security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0122e1e65f54b41e175a2913013497358c8b2a14
sigma-rules/etc/version.lock.json
T
github-actions[bot] 5e073af69d Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1781) 
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1
2022-02-16 08:25:31 -09:00

3523 lines
142 KiB
JSON
Raw Blame History

{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "80a1e50be50bbff3ad4c80bdb84fae234c4b5ba106a15e6ed2570580a5d60b46",
"version": 6
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "7.13.0",
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "cbbb5fe38e0d37cf8fed4293739ecbf327d81a48aeb8aa6d2cb69d0aa362731d",
"version": 5
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"rule_name": "System Shells via Services",
"sha256": "54fc1dc508daf749ca6a92dfd20fc62e6715527a8aeb14a2c8fcc627d1606105",
"version": 10
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "982cd5446f2364c8297740d85ae9e707dafb0ba78e9c08622405313d96b4ae10",
"version": 2
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "1c44db89d3410a06dc61f99dda258376dd4863095c7c858ad1da33d8c582fc2c",
"version": 1
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "dc5c89b6a2667693fbe1a725c957ad2bc11c124768f3a668613ba10a77780f91",
"version": 2
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40",
"version": 1
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "56fde644941c8dc935907706539c6147e325aa11263d94d18329ebf769ee7838",
"version": 5
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "a5417071894f6d1e07147cb4c4ba4712768327afda352ca1bfbc6237b1834431",
"version": 3
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "aa59437d25cbe738b072814c67b5b678717edc99329c857a2eddcc4b0fc42290",
"version": 1
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"rule_name": "Potential DNS Tunneling via Iodine",
"sha256": "b98a066f2cf74984ac8e04ea0db6503d30605711ac54d6d341f42c09a64bb515",
"version": 7
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"rule_name": "Azure AD Global Administrator Role Assigned",
"sha256": "7a015cad38d39de1f85abbcd1c66f94779b16769f63b8c6155453e53a2f2fd94",
"version": 1
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "bae7f8ff4ba6ea634982a368fedf0384ba3e9912ae10a1c22dab21a49056cb74",
"version": 2
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "bcda2313ca40b6fb5e29b30a8a4a34392c0e5ec339b88f2b93e391657b5e3dc6",
"version": 4
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "d199c2fe63aef75d00d1404d2da28ece62aafacca1288fad7441a7febb506bc2",
"version": 4
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "3f61f0f688bfc61699356e5e7f4973cd0b8836b77900f752f3eca5ea477681ba",
"version": 6
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"rule_name": "Remote System Discovery Commands",
"sha256": "16d8a132a4c14359e8917a15b94a476cff425e291fc3733d15bae53552e8c4b0",
"version": 3
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "c481db545277820f57ac0efe04364be82a44271e65b05635d59c07fb0932a535",
"version": 8
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"rule_name": "Remote Desktop Enabled in Windows Firewall",
"sha256": "29afef30be0c86eeb8c731c39dbf62b777ed72a65f168c0469f907ed9fd5b801",
"version": 4
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"rule_name": "Suspicious Browser Child Process",
"sha256": "3a499c8697025a438c86ba5961db32de9237c228e0337aa79b43ac98a7624d64",
"version": 1
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
"sha256": "7147dbd3f68475c0087ebb6aabbc2b86ebbe5be53eed996c4499c4b12a6efc21",
"version": 2
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "ed5affdb15f11894bd6c79489368d13ba7d6be9cb53c34d65c7b30150ef24f55",
"version": 1
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
"version": 8
},
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "5863e9461fec288af7418b55eb3a1352d66726c36f3b908c8ae0dd5c4f4a86c5",
"version": 1
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"rule_name": "Process Termination followed by Deletion",
"sha256": "94e72ce4ad6b954cf01ab7f7a175c472e6936b75e330dec5da7847381fce4224",
"version": 3
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
"sha256": "d2affe457c5a635a572b2b85ae763252a0f0269f17e458d5821017b17de7a9ca",
"version": 2
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "a721897ba5522f3f80de884490b7ec388a753c8679db97593a1f957a7bff12b2",
"version": 7
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"rule_name": "Anomalous Windows Process Creation",
"sha256": "9e82b05aeb4575a98f709abc32dedcd6597e85d952b0f635e6e3efa77c34eea1",
"version": 5
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"rule_name": "Peripheral Device Discovery",
"sha256": "499dcd1aa2d62a15f68fa52d95b87511f7f4e14f24ffe83babb3e72e990ff81d",
"version": 3
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"min_stack_version": "8.0",
"rule_name": "Threat Intel Indicator Match",
"sha256": "deec30795d7a848bc2ea99f29ec0e44c0d2cf9debfb593a497c818011477c718",
"version": 3
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "584f6799b8d5a9a6c941ab48c63d054a539546425843ab0192ff084ffcae3c0f",
"version": 2
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"rule_name": "Nping Process Activity",
"sha256": "4e12ac0fb84fd0825957284198b6a6419d7164c0a4bf84a19836ffe7a3839c86",
"version": 7
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "0f9353d514e91fcd914ee39f1c8abb89094025670de8bb9ddac6a07baf25365a",
"version": 5
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "SharePoint Malware File Upload",
"sha256": "48df4cd6be0661df2216bfc2d74a9df628a612d04495422423eed07656ad1a47",
"version": 1
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation",
"sha256": "a9f964b598c41ad6f015eaff73303e9f70e8c87ce2bef2eeca17742e02ec14f5",
"version": 5
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections",
"sha256": "0168b3528c17247ed5631843306c3123c740bbb190605452493031a938421f15",
"version": 8
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
"version": 8
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "7.14.0",
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "549215ea3a624085dcc50282089306cd1d82418bedb7612fff262a1adde0d33c",
"version": 2
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7",
"version": 1
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"rule_name": "WebProxy Settings Modification",
"sha256": "5ceeed56054e254ddd1b7d9f6d34b66810422a1b885570227b5b24b1df1f5a1c",
"version": 2
},
"11013227-0301-4a8c-b150-4db924484475": {
"rule_name": "Abnormally Large DNS Response",
"sha256": "b1ff9083e41b85fbc22c312e1c5407ff831202a02bf5a4f620a25f4109aa99d6",
"version": 6
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
"sha256": "683cd269e40b092fff232c56fb89929f544f1bc09566ef0e03053ce621503fdc",
"version": 5
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "f7a9a22c1a88de514cbe1dae2e20a6e83de0000461b15d949b649704273c9498",
"version": 4
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "03dc719901ede4c776db56acbb5acf4106c348b9dd70cd6ec496d0d734175124",
"version": 1
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
"version": 2
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "6937bd14a24a894d160dfabe3efe0d868b8952a006578c810d3d7b0492c31680",
"version": 2
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "8ad6cbdd0db141f7bd71e7d4b28197c28f709d99d8a641eaee4b763c35a8514f",
"version": 1
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
"version": 7
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
"version": 7
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "120221c53163f94f7921394a5239a48a64c87bc263ebcb4fabe661f2813d19a9",
"version": 3
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "7b02935da719949670e9b9601000c344b1f818124e52ac762cf52c3df244806a",
"version": 2
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"min_stack_version": "7.14.0",
"rule_name": "Rare User Logon",
"sha256": "f9e949d45ac4dc51bd454d12b2bd60ec23f8fe3d5ee9a15595a4663248317d73",
"version": 3
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
"version": 8
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"rule_name": "Azure External Guest User Invitation",
"sha256": "a84027bf00f826384a1ba67bcc0f221a6ec9b4a6f53e2e48ab8f792f7363df7f",
"version": 5
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "8fb78fd8caf9f2c543f7a8496f9d8f54d2c309b521d9b3f1d1afb9174b6c6068",
"version": 11
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "16e54b31547c5f1dc1b16ad82368432904753d296f9df8aa69d20c61d4d9b3e1",
"version": 2
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "33fa48cfd6c384e6dcf0a5af2d62090fd89307e136c5ef798efbe745e8324466",
"version": 2
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "50ec2f5b9815c5cc153531c5a3d35d9393e03eb4c668ffd62c97b1e2efd616ff",
"version": 5
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "dce41c54cfb048f038e53c478c4df69a51ccb8580b2d1017f26d9c59bab389d3",
"version": 1
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"rule_name": "Azure Automation Runbook Created or Modified",
"sha256": "255c2d46d1242a17eb61b119f3ca491cfca8ed4f92271129b91f875b8d820350",
"version": 5
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "82021c6bdc0d1e0276714a56622c6195c0745e9c8d37dfa3e179111be9f3c8f7",
"version": 2
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"rule_name": "AWS IAM Group Creation",
"sha256": "d8a7a1b1bc8fedcd6d1ed0b5140a74ad097b382d1b33516d6dd4b476ed086ab3",
"version": 7
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
"sha256": "975fcc9572e8117b283322c180c833044bcd17bf6caf3fb3758f1b06c6c48351",
"version": 6
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "2efc5fbfcc942c4b9524b11fc28cd6e721a37c7c5c1936c95b9361a2d0a15622",
"version": 2
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"rule_name": "Unusual Windows Username",
"sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4",
"version": 7
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"rule_name": "Unusual Windows Service",
"sha256": "2056eb4358a68b426256be231c045180bdc5ed38f6ea5b6f8140d1656c102a7d",
"version": 4
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"rule_name": "Suspicious Powershell Script",
"sha256": "460a16a595ce6ae95c9edea03ef73004bc7c7308105aa6c9ea445cbde9af7acd",
"version": 4
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "f379e94cb9af607a023c169713f9d08359187394314686ae5e0c9e90c0cfc475",
"version": 4
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"rule_name": "Unusual Windows Remote User",
"sha256": "56324808be7511810a3929fc18e87820ab588197a384e84b772bc3f2addc8841",
"version": 5
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"rule_name": "Suspicious Execution - Short Program Name",
"sha256": "3763b227c0acc1f158a5aafbc971558f823486f26d38ebc8633193bd1110f8d8",
"version": 3
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab",
"version": 4
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"rule_name": "GCP Logging Sink Modification",
"sha256": "545191239ffa25aad0736095596c8b1da4fe02b5853b7d098de97c66a389724f",
"version": 5
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
"sha256": "59b061c54de834d4f8b093978bf45f2114bed02645ac3a05df8c21d94d0e692a",
"version": 7
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"rule_name": "Azure Application Credential Modification",
"sha256": "6131c83a1cf59205fdd118cb16590961e705919f52e11aaf09b0c00bafc02db5",
"version": 4
},
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"rule_name": "Execution of COM object via Xwizard",
"sha256": "4776192663bb176f851e07e413ee7d932ecc34e7ad179253f59c2be526afec0e",
"version": 1
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "0cc28de03b95bd0c74e9d341f45454944363883a447d9c6f9a48eeb1451611c2",
"version": 6
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"rule_name": "User Account Creation",
"sha256": "2e6aba11ce3349c0f1b9d4e73146c40479f371af1fc28f299eadcfbcc8673748",
"version": 9
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4",
"version": 6
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "3a5d842001943ed5db6ed5374d80c132f413d534608f6ddaddc2ea66b39ac2ff",
"version": 2
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "0e87841dc0e6587203b2e298d78fa79c2d4f1aaff4b20d4407ef3c04734ae5ce",
"version": 5
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Rolebindings Created",
"sha256": "0edd2adb2012b1367353ef756b0ec88867a5ed19d5dc243f991845cf5b9d9e2a",
"version": 1
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "668b31747084485dad1344c6ae9695fbb86ac6b3c11bc427b08cce2b1e9cf791",
"version": 4
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "db68a6ddeb9ff20f43c047dcd1de97515eb952ee0c23b9d232e35a0786a7b71c",
"version": 3
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "713f215dd72eac1c0676cf847d9f30d87ba3c2ff376db9f225c99d4433c1eb02",
"version": 7
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "8b2934c92efde1fe5d402ceab8608bcc234ea06b4959f1fc4244a554402d7fd0",
"version": 6
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "addced6abf8dc7f24872880d268564ecb42c37637279c57f635c19123b951d91",
"version": 4
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"rule_name": "Azure Storage Account Key Regenerated",
"sha256": "713e83e5cc4759b596713bad5c8b20ca123335d567bb2fe189ba8f139cd87b0f",
"version": 5
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"rule_name": "Unusual Sudo Activity",
"sha256": "ea35fdcda2944c1f32b9212d1a678d78dbb16552282224aaba7c0cf16fd29716",
"version": 2
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "d8647d38ddacdcf88500083f0009fe8c6bf67cbfa193518c40becdf8c8120be3",
"version": 3
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "db699aa748d2368754bd1425dd417d14af479b9812bd1bd1b30fcfdaa28a8a59",
"version": 2
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "f2122f6b1acdab49ad7f6bfc06655f446578271776fd3cf5b24413d055341f10",
"version": 7
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "5e7be99268fbc7605ca567d2dc6d1cb1fd554771d9f92fb62f0d4e00f780a896",
"version": 5
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "530e80dcf00f3d075008dc84df00d8ae307d4cafe4bb16d2f9afe00d7a66e8d6",
"version": 1
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "927ea25a70453624aa091c7fbb432f35923391e79036d62806e4d9aef78dc909",
"version": 1
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"rule_name": "Access of Stored Browser Credentials",
"sha256": "70475c97c91896aca0fdd68519bec234ff444f48d2bbbdafb7da5a1da5944868",
"version": 1
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
"version": 1
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "e09b4081f8a3699114c413d133c7a1ac52dd6117fb38c45ad5a7e571ae266b0d",
"version": 1
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "f653154c491692a6cb83869048a8f92af0b6bd245f2161717df86a6aadd43a15",
"version": 4
},
"227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "75a57f1c9430b9bdb9d55f9a4fff16d0dc5f6d7ac51ae2012e3afa5bce80cb1f",
"version": 6
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"rule_name": "Potential Shell via Web Server",
"sha256": "20778cf6abac89fc8fe2c2a7c71dcd89074aa9da95a0c2bc14d9fd694fc7b9f4",
"version": 9
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"rule_name": "GCP Storage Bucket Permissions Modification",
"sha256": "bb8096354dce3087fc76625206e23fdf959a562504690ddde6c4e4e937092ce0",
"version": 5
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "541c555ba3d9c4e25fdeed71f0c1033b4c3f0ffcfabf9a5ea94828114d63cefc",
"version": 3
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"rule_name": "Azure Blob Container Access Level Modification",
"sha256": "64a8b7c2b0532a18d1e94f963c74136c3cdf97ace12540d5e9daf5af4455fc14",
"version": 5
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "2fde8b5429bcf1a32d15d54f96a2386179c681a0bc3e5eca71ac09eaa51272ad",
"version": 4
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
"sha256": "fec04f92c2b0f57675047b2adea17e89769476a9e131eb9ce8330f4e46399d8c",
"version": 1
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "b719addb4a6a57230aae3cc40562471814fa8acd231367bd19680f1898915bdc",
"version": 6
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "b0561460404e467a6624cb6966703895e888d6dfa8ff1700ff3a94fcfde9c5c5",
"version": 5
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "25e969879796bbb0d8b68a24c97e5ec6505eced63d6971bc75ee9454d104b3d4",
"version": 4
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"rule_name": "GCP Firewall Rule Modification",
"sha256": "1d74ec0969839420f2e03143d2b535768a053e2d0107ef6ca49719cfe92adb03",
"version": 5
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "2128fba8e36ba35ec3b5e45def2d5ec1cef564aff7859deaa5891a458edd7576",
"version": 5
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"rule_name": "Account Password Reset Remotely",
"sha256": "5204940ed9faa7c63a7a0085cbc43c3f6873c63e917c5cb5ec3644572c5cf9ca",
"version": 2
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Net command via SYSTEM account",
"sha256": "5e35b7ace9af65eee277e440fbb6659768d0caf5ab49a5179222cde8b4410fa1",
"version": 9
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "148f9ae24ebe6ecc8e536ef7c3a01267783438c802cd162447623fe2a303902e",
"version": 7
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
"sha256": "b448efa8a3877578f365cdb010bb962b005c00c8233afaf30bdf8c06784f6dc1",
"version": 4
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "e612f03f7184fa5ee1e8c62b3508e133ac925898424f7350dd6fa8550331ceb7",
"version": 3
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "37eb08a6a2e77c04289f41edc70fe76cf6ce25f43d79fad419ffcfaf17ab6ff7",
"version": 4
},
"2917d495-59bd-4250-b395-c29409b76086": {
"rule_name": "Webshell Detection: Script Process Child of Common Web Processes",
"sha256": "71c8450638f4fe25ff585483564b55ea9fa82c2e4bf431ada7dd963a5b4c5e22",
"version": 3
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "10a0ac7664c24449518000fd745408481a284e5530621bcb46bd09274cb30517",
"version": 2
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Adobe Hijack Persistence",
"sha256": "b855256f23054ec5025f78c2ec0ddd70e36ef7b16856700f208936300525f544",
"version": 9
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "86c10cc273bb5574a224ca30d1328be55d25c8c2b6fb7b02aa04e84f65778038",
"version": 6
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
"sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b",
"version": 6
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "c3726db2dfd855db109944def0676bf91e1eba2881adaf2f1f0f76b2ae14e555",
"version": 2
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "83edd5ea4f7c27a4c4dbe143e79f097c6974e9b6641a6c4e7ad6cc709c75d4ca",
"version": 4
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "2fe8c86abbc5b90c04c50b2d75bc279a82b4ca5b5b9075830ede2cb576e81d8a",
"version": 5
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "9a94bd09a73f383701fd95cad27beec422c1ffddbfe186463b5fa61733bb2d16",
"version": 3
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954",
"version": 6
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "73d4fb8598a974e4c18b6e713228bdddad082fccbb5b41ead57a9a8a31c0d429",
"version": 2
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "db6cd2a29bf48936d744aa3859daa68606c4d83a43bf252be9930a0fabb253e3",
"version": 2
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "d7898ac8939e5614c533f409847a25d00fa7b6de74838a8d8c8c62f4825b7e18",
"version": 4
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6",
"version": 7
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "88d50c899d049787cadcf825cd76a12de950a6f91cbd75e64461970a259ac97d",
"version": 2
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "96d60aedac6a331445e99ddf32dc6532401ff7ce7eeeaa45b07121449be5e805",
"version": 4
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"rule_name": "GCP Firewall Rule Creation",
"sha256": "33b768a4456770f5a2eb024ab81e723b4ed3a53b57ebcea0b5130fc245fd6b85",
"version": 5
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"min_stack_version": "7.15.0",
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "cb10ec3e256bf22234266e706b1f392088ccf60b2e48ea27893d6b4eb27a2e8b",
"version": 2
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "c30b4dbb58d32a0f0bb0e4cd56091741708bc6a1a3532af6bf2bf17b00a21861",
"version": 5
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "421f583913289f650fdbca557ec44f107d75e90f35328801d816546f8d74b471",
"version": 9
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "a1de315cc54aa0aaf8d5b2db8091cf72a7f1ff49d92e382fb790fec77a936ab5",
"version": 6
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"rule_name": "Azure Network Watcher Deletion",
"sha256": "d42fae44d101f779758e4abaaac8cca749d7db643f3b825cdd3787e5c6a81355",
"version": 6
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "a24945bab294eaacfcf22ab684f83b21b48698fc1861f44d1ac9c1c11fc23181",
"version": 11
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"rule_name": "Program Files Directory Masquerading",
"sha256": "100633b626385b80ba08306d8456dba05e19987f73a770f60c48334a04297eb2",
"version": 6
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "cc833cab5c0e547e8cccc3b115f8f6e99921d98eed41251c06cac69498d49119",
"version": 9
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
"sha256": "6e01c88d75910af821e1f30d5bd7080c279e17c8283814a231ace540228449b0",
"version": 6
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
"sha256": "0eea43805ecd683b5a20d92763182a589a053f2b3f85e7cd328ff4697555f1a3",
"version": 3
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Telnet Port Activity",
"sha256": "3dd4a438c915920e6ddb0a5212603af5d94fb8a6b51a32f223d930d7e3becb89",
"version": 9
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "244d04452b6c549e3bdb8a09990c159076e5b753b56ecd32209f2812d411b7f0",
"version": 1
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"rule_name": "Port Forwarding Rule Addition",
"sha256": "9686d00619c4eda20f8030f22542ba81410c031fa79e8a87712bd72e22b5d96b",
"version": 5
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "426406e1faa8b58d4d556183c34bdb0f14ecce1c81feafbea403b0802d962ef1",
"version": 10
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a",
"version": 2
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee",
"version": 4
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "AWS RDS Security Group Creation",
"sha256": "e0b50ed0cc754b83365d57fc0892ad795403b066b1f2b6e833f37723a3286e70",
"version": 3
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "99138316d123f1f89b859dc2d11724e221fae9034c71a86aba2aa96d8e624e6b",
"version": 3
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
"version": 4
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"rule_name": "AWS Execution via System Manager",
"sha256": "ebfabf467dd8b14fa28c54259c168a98dc165de8bb93fd13dcc4354ef9029c5e",
"version": 6
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "a7fca8f1cc9b8a710918f015f9d0cf42440b5e0f288c3b84009f0a8e12096ee1",
"version": 2
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "5abfe9116b4ccb7e1143f2bcfa466f9280f7d3fe2ed2a632087c756dd44d65c2",
"version": 6
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"rule_name": "Network Connection via Certutil",
"sha256": "80cae6ba9f36885936ddc3bfc37d180db9ec37f430b853af1fe21a14311027a0",
"version": 6
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "862fe5f0c824fc337577015ea7456a3d5bba2d45e714bb08d08b245b9ce72d84",
"version": 3
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"rule_name": "User Added as Owner for Azure Service Principal",
"sha256": "9844bec52014f739123ed6e75296b8ada4c863b14872750ececb4c8f3a939c69",
"version": 5
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "0e1cb80e58a1861ea1f891e1daf7b671e106f90d3d75fddb64c368b2dedf709a",
"version": 7
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "6de0440b5c9995f4fd4e00b5d7dd242561ace6cc188ef3aff436f59020df155c",
"version": 3
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "2b74884e710d2b488775647f1a79e3b28390532e537fcabdf72e1595e4b55621",
"version": 3
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
"version": 6
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "c4676a3d068513cb10f5aa0250eff137b1a106243c2fcd7d9b1d6297c293ed1c",
"version": 11
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "78613742979e36a993f52ef1a7a4fb1de7e286ed4c5e52fe24eac7726f4173e8",
"version": 1
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "008ca865a5c7a86ce57350c20eed12f164ec20344bf2ac5aa30ba2ac6569884c",
"version": 7
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "1c4973f2206952ea9b39bc9d3516f3facd27091bb2c9003d6725f7134d6e19cc",
"version": 4
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "6190fcbe0b951625445d3995b34ac7d0eb24f491791797d34fdcc52965947e6c",
"version": 5
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "812b60afbec769e09def857ab8078ccd803d393f5f2fdd30ab043a95574a9df6",
"version": 5
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "f97ef2cca95b757b6bf71ab8a99259fc96ac07fc4ec00fa81cdd6e64ef085337",
"version": 6
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"rule_name": "Suspicious Emond Child Process",
"sha256": "60ad0bc321eee4f3d4d9a5346985b65aa95105034d55525170670faa700a9663",
"version": 1
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "3f2d95fdb79cb6ca4c56f1becabbe1d57288b6104b0b40f17398e3fde07651bf",
"version": 3
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "0f67bb4b3fbdb804594a8f6c72163a50c7a0560738746a8eace419e2b80c81ab",
"version": 1
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "7994f8c47774c0f02a84d4fbc196bbbd74efed6cfd4cc23a0c536e81d619f36e",
"version": 5
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"min_stack_version": "7.14.0",
"rule_name": "CyberArk Privileged Access Security Error",
"sha256": "420e91f52a8fb273a099a96a3b3e8beb4c682a608f9ce67d763b32fa803a83dd",
"version": 1
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01",
"version": 5
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "24caaad3fea11b7693bad4ee11a32119b0f6804af45f39ac7ded0499c0fa6694",
"version": 2
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "EggShell Backdoor Execution",
"sha256": "49fca84019de306b693f25ee758a76113137f7f37277ac183c412540bf7dab04",
"version": 1
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "e37a197e231dd5c778e7e2eba8094aeb962e5ce1fd3f101370d7c0dbc2a24ff4",
"version": 1
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "b3f891727a031658802366c46aa16b0456d98a653e97f0873ad9203e4a88005d",
"version": 5
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"rule_name": "Unusual Login Activity",
"sha256": "3f35fdeeb2a9009f7f98d3094d9923caff8ad61e07dbaeb0f483e5de46092849",
"version": 4
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"rule_name": "Web Application Suspicious Activity: No User Agent",
"sha256": "e4e4fed016f2f7f95e0547e9880feb0a83a077b476bc20dd27ac1cd3a58b577d",
"version": 7
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"rule_name": "Shortcut File Written or Modified for Persistence",
"sha256": "944caee6eb6c128e932e1a8b587dbf2a3da7cf3a70751349132eee695e1ad82f",
"version": 3
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"rule_name": "Unusual Windows Path Activity",
"sha256": "845885ac400eacce386fbf5040713ed065a66b447e5ddf8f450e0939c64bab9a",
"version": 5
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "ca60e2e85601f7d1db4c009cc581db67e2f3e9ecae3df43a4713b067f9c9a6fb",
"version": 7
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"rule_name": "Windows Event Logs Cleared",
"sha256": "f65e89b35c2d09bcf13dc109cfe5c2385c3ef652d65c38a84e4d275ed932866f",
"version": 2
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "afd848d3e14acf0cda06b0eb92b86f3bf86fc362d754c4fa574ee0099f5e779f",
"version": 4
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "8b06e2c4389580431725d7ec34eaa01ee257ab1980f1dcb62e9457c7fe3a5383",
"version": 9
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"rule_name": "Unusual Process For a Linux Host",
"sha256": "5dec41bb8c572f24b5a47b3903e2d4e2fd9bfe5a6a86789f0b50c1c52d956af6",
"version": 7
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
"version": 7
},
"47f76567-d58a-4fed-b32b-21f571e28910": {
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "34086f00f7c81d099a3adb242947eb40dbe6ad2debdf1accf86d786204506af4",
"version": 3
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "8c07df1d0c0f730e3e3126804f0934ba930fe3aaf3514718b5d17e3873665f4b",
"version": 1
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "282abf66ee7d89bd9c9170c0f5d02b637eb154a7dcbe465cd3650a2229bd489e",
"version": 2
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089",
"version": 1
},
"493834ca-f861-414c-8602-150d5505b777": {
"min_stack_version": "7.15.0",
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0",
"version": 2
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "38a9ef4430e706f69e3f25e3775ef9ab5247933a6448daed8075c460dd5d4369",
"version": 6
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "90064df775272d8e2f696fb665bb8e5df6ed2e82abb3a9f450d42b3d0caa61e5",
"version": 10
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "ced0a019b63e9d421f8e75a6d2dd6a581cfd87b9bf4388349f4070700225813d",
"version": 5
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "54f432ebeecc716460a030d6d37cdb842396275d6daf24813ce0f902486cd953",
"version": 3
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "0ae822fec1abd33c32277f40e993668c09ec575f0f6580a760937417c7d50e32",
"version": 1
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "c5df84be421d64d3a1261a065649b24397c4d41d7344dd8828b0b1beb84a7d76",
"version": 2
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "65957d10243835667b29df2c1bf74ef752f91f9ca378cf1382cc41ac5ed81bc6",
"version": 4
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"rule_name": "Suspicious Script Object Execution",
"sha256": "86fbac365ea6f05358840e21847cdac1ba5feaeb3571e7edfdcec13820f6e50a",
"version": 4
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "589c24ca630a77bad17ad6c4b8036cce404b7a1186da052793b448c75bb06371",
"version": 2
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "fd6aa0fb6621012cb8e02b57f75725de1c2d778441edb0a01096a2b76f972d53",
"version": 3
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "e573874c887d52298c8c9a8f0ca2e19769f649bd1b4b36f98aed5a4919ec6c6e",
"version": 4
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "7e5f0b340dfbf69334022656802c3cc8dd99a9acd0ca288a87a1cbf73425f305",
"version": 5
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"rule_name": "GCP Logging Sink Deletion",
"sha256": "f080f65773cf86f0dcf7b5d2234c7b3123961338d5d11310d2bc007d0f5978c0",
"version": 6
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "7add00e6f6097cc99daf7fcee026068a09e75a93763bd1b69733f2bc73d53aa4",
"version": 5
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "6c543d844a90fd931a4c36a1fcaaca7a7608ac2a2f6127382844943ddee4f71c",
"version": 7
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "33e7314dd4b45b521415255a0c6fc075f77dba01dac56340b885f8befad43b9b",
"version": 10
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"rule_name": "Unusual Linux Network Activity",
"sha256": "64ae86b5af4ca19baebe75a2791db256410a0bb32de52364fffef246f551bc18",
"version": 6
},
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
"rule_name": "Unusual Linux Web Activity",
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
"version": 4
},
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
"rule_name": "Unusual Linux Network Service",
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
"version": 4
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "306a95f7b751a3c125d43dd4d56e8bc2df8d9ac55b9a76fef8a1e60ac3ee799c",
"version": 2
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"rule_name": "Azure Diagnostic Settings Deletion",
"sha256": "8ba5acc8850e486039277d2da8132a4203da644e6a12e3b500bb67629678dff7",
"version": 5
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "28f16475e1b77a83be53387c10dfc3e12a8cb30463ebed52c32e7a3f104093d3",
"version": 7
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "063beeef24d261da01edbbeeaee92572fb436a31d690472418d40c46a6209d50",
"version": 5
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "d7dd9478ea6adaad5568eb2f70c33bc6ce44da0e2a6867f38c5ff48086311669",
"version": 2
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "08df11e0b47db88dd1ea0c975775244bb561f4eedb48f626f65b3d8d51eff4e3",
"version": 1
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"rule_name": "PsExec Network Connection",
"sha256": "4e4fbdc65c3b54bf30a91147ac126d5e470995cd70f02c1dd673719b0738a0a6",
"version": 7
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "0098059a0c6dca4b880d5b66cc7159ce16ab4e4d41a414d24d52aa3cc16c112e",
"version": 6
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"rule_name": "Potential Admin Group Account Addition",
"sha256": "433b4fee2d89c47433742f05b5869e7babde31127f434c8cce50899e14a270a6",
"version": 1
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "902f4fc3cc9b2951b82e74f03c337b150f2584f77ae83e6d2a23ad8b5abb3c45",
"version": 1
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"rule_name": "GCP Logging Bucket Deletion",
"sha256": "b9d492bbf9e35665b2a22d0f90716d61faf78153b20c09c8183e7336b4c1bd65",
"version": 6
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"rule_name": "PowerShell PSReflect Script",
"sha256": "9c17e951b973ee2ca613cc870ce1e0276513c1acef9546f7f7264e2c71c48a41",
"version": 2
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "c683c0a850432bc2e1bc213062d7340c83c0c8ecc6ce14f521ed262124ce52ab",
"version": 11
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "16a81e4dd634888d573b513f92f341b62b0dd86237883db37a35e77ebf1fde1f",
"version": 7
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"rule_name": "Azure Virtual Network Device Modified or Deleted",
"sha256": "6fc943ed6a7460824b62403a5a15857757bf17110c30528291bd3feedfbd1bca",
"version": 2
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "105c3f90085d4af397d4adccf7e48445bb28c785e46cd84cefc25720ab8b2b27",
"version": 5
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "868ffb9b45e3d8236b93e72b26814071dc1f1d6f1594fc54b97abc6be9f3d242",
"version": 10
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
"sha256": "671a71d6221cf597294f3a2384e29d5a828ffa9b490776ade78495b7180fa810",
"version": 5
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "929b90e9226b83b1269f9a04cb4bdf8e8aa9ae3754590e7b98cec10c44617a0d",
"version": 4
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Lateral Tool Transfer",
"sha256": "3879f384221103f101d7c1c2cc0d549e9b6fb16338e554b2fefaa36d2581debb",
"version": 4
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "c321fa60ddbbe7f3e8b0914a43379c5eacaee6c4c0b9c399fe46481d47c446f2",
"version": 2
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "7ccd4d8f110c738a2b76576a8e8789744375b7af919a2d9fb8eaff54efb4c23a",
"version": 1
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
"sha256": "85d74e77cea83a788a7e8ff5cecbec7170d475c2191813cc38a9f76fac5f0001",
"version": 6
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"rule_name": "Unusual Linux System Owner or User Discovery Activity",
"sha256": "4dfce8f9b71d1c1154bcf7d7e227f86a80e23ecf68649d7067d1b9daa21960b3",
"version": 2
},
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "c444e8ebabf015f11eca3aad69c7db2c17a53f0ebb7cf413a492bcc22c14252a",
"version": 4
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "949d9585989c20d9adda4bea2921d82a86591c2f26aaf1ffff9db3fc76015f4d",
"version": 3
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "26c0664d074c41ca13825dbb77b7dd7dba82302a0d5ea7a9842d93e02da18f37",
"version": 5
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "9c0208d45564d4542b3d2b8a5bf247de7c1f52fd0d35c92870b6bae1e3a11169",
"version": 6
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "ac6b9792a84324d6359fc162d768843bcf69e9d6a1e60f6a4001a40174a0a17a",
"version": 4
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "3e550cf60b7bdbefd8793ba92498409e7170c4e56cb1b56abc47eeb6a9f81eaa",
"version": 7
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "d00b5c874958e60ebea75b76e2ed82104b526c831d61e946c915fd0cc7efa80d",
"version": 2
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "64a269e25fae2964d9e1cb61115089d57eebcbdbc1b822cf41ecfc490977e15a",
"version": 4
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"rule_name": "User Added to Privileged Group in Active Directory",
"sha256": "1c916f85abeafa2fb73df818ab49266806c69dc729e1e2f68e5982972448cd9a",
"version": 3
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "f0280d78ef564558bec9ff8a9cad7c4ffa23ae2583671463d67d196023c86ad0",
"version": 4
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "39b048716937ceb662422d8e35d3e65524d15b2122f65419c6ee49fff049a570",
"version": 4
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "1423cb901db24ee2389356865a804a69d1c5ccd02aca4cf100ca7486f830aee2",
"version": 1
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "dfffdd35d5aea389d17a849f0a12cb31558b2660b2a20485892c53848ded6543",
"version": 5
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"rule_name": "Potential PrintNightmare File Modification",
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
"version": 1
},
"60884af6-f553-4a6c-af13-300047455491": {
"rule_name": "Azure Command Execution on Virtual Machine",
"sha256": "abb1da4a93de07129c1b5b615752a4b9824c9cf4fd8c0c555614dd029d6d7e8b",
"version": 5
},
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
"rule_name": "Azure Service Principal Addition",
"sha256": "8eb451fbf3b33b73f8476b07b3b278f1f89028628f41bccd347c3ac556e4e031",
"version": 4
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "8861a21144a2ea4eb4575801530892df3fff673dc4701f49c4863bf3f0bec8e6",
"version": 5
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"rule_name": "Unusual Process Network Connection",
"sha256": "9284b390c8c7e73e77a69f2d0e2900f6b6ef1e04caca2806f594f3695bc65b86",
"version": 7
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "2996a4fab8119ba85417d7826967b9135cbefceaa7cb3c8cfcb0183f0d9f92b8",
"version": 4
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
"version": 7
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "3203c65eec92dee9e1303d21081ea604077f14bd31a3c941ae581c791d450c18",
"version": 5
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
"sha256": "480b35158e6bde86c97da264cbbc89e51301efc810ebfc8913739b428152b2b5",
"version": 9
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "c10cfdb233bb94a8778c442480ba3bf3052d77b1a7233987c6c6f02bb88a69b3",
"version": 7
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "1291f8e74a129e13387f515122286762491f4a8a98539f725f35893c9e519257",
"version": 1
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
"version": 2
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "22df29a521ec99fa01bf16c417ab71290f62629f00e77a9d9daa68703717e996",
"version": 1
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"rule_name": "WebServer Access Logs Deleted",
"sha256": "9e822f662024fca699b240383c9eebbb725dd9219991cbb412fbc73130137e78",
"version": 3
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "f27800e26f498a07905f3f25d836d4d3234e564f7ff4aacb4e3778b7155475db",
"version": 7
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "2cef3de3b774697cedfbed1c2355f06f346be0ff564bb51e664741418215ed35",
"version": 2
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "d93bdd2f8eda2395c9b8ab7c737460f2201732e3176d605b489d38221cd18bfb",
"version": 6
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "9fc4ef03c57ceb4080449f8f6db2e2054bae6343b79b340c3b462697cb756abb",
"version": 3
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "d6726a1a5d3a598df105d959b2d8d7b02e10a98c4e8c5f0f47e124bb5d1fab62",
"version": 6
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
"version": 8
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
"version": 3
},
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "7.13.0",
"rule_name": "Image File Execution Options Injection",
"sha256": "6f3da8f7ad3053933ead97d9f24027defb33edf3e295ff028bd18a9028833dda",
"version": 5
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "New or Modified Federation Domain",
"sha256": "a7b96a488a076900caca95e6820769a0f0d3d8a4d0d6cda8e543408c1f94f6c8",
"version": 2
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"rule_name": "Threat Detected by Okta ThreatInsight",
"sha256": "0f9bfed2053b99795b40e69a51bfdca388143a9a3a4ac6ecccff16c81657acc0",
"version": 6
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "5195503f06d8b358e209d9caebe4d1cfbc94be351590cb60646160fbab60f0a9",
"version": 6
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "a9e5fed2c237cba481fd05a38576032d3cddf5a3b67341030a4a77725c478b22",
"version": 7
}
},
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "afd34ab4f1d7e038c874333fd83de248c0b54d625f489e74359f3ce4ec9ac71b",
"version": 6
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "e36b6e5cdc71883b3829db49b0ec46d102f02be1c7afb892e4b2a95c72a8b5fa",
"version": 5
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "fde09756526a918a6e12316e4a86f8771eb5269f2b2caf1d407e0a5802d872b7",
"version": 7
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "b5812117895d475376f16cb41ebfb385fdbec5034340b59f60e3dcdf71bc0a6d",
"version": 4
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"min_stack_version": "8.0",
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "1c84ee3520f02156a2dd650dff1c95cccd1852054ed6f7ca59a4ce9d278c9832",
"version": 3
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
"sha256": "22d2bd68a5cc0620132227498ac239156162cfc2774f84b41d0ed7c5733f71fe",
"version": 9
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "1429ae42606ee0f1531dd13daed17012855d148d9e0c9c714095e01dcae486e7",
"version": 5
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "79553b3a40acce22ecd91c9946948f0e588df04e533323c192d8e41ded8b499f",
"version": 3
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "1ba40e93a9dd9329c966e27d0d95d4f4629eda849b5480dcacf1c03f0fe4a350",
"version": 6
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
"sha256": "3d1a0bee2d79c035a599faffc03e74e4b4699b39dbb4418068b003eb6136050c",
"version": 1
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "578607308f1b76a89e24e98c1a2b553b5455443931198123c558adae551bccf9",
"version": 2
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"rule_name": "Unusual Process For a Windows Host",
"sha256": "cf57ba8d293696a2da6468acbd3af10bfc461d24f0283c80e614ec4266fe3f52",
"version": 9
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "265db12570310439b937bb99bc1a58f1e6ad99c7bc17a2fcde50e05cf11b03bd",
"version": 7
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"rule_name": "AdminSDHolder Backdoor",
"sha256": "5e649f8e7810090f97354f1b0425628afc6c2d3308751967e5fca172eb679b7f",
"version": 1
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "fa4544dbc92b6766522593e44bb10e0036b4824f8d70f381698fc38d56a08aa3",
"version": 2
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "f7c950372b5e9243c9d6de8b572a1f564290aa2b0f790831d501d5b3a2b460b0",
"version": 4
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"rule_name": "Security Software Discovery using WMIC",
"sha256": "b36abb97dfae934d532a0ad8bae5eb1ad848b7862a3fd0e9a35f108c528b905b",
"version": 4
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
"version": 12
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
"version": 8
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Role Modified",
"sha256": "4776d80c0d1069ed8363242d7b09b4934c3efc58c9db2b87fb5045eda98284e1",
"version": 7
}
},
"rule_name": "Google Workspace Role Modified",
"sha256": "33a6f2e64d79ebfed4fe0f1b4e5c4a7968b9b4941e11fa0cf720ef3810e38a15",
"version": 6
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "6897e1e8f7b9944fbeb558e0232b7a6cff15c0e14bf002b9bd4699a4350468c6",
"version": 7
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"rule_name": "AWS Config Service Tampering",
"sha256": "8e5473155c744a9d9579c9fde809857339d28ed1969699c8087d623f3be4eee7",
"version": 6
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "595a864d26763ad72e78a54831b8e6740f1bd90566b5a450046c0ed8824b9e6e",
"version": 2
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "3e2fb37fef273486c5032188c9b3bd7baeeeca83a4b49ebb212f95ad0e1451f9",
"version": 1
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "fe4e4318876cf618a1e21bd9cf33c5e2df2b85efd5b8e7801d31ebdabf213df6",
"version": 2
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "eb2d6bdc651c4d7654fc996bcd8b7238f06ac89c28e7cb8a2e198397e9b3dcc8",
"version": 1
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "d6f547243894063d94c8152b6485b57855368f0f9288e9d97e4f9e622f1b7e44",
"version": 3
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "c2f7bf9712e7b52b568aa4ff657e6cb033c602ea071e2fcfcc37247605f999e0",
"version": 3
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "39f2ea0432ed3122a7a0d35999c6c5e031af504f3cb039cce854a4dbbf267128",
"version": 6
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "ba040e94b982f1b9f417b04f1575ccc06418083b121e165cc9fcfc1013cb291e",
"version": 7
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"rule_name": "Modification of Environment Variable via Launchctl",
"sha256": "b9eee6e8e6eb2c238952d35b40ebd2ef4d70e4a462e513ac0bf3f939a447c986",
"version": 2
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"min_stack_version": "7.14.0",
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "cfc6d020a4aff760e43c4f33a76f8e3f56c9aca58b2199c4c498bb3f6f966b42",
"version": 1
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"rule_name": "Unusual DNS Activity",
"sha256": "af51bdc27c86e87d19b50f0daa04da3c6df9a80227f61e73e44e86db37f30006",
"version": 4
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
"sha256": "7d4448c4595f5cf1ecdfcfde84e6c0bd302004eb1a71c73591e3e339532195e6",
"version": 8
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f",
"version": 1
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "e2370178900d74daa4cadcb8b42f646efd2ea3f2c73c59f9638366f249e0c5b9",
"version": 1
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "fcd8c3219898d5276945fcee501c6a589d1e17e99b96a7360a30c6d982f3c614",
"version": 4
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "05939d1b48b1975cfbe6e80623d1c4d942fffa7f68577f3e05f541d61a5eba9b",
"version": 2
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "User Added as Owner for Azure Application",
"sha256": "db73c1cae414a7e328d7bd8022798a8643bc9e40bd45b3dfeefa437c8931b5ae",
"version": 5
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "5380f574b8e648c558fa34254366c5e53eed6065c9b0c722b1c458ac26b01ce3",
"version": 7
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "43a87b2b542b409c6cfbe267485d8b1ba8e32e9ea553f6180b7d0362c46ea2d9",
"version": 7
}
},
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "ab5ac05b1f57b0e9a197d51506441eee921132528fde66e99b64021454556e71",
"version": 6
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"rule_name": "Azure Privilege Identity Management Role Modified",
"sha256": "84ac45e0073c5d7ef4203571ae659413ccd26eac3b505be34ee11115d25db566",
"version": 5
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages",
"sha256": "27c3d706d0b03424992adb2365dfc910ae1a366c39b31f6ef23bd70b93df5233",
"version": 8
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"rule_name": "Azure Key Vault Modified",
"sha256": "739693e9483eba009ac5ee8d2fd3c4da0f3637baa84dd3be947e4e455d60e0e2",
"version": 5
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "14bd23cd43ef9c08357b87dffef5a16b7f40e6ceed857515b50210876529f162",
"version": 1
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
"version": 7
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
"sha256": "565d9e046bb625807c9d552344c5097df14d3f17d12b8c23cc8ef382da27c557",
"version": 3
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "14042b6c7716c8acdb6338aed6238ce1e8422f1717bce3b4a3969a382d9b2202",
"version": 2
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"rule_name": "Windows Network Enumeration",
"sha256": "62962d4c50e13c6c3795372fdfa8275aa60f1cba7019c1083b172295130dba0e",
"version": 4
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Tampering of Bash Command-Line History",
"sha256": "f5d97fc723896745fc89eaf2b77608aafa7dab27702ded21ebde4a2756bafe36",
"version": 6
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"rule_name": "GCP Service Account Creation",
"sha256": "442ed95d9672fab5f430323edace7c2ccf7ee203111de771abd23cd5cfbf3e58",
"version": 5
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
"version": 8
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "5f9880c56b50fd6f10c9e092181344d89f39e264561062c8c34d2b811b766721",
"version": 3
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"rule_name": "Unusual City For an AWS Command",
"sha256": "48ba1263524fb870cd81eaaf17abbab057a5f04d9737f5fb881fcce07d133df7",
"version": 7
},
"80c52164-c82a-402c-9964-852533d58be1": {
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "1664db594a454af4890a7ec808978fdd268088b8b9f21f3956900c607de66cd3",
"version": 7
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "acfba4ee9c92663a86a9a9ea8df686e2efba7ce3491930a45a946285f09ee724",
"version": 1
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
"version": 8
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "24464f1301483fc0c282bda7bcb95105795ae33fc1f9c27ebad8c2633fe03af6",
"version": 2
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "f77cf6a6f9ef86b2152b36bf3811485d39bf9c62dcaa02fb0df6c2233cdc8019",
"version": 1
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Pods Deleted",
"sha256": "315f0c609385f4ef62c8a23ebd01250630792d3acf1a85a78f37a594a6e1202b",
"version": 3
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "7.13.0",
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "2d64484c1819eab787cf8dd38ba726a52646aeaac9cc644db872b9cbc99fb254",
"version": 4
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "5118602879dc1df7dc9f3120f7fc0d393448b861d0ad4ff3ad57e40505bd6ac6",
"version": 7
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "81346c952b5ea1ef59195fe979282495f1bfc0578a043e4702e30911879560d4",
"version": 3
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"rule_name": "AWS IAM Group Deletion",
"sha256": "49b5381fa47e4fbc5e74d84264a7b41d0253bd4c62d2131fce97453e885668a0",
"version": 6
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"rule_name": "Security Software Discovery via Grep",
"sha256": "b8282c5a925bd40137e5683f4353565a807bc6bfe47b82a52bdacf7e5c32b1ed",
"version": 2
},
"871ea072-1b71-4def-b016-6278b505138d": {
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "2f6700f791dd256057e4282a89b038cb5296e4c8c37b48776db059141f394a7b",
"version": 4
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "49529bf8713ae032ea90a2bd741304fc3073aa411d60f1731fcd86fbd75c3d47",
"version": 3
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
"version": 8
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "4d10c98c0349b65cb88d0bd42fc5d8cc6a8e2646ec4d27f9fb79db6be9ba03dd",
"version": 1
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "d89a2f8c0e73fe51b3f8dcb1b1fdd398f5b9eb9d4277bf19ec14fd8ebd4f2237",
"version": 1
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "e7d2a7b92e920fecc3cd298631d4945b2727effd008ed963b7179303b6f05d58",
"version": 4
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "01a251c96e82a87e563dfaf1263d2a3646c9323638da1fadd54993b0da087d1a",
"version": 5
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"rule_name": "Command Prompt Network Connection",
"sha256": "59a5d1e0d72c62b3fc7912a7067eaaca424cbc50b4e63c75f51fc4ffb4421007",
"version": 7
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "26e7c7e706638948c9e8b88b3e9595a11a572137460001ad4041278283dda8f4",
"version": 1
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "Setuid / Setgid Bit Set via chmod",
"sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c",
"version": 8
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "e88541a1a011cfb788e031595a6452d932dfb34adde8fb0adb6a87f91abf9c1e",
"version": 1
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "39d70757faa0cbb8300bcfe88690a5ab67ac0efe7d33ac72e5975902b1e1b2a4",
"version": 4
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Suspicious JAVA Child Process",
"sha256": "9d7875876529960496ced859248197da593afad28edd3ffe08e5d2c0af4119ed",
"version": 3
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "7.13.0",
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "49f3873e68cd7416b2933be1ae193783473434d7ed6329f8d313f0a409453d21",
"version": 3
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "ebcb01477dc704bdeee0d1db6985b13879e9151e5552f29028517978eda2b2f0",
"version": 2
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"rule_name": "Azure Kubernetes Events Deleted",
"sha256": "c425a28b60e23b0d43a2b54d2fc861c42225a3bc7c2ac7f1243f7bb298784bfc",
"version": 3
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "b6d7ad4ee2f11ab3ed8aa4bcee08a462a4b3aa3790ae27abd86cee6d921e3283",
"version": 11
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "cd28b1f77b37d6e9016c24c3cbbf4d94f8cd152004e883f3986a4d9e88687b3c",
"version": 5
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "307795e6c1dce173407f17f57c65d0c530dc24e20c18e78b37e93b7d5d78180b",
"version": 6
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001",
"version": 8
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "7a56ece573a2e7340ff71758fab173b542a2d7063efece0d05078354bc3ac4c9",
"version": 1
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"rule_name": "Azure Automation Runbook Deleted",
"sha256": "c457f1f1b2813439401359cec7480f53b710fb09f8a3af76de317538e47377ff",
"version": 5
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "d86d494f83bb131dff1bf75fc9fa8952846c3deae9f7e3d60f8446ce5d58f19e",
"version": 2
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "174652de3ab002293cc1eadd63c13f80a580f0b8310bc45a2ac6cfda75241c3d",
"version": 5
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
"sha256": "bb302afcbb15dc8bd5a6a79059fb4d67396737dac261262ceb6d5711021f2b9c",
"version": 5
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"rule_name": "Hping Process Activity",
"sha256": "e95b011bb8a3aa490e0c1725dbcb086dcbe8f993b61947c9a5c274bf5de92b83",
"version": 7
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"rule_name": "AWS RDS Cluster Deletion",
"sha256": "814bd87ddb20bb57f1d35ce8e4e8265e2a4915fc68d659aeb8d3fd6adfe68fcb",
"version": 6
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "66c3b0f201fec745d9992dd9e1be815c5a7bf95a2412b6923721ec5aabc6f6cd",
"version": 2
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
"version": 1
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "0fe0766cef30ef7f13a641148fc5a4d89c691158770233026342921f02e6b0bd",
"version": 7
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "206d5aa1384191583bac19ff057f907ada6d4a79a91ee47c974487013ecd74c0",
"version": 7
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"rule_name": "Unusual Web User Agent",
"sha256": "3235c8a98dd7280928ad77b9fdd7d87a8189c8025c82c4fd4934cf5c4be7f067",
"version": 4
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"rule_name": "Unusual Web Request",
"sha256": "05cded9c521f7c1c3d294ea3bc28690cd66db94e95e1fa3e54e2e1feb518ee94",
"version": 4
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"rule_name": "DNS Tunneling",
"sha256": "b15eabc6db99f314e02c8cd2d1afdd5f9b52301be4089503c91cd48a51740b98",
"version": 4
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "86b425a524a1db4dfc1c5ee933f99ef66307f6fba8d6070b2a27bbbfe1275316",
"version": 2
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Modification",
"sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478",
"version": 7
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"rule_name": "AWS EC2 Flow Log Deletion",
"sha256": "98ebcee9a4b929baa3c37d53f589bbce227b1f2446f3f3c7c356add09b1dff31",
"version": 7
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "23220ce15e2b4d3768918e69f4ac38f910352b9eed00044f55257c99f50c1e29",
"version": 3
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "1e955bf6b29adf56d2b56d5c217ced6c481af84fb549f5640325bd1d4eeebb65",
"version": 5
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "3c0f93a51365de485043e4961faba1a74302db6036510abbde8f1b0b60e4de3b",
"version": 7
}
},
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "7f3e1672e2c15b1f4386242655493bbd483c0c30d377b65c94cadf17d5dbb100",
"version": 6
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "4cff5c6b85db6da429555825630fa7972dbb0f8ac152b594c6c107ec398cc9e3",
"version": 2
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"rule_name": "Remote Scheduled Task Creation",
"sha256": "26cfaadd55aa2fc9557f5080015fe75330c144123bae3e90a76582d2114f2690",
"version": 7
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "a9d0adef2ea58481a1500782645964ae1514d39bec94471128be69c318e49ab4",
"version": 2
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
"sha256": "76e2c506c37e0ba6f11d046b0a7f98af64d20481efd5758e86f0adee37c6c80a",
"version": 6
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "35502f33157c641cfe6e83113f9301c7c9fbf8b4732eec46a13c0eb77b6df58c",
"version": 5
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "a665ef9f68409a2e93c611f82010ce20c46eaad3789062f5a6ddc85f3c522981",
"version": 5
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "bf46beb44ae071c1d51a5e3d5f2bb6fc6556087aaebec176dcacc2534e974560",
"version": 5
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS SAML Activity",
"sha256": "db73bb49c842b6e76bc78b2f090869034d732417e7e2588dcc6afcaec00be4f2",
"version": 2
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "db6fc652133f94ed3b56312ed656e59574f6060596c8663a150999b25c8fb3e9",
"version": 1
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"rule_name": "Suspicious Zoom Child Process",
"sha256": "939b366f86b602d26bc22bbeaed26cfdf9465352e186f0b0034f0c2b0b1d0bae",
"version": 5
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
"version": 7
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "1827b7a04db141b503dcbe4bdd0c18468ccc43b937e02c76d1f2e7686d2b17ef",
"version": 5
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "b9684cdb75a2a1269bf2e791e60465bb5fe8c0155cababa9c3bb4711ae5bd1d9",
"version": 6
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "5ee29abad0dcdcae5a013c3f3d55a4276d2e3dc2aeee0926e24157f90944a777",
"version": 5
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "1d81b70ac1e4228bcd3d3d0c3c1e32856559b239753ac6e28bf198a118852208",
"version": 5
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "c8e41a6bd406b08af3b150d25058d4cd83f887d58e6e7b13f25c6a8cbfe3dba5",
"version": 7
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"rule_name": "macOS Installer Spawns Network Event",
"sha256": "07c9c8e38e3443ff00955fbdcfd03ed0b67974906d56679ed5f34fa34826a709",
"version": 3
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "34e37a8d16f99007d21007aa800c2fc54f0de699490e0b9be262f91735376854",
"version": 3
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "7.14.0",
"rule_name": "Spike in Failed Logon Events",
"sha256": "7672fb2df32a9f3da61cb0c2022f18f8bf57af080a3e29e0b647e715d887ef07",
"version": 2
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"rule_name": "Endpoint Security",
"sha256": "35d86aa3177f1e13febf07e1a2921393a63e9661a1a326ef641997855f1eff09",
"version": 3
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"rule_name": "Suspicious Explorer Child Process",
"sha256": "c0fb8365df33514e95358c2dff239e8a61b31afbd060ab86ebcd8c00eb20e5fb",
"version": 4
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "e42d1f11048885170aa1c334ea460e06ecf2fd17585fbf040805fb33714bb0bf",
"version": 4
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "60f3f4ec605f4c52a7cfc278b265651dd12b5b9177a26143a797395fc327d22b",
"version": 4
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"rule_name": "Hosts File Modified",
"sha256": "3c3588d174cd600f65ee7d3050915a5831b1bd182e27561d3615c7f77973846b",
"version": 6
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "3672f0f401956a6aa3757faa0cf494a614115fe3a1eeefc8c7f5f61722c7859d",
"version": 4
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
"version": 7
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "87c20cfb4ea3953543c6011959936c3cdc29ec7b103b20edb95253055c27fde1",
"version": 10
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "f04344278f08e013710f49865b7c6a98732bbe932665e30e5ea30696e19a1057",
"version": 9
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "6aa2f902a6c209e4698dff7263b27b1592311dd713e902640ce9f9a2300efeda",
"version": 9
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
"sha256": "adee2abc28a974071b6f404a24a10cca641beed6625be5e838bab6cd31f8e9f0",
"version": 8
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "a61f532cce3874503bbd1987cc4617a2ad83fd6b289756ccd1b4830bdbf496b7",
"version": 8
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "f8c58299787763270b2017db703e128e0ac183a555ebf4bb1de27ec2df22c46b",
"version": 5
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "85c51be85ab3d5663e311b2549849c31b9da10cb4e8c76762efa8ef23aa601fe",
"version": 3
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "939fb37f3245d63c1e25753987fcf1b542e5e60e2f84d4dc26226d40be958420",
"version": 3
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "03ea09bf741f0864cbfcd01045657c731176e2cb81f0a022f61644e68e543e95",
"version": 1
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync",
"sha256": "8ca3cc529b90e43084ed7e700fdb9909e21585b9856284780c92bb4d7493c348",
"version": 1
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b",
"version": 6
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "AWS Access Secret in Secrets Manager",
"sha256": "f3406ca397e06939999f7ca3d674b4fb81401a65f23403bef4494ccd159e7d6a",
"version": 5
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "ff689b3bd1c5bb0b4f157cc38be2b84d8d17823bac91935c763b0b3d984352d9",
"version": 6
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "d7a9f13cd241a8a41a9b8a0fa534b662929f57162382e173dc2a99ab49da8a8a",
"version": 4
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"rule_name": "File Deletion via Shred",
"sha256": "f593f43ce7a9f78b7f49de94fbed61766e76d7721abd4ccc86f7b6f4f8edcb4f",
"version": 7
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "03bdeac5057893f51610fb230139686e35a436d905b7465555966dcfe1769fa9",
"version": 1
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "7b3b1690df6c6b2ede0ea186a352d58f47717c62493f9e48c34776123c3f6d3b",
"version": 5
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "c9bf1fe195602f505c43eda209be7267cf3997e49d86773f719a0a4300d70db8",
"version": 1
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "6f78fd32e25cee20e54d68955f70146f8fef6c8a9a407838c98a204075d706b2",
"version": 2
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"rule_name": "Execution via local SxS Shared Module",
"sha256": "fee8b8d1d56be16d7fe1a0de049286cf7095506b3bf9cc39d48e18ea8fbfd356",
"version": 4
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"version": 4
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "b4e96a5981f76437befb7a429bb81752d2b1bdd22fbb69f417fb410c63c2253b",
"version": 5
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"rule_name": "Azure Active Directory PowerShell Sign-in",
"sha256": "a8f05e0880af5eee9583781ae4d138b80f47204e064fbac508d287673ca17255",
"version": 4
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"rule_name": "Suspicious MS Office Child Process",
"sha256": "e07a208a63f777c6b78eb3e2d91fc678372672774e5c42448f1cc5dddd54d893",
"version": 9
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"rule_name": "Emond Rules Creation or Modification",
"sha256": "59289eddd2040bc752795a3b4b65166988f1d4f1444723421c506d184777a7d9",
"version": 1
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"rule_name": "Suspicious PrintSpooler SPL File Created",
"sha256": "f4e0b1722307631cf5e4d40f510227283e04df89bb1190886dc8016879566d4a",
"version": 4
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "44e523ff34b1fc8bc57e3691d0d7688ee9adabcb86d83dca1175a98f5352746f",
"version": 4
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "1f59c0bfab965460c7fea8706f18a0768cca899c0403ed1110a2d274c6727b1a",
"version": 8
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
"version": 7
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "ffcf3a23ecf79db330993ab61cde6b83bcd1e767ff5c2f1ef06eaa13e17a8a1f",
"version": 5
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "cadc95b5eb7938b3b7310150089830d4dad51e3499916cd2f5c82446659b4051",
"version": 8
}
},
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "7741aa9c38ba126329fbb075496847374a2dd8d65aadd49aa25b7f0f00e6aeb5",
"version": 7
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "09f364282ecc1369272d232ea563722f124c9be5636ae2c9bcbfd6821f8721b7",
"version": 4
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "f3e51f33c8c8fda2a728a1e73185ef757441a7a1fe4d4c7e057ba1ba00e8fd4c",
"version": 8
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "202bc852ab071859636c80b729cda9593499618b3f2dc34c38e267c76a453f6b",
"version": 6
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"rule_name": "System Log File Deletion",
"sha256": "0d46a18e785f0b5daee88973ca06fdcadeb743a9736224a965e472343ca74d30",
"version": 3
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"rule_name": "Remotely Started Services via RPC",
"sha256": "d9ef79e203bf39157dce4e28b94d8ecc9a2863e1171d5003948421ce236c9a2e",
"version": 4
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
"sha256": "a4fa795f24e1eecf02164092ec16a99174eddb8733615dc448b876ebd08b8426",
"version": 2
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "c8bab792d5a0d3d62e1447a105d4446258611cda4cb8a9e4b694a0d514c93728",
"version": 3
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"rule_name": "Potential Persistence via Login Hook",
"sha256": "441dfd8343418bbfed2e8b8d16a371e1bf8e4d742fae0d6237c8cc4f4754fad8",
"version": 2
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"rule_name": "Suspicious WerFault Child Process",
"sha256": "f9937673d94c8d62bfbabf458c5e1153c72a785fbe91043e3598f248d75f9f98",
"version": 4
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
"sha256": "70a62aa5cade20e81839deb1cef446ae52ca3a21725d7bfc00c7fe0adb539d55",
"version": 7
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "01a8beca2e8f570d63e7614d558243b1d0b9c42d9e0ce9f439b10016f06eaea3",
"version": 7
}
},
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "3d8eab60bf795ae6756c1c6058a7c1be2eb14e1c1777a7b4bda27e1906206c95",
"version": 6
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "ecf39233d5f53c119cd57516c3b0ad7c0bc09ff58fd279a47a28d5b61f6c10e1",
"version": 5
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"rule_name": "Potential SSH Brute Force Detected",
"sha256": "d29b62554e453edb9dea6a8ac0d579c62aded9e00bd9d832e71760d5738d5c1e",
"version": 2
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "471a87bc02e6f7d085e50a6378130101e802abd05fc78def073643851037c95d",
"version": 4
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
"version": 8
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9",
"version": 7
}
},
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "72ff218857ba09e7c08970ebc6cdfcba3cd1dd4f0711dbd403b074fee911011c",
"version": 6
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "357d02c45f3021968f8a30e2a4a9c4f8756fc98f2a06c67e1b05cad44efe8ec0",
"version": 4
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "ae34300bc6a31dec04ee9e3edfda886d660fef5b4b5b11ac17e87b1c12629a2b",
"version": 4
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"rule_name": "Netcat Network Activity",
"sha256": "fbd9235f346b2954a4f2c978d543d34065e3534b0e17101a79a7fdc249a07656",
"version": 6
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"rule_name": "Local Scheduled Task Creation",
"sha256": "f0210dc49e358f7039b60f9f0ff7b2339cf65c5cfeda0b549e0dcd4e0071888c",
"version": 10
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"rule_name": "Timestomping using Touch Command",
"sha256": "46f80cee555f16f5b0d6567797b79aff56bf202703fcc3d718d0b057fc05d2d3",
"version": 4
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "826bc637cc0f012b3a24a3c6e47b41edc9957eb2d361245eab2562f4d43b6247",
"version": 1
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
"version": 1
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"rule_name": "Spike in Network Traffic",
"sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417",
"version": 3
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "da3c30b2325fde833e7f51119907e7fe036c63d2c519ebc209219678adcaf401",
"version": 5
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "c1217476aff9f395f81ab6d124984ece66187ecdc92c7519c7cddcce25d69bb1",
"version": 2
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "178f41173d20d636480f9ed3b789bb0815b9f38a327bab209b3a98e29e5ff6ed",
"version": 9
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"rule_name": "Unusual Linux Username",
"sha256": "e25a73b70b17529d8b55a00fffc8d8519098a3374280fad8d7081623383fa6eb",
"version": 7
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "f54b395d6dfa7b126c8bd7c5e445821fe436f4e33c99dd76f6beb89929d6e454",
"version": 4
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "9f2b91695b4312bdd195b4b435baca4915e550c4d1d524e7d2fd81ad7f56f9a1",
"version": 1
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "dafc0655d05eda9f4d7aa25bc681f944dfbb3406af1af35b75c17f0361e07c05",
"version": 1
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c2e6159b2299edf22ee885dfe16c66885739f453c602cca8929190fd39417dac",
"version": 6
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"rule_name": "Clearing Windows Console History",
"sha256": "7019e4bc7049a79eaaa17917e400a2267ed18d60a47401930de10ac006e4c426",
"version": 1
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "1232ea6310a97df413022bbeba916d1067e8d6a7e9e5910df9f95ac3a1631575",
"version": 11
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "10a7503a00c05ce3603ded3a6a5ca6c6cc3087c78881142356ccfa32882f6e71",
"version": 2
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
"sha256": "90d50261b3b2a019e5fc38ce8a60d012d3ce78cee9a83709883621fc5c108150",
"version": 5
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "54696851213ea2ef95385bdc4cb58d942bcf0ffa4d5663228c057dd9b5303bee",
"version": 6
},
"b8075894-0b62-46e5-977c-31275da34419": {
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "0ab87cf62524d8d39578a9c8b1af307d665f1a412a64dc559e92432735cacb55",
"version": 6
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "f2337e3bf6ede7fe3d56f1b71e0c49055ccbacb5d1e3490fca8e6d0ad3b803a7",
"version": 6
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
"sha256": "6569c4c09b7707943f2abd68297581a9b96cda43f2749734235e476c970787d4",
"version": 7
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "051717de0f6c9db9ae1ebe6405e072627948848da2868a8c0deb5e624f0cd2e5",
"version": 4
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "d7cab2144989c107af3b92511c7d537f09bd71feea642b68bf1618580999ca4f",
"version": 2
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "7.13.0",
"rule_name": "Creation of Hidden Files and Directories",
"sha256": "8e1e234b34a64f445bf854bc5c68bfa88bb2958a08ffcb995ccfe2db81e123e6",
"version": 7
},
"b9960fef-82c6-4816-befa-44745030e917": {
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "fb5ff8beabd1977f3f402a145b5142fb38ebfc46926df7ef1830d696692d8897",
"version": 4
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"rule_name": "Unusual Windows Network Activity",
"sha256": "e902d7fb397e08212a5197fa5dce5708b07375ee8b7ccc2719b0633e9b8c27e3",
"version": 7
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "4359dc522ac5d74051800cc05272be74bda5c0d5a2a914038c13a13642eb25a6",
"version": 3
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"rule_name": "Azure Resource Group Deletion",
"sha256": "05d3511a18870e475f0a29b788a09df1b90b7dd3d8c30d71c1fd0f102b7a028b",
"version": 5
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "adb8ef40d1bdb8dc542122c628457232cfa38a8e3cfa3154dbc75847eed0012f",
"version": 6
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "OneDrive Malware File Upload",
"sha256": "e6c68dc60c27ef6e892718a4e3a1071d1d22afb2050b249e94e4ffd94d91185c",
"version": 1
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "cf4ab6152eb828c653990718827e21f607f56f75618bd5f39f07e9ce0297f0b6",
"version": 5
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"rule_name": "AWS Root Login Without MFA",
"sha256": "e1f5cf52a7d175097f8214d1df8ae5c8b9210b46830621e04baedc8df3670668",
"version": 5
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"rule_name": "GCP Storage Bucket Deletion",
"sha256": "5346621003185f9e9f4f4bf9caf8ec32cd996948cd76122ccbfeb4fe19e92908",
"version": 6
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"rule_name": "Attempt to Install Root Certificate",
"sha256": "ecbccde9d45ab87e4c3959dc93eb79ec19b29919d3e172c6a30c702e1b5b59bd",
"version": 1
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"rule_name": "Azure Conditional Access Policy Modified",
"sha256": "a00630117e151eb94950ab0413bee80f0492d7520ffb5cf7f4444e9206eb6752",
"version": 5
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"rule_name": "GCP Service Account Disabled",
"sha256": "660c3b64b35ea795bb74c9eb7b6b3b83154cd7b2eafd8eacd053cb30c89785e1",
"version": 5
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
"sha256": "199201b60e09a340510fcf44f7d7e6a585f9994694d4aa9733417311eef15edd",
"version": 3
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "d32226f39b805f0d3b878197ce1e5edefacb3256c64e3e9202c9471e13b4e3c9",
"version": 3
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "1ab2d4264e5364a263cf0fa8de1fa0560dd6e7bc17b7da303eb226263f58c3b7",
"version": 1
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "992fc3eb2005070d0a2eb094b89e093b57426cbe863e2c35c946265fb8f0d23c",
"version": 2
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "4f5ffad0a0704fa36742992383f0ddc019d7cccaca8810bb8ff864f791f3699d",
"version": 3
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "2e2cc6d275afd2b0ad2082fc64d16ff251c7b91b0ad5370583bc7fb460166ee5",
"version": 2
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "56997e25c16d915db541338be6e5a8c2fb86ea53e874dabdb5648b8dac17026b",
"version": 1
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "b252b1b0ae3130cc2aa2af9cd752d49af6d14fd275f6252fa6171a2c9a3ae506",
"version": 6
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "b8e01edc11020238557b88b3db52fb1b046d6704ecec3c71606e6d560684c076",
"version": 7
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "7ffda053c321a862e713b7900ef19daf1eb500387ba3bd6789b36e3e9f99f3ab",
"version": 2
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "e0426acc19d28951632e6d51dc170face86a592f82ae4eb55ee3144a9848b31c",
"version": 4
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "711dd36c9d0eca5be33613044ab9de38bdc703b51e619c57abd6125385dc7bb0",
"version": 2
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"rule_name": "Persistence via Folder Action Script",
"sha256": "ab6c806117ab8f06a992321c114ddfe378ad6f83439ab3b977a52868201c48aa",
"version": 4
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"rule_name": "Mshta Making Network Connections",
"sha256": "b4909209146737396e9b58b34966b2b3891fbe958caeeb010d6c23ebf2cf207a",
"version": 5
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "20cc6568ccfe584a934546ca41589195cc38d5c9c159424b793f04f55910382e",
"version": 7
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "15021e6cafece04e5c66ecb8390c4a899e2cd9d5728ff2a165a0ff303dc24d4e",
"version": 1
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
"sha256": "693df7d5173a8307da3c937d1bbb6e29f69db99529a960ce4fe9bcae2c331c5b",
"version": 1
},
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "fd98829f6683e70e5a3d3fe8ed5fe7ea2a35a9eb323b012ee895ea1e3b563c46",
"version": 3
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "d3e940a5c8517168cdd443783e02286039c72a78c5c9f24dad0eb7be0b1fffb3",
"version": 1
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "7a378b1a7fa710354f67ee1b8b60ce93653a48edd7466d796f3e9d64d03aed7b",
"version": 1
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"rule_name": "GCP Virtual Private Cloud Network Deletion",
"sha256": "88bf63fa5666b708286c1c057c13d9395886468103724aaf6336f5715d4fdc31",
"version": 5
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "90f5901627a5d6c6563a83d379a323230fbdff1ea541807afe7fea4660970e01",
"version": 2
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"rule_name": "Installation of Custom Shim Databases",
"sha256": "81788cf9d61ad308d13bca2f9882ffce48353414414d4bd05235253088b8407b",
"version": 3
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "1998ec75b5eb81ab21dc332a0101d5fb3564ec7fd4023c45d8bc0707c1a9b36b",
"version": 9
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"min_stack_version": "7.14.0",
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
"sha256": "0c5ec551b85d7e7e8775c4c1508a831c6019881d679e137e6f0531968d3ab03c",
"version": 1
},
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "0677ca2d233fcadf37a6e15f291d8266722f3b18c926aa5b76f3b1b71f57bde0",
"version": 5
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
"version": 8
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "324244d3a1a21367876830445120fc9ce2a3693ac832ce11442f9c71ba26cf1b",
"version": 4
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "897b7cf567d45aebb4daaaba655d2627aac02b5c883882dad6f9cd26c1243975",
"version": 4
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "3e28a8bb55979694d9772245c4b8a44aeb04b4b6ea95f171ba58752e77a128c8",
"version": 1
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "28d8ceeeae367d91ddfcc5654ea7a2a4f188e3914886461d1379da1a9e2a4e48",
"version": 5
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f",
"version": 2
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "8b02aafa4506d9cb5eda8c8243ed102f6b9e882c5a109e5c1f26b086ffbb0afe",
"version": 2
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "cccbd868c1f9fa563d8d731c88ed3e783e085b8c53412177f113a9eaa94118ac",
"version": 11
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "Direct Outbound SMB Connection",
"sha256": "211e2a7134d501f32017fb32b025c99a139a2eeabb60830d0df4ca74a56b43c8",
"version": 7
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "bf300101c83a76a56196a6d061a1495f30d48c3bab5d7eccc5a121967d04c754",
"version": 1
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
"version": 7
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"rule_name": "Parent Process PID Spoofing",
"sha256": "1fef8434702bfb1e375a190414def78e6ee6a6523b0ab47eab82953922195230",
"version": 1
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "df47026f246008b97ac1129190ed1ad88a0f5ee9e13f9740f947380078db82a8",
"version": 4
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "611d2771b89ee0ba4bddee2fe900cec60a79a0b9a76e4428365fb04bfbec58f3",
"version": 2
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "0a3aa3ec4774795554e8be4d9db16b5aa97c1afe8673071bc15ecad2042067df",
"version": 7
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "648947b1b1ff3cf148413b8bd0b3b53bf36c5505da5988a23ec993fa3083b313",
"version": 5
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
"version": 1
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "f8496e8188b47da802b79dba6b01c3f9f4e4d7fe9c0adf98503ec33e0a2f6747",
"version": 8
}
},
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "de718fed93c2314061daddd300ddb5e01064210ddc42d687fcdd988aa2595d5a",
"version": 7
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"rule_name": "Suspicious Calendar File Modification",
"sha256": "ea21157960f47745d507cee8da54a4fcc8f75c41b225f6ee08d8462e6879a7c7",
"version": 1
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
"version": 6
},
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"rule_name": "Attempt to Enable the Root Account",
"sha256": "25a2832a5de142a55071b950816a7c18bc95e803ac391db31c6caa1ed11689da",
"version": 1
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"rule_name": "GCP Pub/Sub Subscription Deletion",
"sha256": "88d5829dab8d3f0f92799ccdd422cd9f521302270dd2c81d5ddb41b60b1550d9",
"version": 6
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "dc85297baf482232f011b9ce98f169f3b7be8b1422de1cceb9f7af2b50560327",
"version": 6
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
"sha256": "2b1dac1ccc6843acfa825aa0f250925056ed80d273deef8c7fd10f656fd48f35",
"version": 2
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "3f66423329bee6d660afe1e7d5e5d4cfd7203312e3babd6015ca1fee60af2659",
"version": 6
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
"version": 7
},
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "72774e826f2421c6fb071aca38cde16199ac2227c454f40e278aa68331bfb9ff",
"version": 3
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "ada4b7f1536b5940bf11ef7267b8ccefd251c58d01db796b01ab135fc4d18a32",
"version": 7
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
"sha256": "a3f866bf18352bd51f590bd78b5ea55a23c8bc7788e93a4b0c6e4a1f1d222873",
"version": 6
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "c3ab50eea009a6df031ff727cb6f5ab3e6699ab059766dd11702e0e67ae8522a",
"version": 6
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e",
"version": 6
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "5cbeb7ba36d4bca274e78516b67aa418552a39af7ff07d0605a306cacb27a1ef",
"version": 7
}
},
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "734ba85eb72a8c8167a1247c75d48bbd9abb0a9954f8a357a20017258da978de",
"version": 6
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "a361597bb52abf436cbf188b582ac1d3f77be85d7fe6c10a6e00c6acbc6938cc",
"version": 4
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "8e0d01f097a813b149534720764b6fdbd833f36728870e242c7c1292ba2dc249",
"version": 3
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "bf42a9a4a18efc72f87194d38872a565e6a5bf75e6baeef8789293f6854950f0",
"version": 2
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
"version": 7
},
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "8021ff270be998297c5c97ba9fc27fd8a1b77952434ed4dd2bff1fabca2860b8",
"version": 1
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "ee9768020aceeec742747d02c10584b87657ba6490ddcff4553dd8fc8a23a58e",
"version": 3
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "ecbbc7859552c8437157063f812772cb9577843591fc62608079300e3210e66a",
"version": 11
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "81d944d6e43616c8ce9d52f1959afb89444b9972b4c8269b28c8d7c74485e4b8",
"version": 3
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "015b43d6b11252e9e5bc11ccaa1d78aa3587aa342e429b51f668a160ef3402df",
"version": 4
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "4b9eead51bdd9860f02d47c1a20fc4892ba90960f2151ebe61c89e07ed3f4263",
"version": 7
},
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "e6bfd938d1323fddf3554c4c9a5a57d6490c2b23ec7d42a12455a5cd6ab96d14",
"version": 2
},
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
"min_stack_version": "7.14.0",
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "eaec6ceda71a7d7f2ef470443ab29248249a5782241bd0d422c6c5201dff280f",
"version": 1
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "df727534686ff5d08f97b53cebae31cc82f831264c16022e81a2aeab10cbd8f9",
"version": 4
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "36945a6918d4b8f1672682279ce8123b9ebbf06b04d6193f67d7f70ee25c2a17",
"version": 4
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"rule_name": "Service Command Lateral Movement",
"sha256": "14fe2ba1367484a6ee97e359ba9b8c5c66987e02d2865d8537b9ae9b1ef6d2ab",
"version": 3
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "2f43c3628e1f8540a1c844cef4b679344bf077381ccc1f8acdea765c8f3c63a7",
"version": 7
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"rule_name": "GCP Pub/Sub Subscription Creation",
"sha256": "ff495b8181b94c67024c06bd2b1b9b4e52e571de47f5946026c188d07772e0a9",
"version": 6
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "394e164b962405824e20fa9efd81e7a2a8b9017ec483bc0d0dec04f4bb9684d1",
"version": 7
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "99f23f66b2d5168fc92a02d94e79cfe27e1e7e3b869a4fbe1c8bc605c158fcd0",
"version": 5
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"rule_name": "Modification of WDigest Security Provider",
"sha256": "cf76266315915f3366228a95730f540c6069fac0024bee0055de9054f16c5c1c",
"version": 2
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "fd80e63af37f8a2a7921dc49a3a6d8c2835e23bc3c4595ae3febaf378127ca72",
"version": 3
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "e1c1c4384395fe59e788f530caefc25c56cbb6b0af0d06d448c7095b47643b7d",
"version": 5
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"rule_name": "SystemKey Access via Command Line",
"sha256": "a18ebe990afbe127f7ea57580737c9d7db9d0e80b10c21bdb54457f92be02107",
"version": 1
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "1b8e9ea27c151d2de3fd5c94f0ff8de14098ccc0348a81ac3a39dc28f0dd118f",
"version": 6
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"rule_name": "Azure Blob Permissions Modification",
"sha256": "0a8db0c43b681d84156a42b60ab5ecd8fe9caf71f2bc01c51a9c768bf9d901e6",
"version": 1
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"min_stack_version": "7.14.0",
"rule_name": "Spike in Logon Events",
"sha256": "f597878752cb6e91544579901584b4938249c29026da834e202622b3194aac5b",
"version": 1
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "7e8d3c2560ac6a468f7701f9ee237e39bc51231edf8d5b94ab0055d60286730b",
"version": 8
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "a96204e734aad61228f51845056ce0f072c2740658b3d7b8af4eff8706a9ba9d",
"version": 5
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "c564a84bd80412505c6c368bbaa4901157515871a4dca9ef8642fad1cdbdf2e1",
"version": 2
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
"sha256": "11c865273e884bc2fc14a65de9455d9d999fec216a350a79742055ea2689a328",
"version": 5
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "2d8957ba5a8d444bcd904025089be6e4eb710b93e029b4242316d5e95274facb",
"version": 7
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
"version": 4
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "c7114e3a146e9a6f433e98cf3f746fd92dc8fec7c778c85f81593faa766a1295",
"version": 10
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "f63e24c5a39e77b1e2b0464b83698f95e46229dfcaee35404a06ca3d23e91ce6",
"version": 8
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "efa60094cebe3428f728d0c83e1c5a563182fe632fc708289651cae652351029",
"version": 2
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "25b0e6100151bd4ff5c5484ce7221fc4dda10c7d24dfd447a7f604fe70ae74d2",
"version": 4
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "2dfa50e7bce0eb5396a016deae281f948ed101975bee4806e8d388199a8b4012",
"version": 7
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "40ac13cc950b6d31bbf8793ae0941af4edbaf36dc40070df6f4173775298c968",
"version": 3
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"rule_name": "Azure Automation Account Created",
"sha256": "5edf3bc8df71a855a4dab07c6f921c2a459827567c3c4149ec1f3aefda5453ee",
"version": 5
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "8d4ae843cb9c1a4ab4c415b00ed10ca09a6ff0c4911446cf5d667f379e7e2ea3",
"version": 7
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"rule_name": "Azure Firewall Policy Deletion",
"sha256": "a1d4f0fa9407969fc217c89005688467e15ce80b501d09f91d9eebda0756b9da",
"version": 6
},
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "e49f5cada4a25f4e15cc4ab4eec1aa0f7bb9dadacfd9c37059fe0a39bdd8cf2e",
"version": 1
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "0e7206d6334ee10726bbbf513659b98a614a9b5ab2e916603e598d530ff31e70",
"version": 5
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"min_stack_version": "7.16.0",
"previous": {
"7.13.0": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf",
"version": 5
}
},
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "f182f841954adaa9009a1b62d0b98506f864adc4d7ab93e8467f26ada0f518d0",
"version": 4
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"rule_name": "Azure Event Hub Deletion",
"sha256": "0f7dfa6f861c221ea106353380859eee6f1a047f463f39fbacf7de07af246e71",
"version": 6
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"rule_name": "AWS Route Table Created",
"sha256": "c2d3c4f677cfdfa69ef9ba32f1d771d62809253c641ffea2d75fa7b2e85f559d",
"version": 2
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "AWS RDS Cluster Creation",
"sha256": "d234e6465e48075455eee2f94a978eeead53a68f150231dc941a6ca4d1db897c",
"version": 7
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"rule_name": "Connection to External Network via Telnet",
"sha256": "a45edaf4d918bf73f99e232fcd351f941cfa4f924fd8e1178dc914370f3c706a",
"version": 6
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"min_stack_version": "7.14.0",
"rule_name": "Spike in Logon Events from a Source IP",
"sha256": "604e329a73f5f711f4d8aeb944976f58a8d5a993388062231c925fe211be1b91",
"version": 2
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "cac862ac2f6933ac4a3b016aed2ec100b670ab49ab3d148e57a4f2af8f4b10bd",
"version": 2
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "94dcf7938345325b7cca64d3a410cffbb9e2503ddb509afb63a9721087a0b906",
"version": 5
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "866137e7aaff75679d9cb9daec327239af72cebed02ddf3e877a76afd1116ecf",
"version": 4
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"rule_name": "GCP IAM Role Deletion",
"sha256": "5031da57a37dd009a981fac97fab322c1464d65b3f518b11934a4deb79d9730c",
"version": 6
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "b4768d0f8f0ed9689db41b8f284dda3bc646f7b85d32b60293e82285d6dfa9fc",
"version": 10
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "e55bea74533e2fc5765e72b6d225511d1cfe053d9489dd81361da331c5c57f85",
"version": 1
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "2597f5c35305aefc8016770975bbc727d72230fbabd8c9418d4147741104be0f",
"version": 8
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "b055eb46d4206980a676f50c0e7043bca37dabc37a33fcbd47ceb640532adf6f",
"version": 3
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "b0987f3c7fe63baa9cf5f7327fcd5eb56ef9c49670d24d64de92f40d958e602d",
"version": 1
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "8d8985d87033dc11c0e673c1d9963cf89369e11468d2d4ea2c786fe7ed03b518",
"version": 6
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"rule_name": "Kerberos Preauthentication Disabled for User",
"sha256": "6da2733caeb41cd77fe6dab1b5fd5441349cef2efd8c0d39481f0cf8f454461e",
"version": 1
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"min_stack_version": "8.0",
"previous": {
"7.13.0": {
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "1b8f18bfcd5ebd6a7ef2cad523000d799d2cba09cde203a94541c9ad03327c82",
"version": 8
}
},
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "aea30c3bf1eb96e0c6f0c64da484ca2310b1ae26e8679030c0a30a8058982a77",
"version": 7
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
"version": 8
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"rule_name": "Bash Shell Profile Modification",
"sha256": "870461090ff0ee534196576c1434c8bab00da1ea368665bc7fbea973a390e24e",
"version": 2
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"rule_name": "Authorization Plugin Modification",
"sha256": "ad9317a7f7fd99c1ba80a7666b86353686bb19e51c37e2af77267750ef650018",
"version": 1
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"rule_name": "Possible Okta DoS Attack",
"sha256": "be780601c9e4a7e1aca8845facddfea5d71bf738376e9880f61beae46ddc51a4",
"version": 6
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "246d03e49a68169a248914b3d7010e3707f42a27ef57fc08b24727a3b5f06773",
"version": 1
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "d06b33a543d522b2f430c7851d7bcfc6784092fac3d4efcc1bd100f0eebabee7",
"version": 6
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "a20d59b00c5cb946794ec2b30277dc754792a46bce3ee1cd6274d512ff418929",
"version": 2
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "24310c50c362c030cd18b5fc424495faff6d0a8124112c0c786911fc8ae10ae6",
"version": 2
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "8151b1deb537fd602fd988f92448e6eef5ff8ecce725851068f3338f4de8a95e",
"version": 10
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"rule_name": "Installation of Security Support Provider",
"sha256": "12abcbd73be1245f4c4a087b27c82ce94378f2a0372631b3391c8cf696e7cefa",
"version": 4
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "a3589119873fe764082ca62c45709fecf67be62df872d4dc816e0bebc64b5429",
"version": 5
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "106155918013377d2c3d72ff9b2d607114595c86cde344092595ee3340b5a9aa",
"version": 2
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "dd2054d650d5ab62a662b60e2b292f49f99261c71ae4c360686b78ea3f5362f8",
"version": 4
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "8d77171cf0f3a00f7c7f86fa5a55cf2a6f92fb20fe2ac7515ec1c11255a015f9",
"version": 2
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"rule_name": "Azure Automation Webhook Created",
"sha256": "6c51a2f7039139e42c9c5ec21c8e61544c1b2becdcebc6fc2923654efffa8169",
"version": 5
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
"version": 8
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "05d4c9f087486af875f198e0211e9ed7966e7e37e52aa9cd375374e56eb87fb1",
"version": 5
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"rule_name": "Spike in Firewall Denies",
"sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5",
"version": 2
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "3c761c7b1a22a38d6334369cd822c00a6b2d954f9c650ffc564cf84ff8f8f403",
"version": 4
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "3b60bd1e0f1c27fe50d75322e0e94e81d6569d94d048a2382ea656abc9e4dcaf",
"version": 1
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "062c1916cf85ed48401162e51109dc371e142f7983c9f404ab00cbc1846a3a40",
"version": 7
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "df9854e81170ce396fdfc35f6fdfb40c97ee5a8edc656f3e146e11102777b8fb",
"version": 4
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "09683401b4fff4e70db85bd1e692716a304d674c78fa75013cb09ab1e0236835",
"version": 6
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "5aeab7a2f59aecec28d8a1dc26d6183214c0b766a78fe542ffa59d282b42e2db",
"version": 3
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "607732c4fa53c679773c0154a36d176db4fc120c4d05c90139bc610165d853b7",
"version": 2
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "e55c3cf978d32cfb164c5b8c8aa39ae007961fe094ad77f3c841b63d07cf2bcb",
"version": 5
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"rule_name": "Azure Global Administrator Role Addition to PIM User",
"sha256": "081fa89e03c534503260ad3e556fc428c707a6d443a39e2608dfe96f6f59d34b",
"version": 5
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"rule_name": "AdFind Command Activity",
"sha256": "aa759afe354ea02b1178b85a62e449549a60c66f29fa1f9bbc36cc6ecc03c7ab",
"version": 6
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "8da582f29fb72ed46e190081bbe82f4b0666ad3b883cb74b3986eff63610ef66",
"version": 4
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "6f44ec751ed71022884f3953e3b7f63827bdd82eab59cc5f47fbe4322f3f8414",
"version": 3
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "58881af4b4b5bc650329bddcf9a241e080d105eca0fc158b58ae94fe71c8e753",
"version": 3
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "db0c018993905d4f31b0d66f2b4dc8757c3c7d2228c2e56d1c15d4bc3309075c",
"version": 2
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"rule_name": "Whoami Process Activity",
"sha256": "fe2c910bebef36620062b269c0448a3fd9b43c00833778137700385bfcca4a7b",
"version": 7
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "779861ae9a5a6d779252d3f50f03be4b3b396c034d7cb7d558b8742884bd10d8",
"version": 4
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "66263b5a6a9cb7c17f2fd4a6c8c79078cc09d49f8f35ca811226da66e5002fea",
"version": 4
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Attempt to Remove File Quarantine Attribute",
"sha256": "0f27489f0578b5596891555022bb25c63bfe725160ab7d93c8c02efb92a40463",
"version": 3
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "75b2fa37eba863b363c80a411d125c57fe44e72971aec6689befafaf53212bea",
"version": 2
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "4f8fcc4f978c267b58a59c41a4e4f617ba6b8792e2aa22fb26f971279ea9f8cf",
"version": 2
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "687a91ad38f1a50dc0a07c13c05aa7655159f7537889038cd0ef4c720ff24fd9",
"version": 1
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "0bf0f53f6fd19a94d99b558b91d1893ebe242c85c4d77ad0f853700b0be8d614",
"version": 1
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"rule_name": "SIP Provider Modification",
"sha256": "2ba459343a12bb5eab29944e3968636c5b38e0007b17f8e5b6b8c12c58827110",
"version": 2
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"rule_name": "LSASS Memory Dump Creation",
"sha256": "1bb7f26beff47b579126c16832e72166cee2812ed3b488223fd921bcfc96f456",
"version": 5
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"rule_name": "AWS RDS Instance Creation",
"sha256": "0ec2175d57448fcee88f8c0959e36d170fb2c4316bbeb2724bc03fc65de12ae1",
"version": 3
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "697265472771d768d277926b42e99b11fc14f495b24c6f2b8aecc0cc10b6409d",
"version": 4
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "6e5898678bcd1b9c833fd090aabbf6e7e2fd69692405c532e8e7db74f71f9ae7",
"version": 1
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "e10cd34197457df5ffa89b628dfbd7d9ccbb89c295b5b2de5d3a305df3a8d158",
"version": 3
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "f289922736ffd6e74e180daa7f30a3b93686535463b8d9949f29722388e2a75f",
"version": 1
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"rule_name": "Windows Script Executing PowerShell",
"sha256": "9675f6c2d6b7bc26b770ed6f8bb5668058bb865b782423786a1ebb70bf5de797",
"version": 9
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "841cadac1dd3470f4549689e834749aef7cee102c1ab901ea1e65ea87af475d6",
"version": 3
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "cc34e136a98a0c3da501db77e87e4418a36d9fa1a9af7f2809b0e876a0685baa",
"version": 9
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "baedc4fcc8fd933fc5bf8e2f76c4ebb6acb9bded48fe91f102727b5978c797fa",
"version": 1
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "4b1671042f16430f483118a068274d7d28eb2e09124df8365a96a357899dd742",
"version": 1
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "5ba0f707d95e1455ba5ceaf33d751de1607ba2d8b4dca34d3c938c7768003ac4",
"version": 7
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "e4fc24490738631aa609769246c6540ec8b95528a75c4ba57e34c547985bc047",
"version": 3
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "ec14e52e83826d9560d3fd5517acd8ea8328d2ee89f66fdfdc679bc2843e2eb3",
"version": 2
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "a1fab020030d01dfba1dc1c38293f9c6f11877acef2296e84bd9934cb13f0b29",
"version": 1
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "0533f464fc056492b1be7563a334064ed3a94794b0fc726a8f6c58af99f3fc69",
"version": 3
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"rule_name": "Unusual Linux System Network Configuration Discovery",
"sha256": "e0d27723f14bfc1f2d57f46507f432ac8447aeedaa48ac60222193653c4ea2a8",
"version": 2
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "c0e090cd568639eb8a72c9c5cffc485a12fe5c1e837a054e3a9ed90da45f7748",
"version": 6
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "0bcc52e13022bb037d72173ac8df764dc3ed52b276fb65e89798744dcaac3aff",
"version": 3
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Registration Utility",
"sha256": "cdee88e91070d7a8c85aaec9d595418a9392d5e0a0a561789d4a51234aa790c8",
"version": 10
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"version": 1
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "f3105951c9d7b6566cb1ba921365735bf3b75776e1329e5acf10bc0827876c00",
"version": 6
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "8519a65c58825cc9ac20c90228acf96311026b61e6cfd0e17b73f27434bdf4d2",
"version": 4
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "96d6852fdd698f7298c41ddc6f5f45e8b8a82fefa5c52e1d9183b97850470400",
"version": 8
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Suspicious CertUtil Commands",
"sha256": "122b3b7f61d4146ddcd3551328c63fd1c56f01dad1616d83022d2265375ce1ac",
"version": 10
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "3d1669ea32950b0330c14ea0ed19dd4205c656d44f4860b304c3b103c487c717",
"version": 8
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "96e700cedbd912428d2141285aeb62d039ba2b0ef593f70f72c0faaca1896dd4",
"version": 2
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "5fdc6d766a59b36c16b02377c9284e22b5a2df1d9d3fcca9e215378f032e4e59",
"version": 1
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099",
"version": 9
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "ccdc2ee09712e2a2ea42f40d9aa8bbb35835b6251cfc22ca520f2f5eec5ae28e",
"version": 5
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "d1a7cbc54b4f8910cb9a43b7d0d568b13418ca9fce205a9fbdcc2396a3baf618",
"version": 5
}
}
Reference in New Issue View Git Blame Copy Permalink