github-actions[bot]
86cc61c233
* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 * Update detection_rules/etc/version.lock.json * Update Patch version for version lock changes --------- Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com> Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
14123 lines
502 KiB
JSON
14123 lines
502 KiB
JSON
{
|
|
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Attempt to Modify an Okta Policy Rule",
|
|
"sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
|
|
"type": "query",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Modify an Okta Policy Rule",
|
|
"sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a",
|
|
"type": "query",
|
|
"version": 310
|
|
},
|
|
"00140285-b827-4aee-aa09-8113f58a08f3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587",
|
|
"type": "eql",
|
|
"version": 115
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "95d6bda6c85aa51a099bee8f81f8ca363afbd0a32c6243308b42ca2e6acbcbf7",
|
|
"type": "eql",
|
|
"version": 215
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "d0e504df5a08de7cc03083586e584341e9e476f9a9f5e9a525b4412d81faee74",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 413,
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "708a60d7b82bcae8d3c5d83d4e192c9b30bb0f4e8d73b7c6c3cb947d05f98199",
|
|
"type": "eql",
|
|
"version": 314
|
|
}
|
|
},
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "15ba51d5a9926689787c960642056ab3de981a47b061a42487b3d8425f22e435",
|
|
"type": "eql",
|
|
"version": 415
|
|
},
|
|
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
|
|
"rule_name": "Google Workspace Suspended User Account Renewed",
|
|
"sha256": "8283b518baac8842c7ce326891bda4e15bace4d280e83afbd132727190139aee",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"0136b315-b566-482f-866c-1d8e2477ba16": {
|
|
"rule_name": "Microsoft 365 User Restricted from Sending Email",
|
|
"sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"015cca13-8832-49ac-a01b-a396114809f6": {
|
|
"rule_name": "AWS Redshift Cluster Creation",
|
|
"sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
|
|
"rule_name": "Potential Network Scan Detected",
|
|
"sha256": "0b7bd18f56d2a7b5f3bc16613aeb6e2a09c6a9ccc54a0592c9835fff18811b79",
|
|
"type": "threshold",
|
|
"version": 7
|
|
},
|
|
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
|
|
"sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
|
|
"sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Potential Cookies Theft via Browser Debugging",
|
|
"sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Potential Cookies Theft via Browser Debugging",
|
|
"sha256": "28cbeaec5f3660a4e3a04bc6a7cb9638f8a0875530b512ad5614994fe1c3f004",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
|
|
"sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
|
|
"sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
|
|
"rule_name": "Process Created with an Elevated Token",
|
|
"sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"02a4576a-7480-4284-9327-548a806b5e48": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "378f6d82a234a955375536d3a61db47a5093fe754b62078f81f9746f4e1a3ac7",
|
|
"type": "eql",
|
|
"version": 308
|
|
},
|
|
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
|
|
"rule_name": "Potential Ransomware Note File Dropped via SMB",
|
|
"sha256": "c09424400f8baab1bc7e15018527a7b26314073d02a79aac933a265ba32a2bf5",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
|
|
"rule_name": "Dumping Account Hashes via Built-In Commands",
|
|
"sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
|
|
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
|
|
"sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"035889c4-2686-4583-a7df-67f89c292f2c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "High Number of Process and/or Service Terminations",
|
|
"sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1",
|
|
"type": "threshold",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "High Number of Process and/or Service Terminations",
|
|
"sha256": "4ba341e47ade2acd985606544787c92e19701acffaf9c287fd5689ac401c7368",
|
|
"type": "threshold",
|
|
"version": 212
|
|
},
|
|
"035a6f21-4092-471d-9cda-9e379f459b1e": {
|
|
"rule_name": "Potential Memory Seeking Activity",
|
|
"sha256": "20152e6156019129d0fbbb345d391d5e782b2a10b7ae835fd26d8be3e6e3838c",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
|
|
"rule_name": "Suspicious Dynamic Linker Discovery via od",
|
|
"sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"03a514d9-500e-443e-b6a9-72718c548f6c": {
|
|
"rule_name": "SSH Process Launched From Inside A Container",
|
|
"sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
|
|
"rule_name": "Potential Network Scan Executed From Host",
|
|
"sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"0415258b-a7b2-48a6-891a-3367cd9d4d31": {
|
|
"rule_name": "First Time AWS Cloudformation Stack Creation by User",
|
|
"sha256": "94bf8efc1418d0c3dbcfad25b23fcfb931aaa7d34d5a718971956c00ce220f69",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"0415f22a-2336-45fa-ba07-618a5942e22c": {
|
|
"rule_name": "Modification of OpenSSH Binaries",
|
|
"sha256": "04af79fc085a46b7a9239dd4f9bfaf09118355ac4802004f3fdb734b00113972",
|
|
"type": "query",
|
|
"version": 110
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
|
|
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
|
|
"sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
|
|
"sha256": "ca6b6244eb33d751ab8afe90e9447bc34a5cd46b0e4604ee73d8c2e77612cb67",
|
|
"type": "eql",
|
|
"version": 102
|
|
}
|
|
},
|
|
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
|
|
"sha256": "8a7f7f22aef8cdf2fa76b6194ccab0d26453470ba193c15aa82ef83fa9cf3102",
|
|
"type": "eql",
|
|
"version": 202
|
|
},
|
|
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
|
|
"rule_name": "Azure AD Global Administrator Role Assigned",
|
|
"sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
|
|
"min_stack_version": "8.12",
|
|
"rule_name": "User Added to the Admin Group",
|
|
"sha256": "018ed4ea49d89558cfa618d30dec9b266a2926894b75e434ede0254443d6bab9",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
|
|
"sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
|
|
"sha256": "ae7b800eac312f398df8ba82f12abc2529bb704c4185f69948be3617af2847fb",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"054db96b-fd34-43b3-9af2-587b3bd33964": {
|
|
"rule_name": "Systemd-udevd Rule File Creation",
|
|
"sha256": "12d9feafcc88441dac8a47687708fa8fb7bf194076d084b80efd2128b97a5570",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"0564fb9d-90b9-4234-a411-82a546dc1343": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e",
|
|
"type": "eql",
|
|
"version": 114
|
|
}
|
|
},
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "b2f9992729bc05c1ad61753e6a581826cfdbf50a5cfe644cf620c534e0ee0add",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "ccb2ff57c3244f25002537f1dc77486f9eafdcdbd670e3f6c41a50749f80121d",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "de972a03d58e0257614b0bd101a01763a9c8905bf07a6d5a97b16871115da13e",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
|
|
"rule_name": "Tainted Kernel Module Load",
|
|
"sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"0635c542-1b96-4335-9b47-126582d2c19a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Remote System Discovery Commands",
|
|
"sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4",
|
|
"type": "eql",
|
|
"version": 114
|
|
}
|
|
},
|
|
"rule_name": "Remote System Discovery Commands",
|
|
"sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"06568a02-af29-4f20-929c-f3af281e41aa": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 109,
|
|
"rule_name": "System Time Discovery",
|
|
"sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "System Time Discovery",
|
|
"sha256": "91c3723d6e06feb5696fb366c36fe16394766a895529e478dcfcc8ccbaddc71f",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
|
|
"rule_name": "Unusual Remote File Size",
|
|
"sha256": "86c63dfc5a14108858c1a668088b651845e888e1dfa6764e364d7193cda1e105",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
|
|
"sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
|
|
"sha256": "042f24758999dd875c2a6d26e28f71851c30b509b0ea5f898455dd21afc4bc81",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
|
|
"sha256": "dec496b372a0c9557658a4e9e0df8160dac454df7fd61ff83f0ab2d0eecfcbd1",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "3a61aa859d4dd430becb99b7310d8f43570207832557eedf3e2684c3180cd10c",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"074464f9-f30d-4029-8c03-0ed237fffec7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "75622c12c2b3910b87a6b069b747a11dd444908ee4ed676472e167c4347fb1b4",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "69ba5e2f0de8ccc7766ab1484193e28e740b07a10fcb6f6f37899158d8f1dd24",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "GitHub Protected Branch Settings Changed",
|
|
"sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "GitHub Protected Branch Settings Changed",
|
|
"sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
|
|
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
|
|
"sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5",
|
|
"type": "threshold",
|
|
"version": 7
|
|
},
|
|
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Local Account TokenFilter Policy Disabled",
|
|
"sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Local Account TokenFilter Policy Disabled",
|
|
"sha256": "1d581fab9894150d93b9290184613601916238ed613aed8f033ba029c6d7f747",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Local Account TokenFilter Policy Disabled",
|
|
"sha256": "cba44e5f0b785c8ff69b139d209a7e10ae87452830da92efee001b69f5a95d51",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "9ef2074f6e701f2d706ccfe7165569007fc670532ed8a720905e2fbff4754a32",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"080bc66a-5d56-4d1f-8071-817671716db9": {
|
|
"rule_name": "Suspicious Browser Child Process",
|
|
"sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
|
|
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
|
|
"sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"083fa162-e790-4d85-9aeb-4fea04188adb": {
|
|
"rule_name": "Suspicious Hidden Child Process of Launchd",
|
|
"sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "First Time Seen Removable Device",
|
|
"sha256": "aec36fbd3822bf9e12b866c619574507647dfdec52725d3f77d00b7be3d4aaef",
|
|
"type": "new_terms",
|
|
"version": 9
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "First Time Seen Removable Device",
|
|
"sha256": "629de40be19abc034ed2f876dd72df2fc72ce0397116eed55c08d790401d4da6",
|
|
"type": "new_terms",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "First Time Seen Removable Device",
|
|
"sha256": "20d5ab4b426cb84f65b990fde4a3011164e908b124f4c961646afae8d6e73a58",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"089db1af-740d-4d84-9a5b-babd6de143b0": {
|
|
"rule_name": "Windows Account or Group Discovery",
|
|
"sha256": "345611059c1ff3167364a9fd80b7f975c8cef14393238750bfa8c6207ab12bd0",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"092b068f-84ac-485d-8a55-7dd9e006715f": {
|
|
"rule_name": "Creation of Hidden Launch Agent or Daemon",
|
|
"sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"09443c92-46b3-45a4-8f25-383b028b258d": {
|
|
"rule_name": "Process Termination followed by Deletion",
|
|
"sha256": "07259ee65eed64efa83cd67f2944378c9f5eac6af8a0d950ddf46fd06505c613",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Member Removed From GitHub Organization",
|
|
"sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Member Removed From GitHub Organization",
|
|
"sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
|
|
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
|
|
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"09bc6c90-7501-494d-b015-5d988dc3f233": {
|
|
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
|
|
"sha256": "ba5ece96c45f82ec3deddbb0311dc407ea0a8234e9dea257649d0cd4014c2eff",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
|
|
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
|
|
"sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"rule_name": "Malware - Detected - Elastic Endgame",
|
|
"sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
|
|
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
|
|
"sha256": "d6a0f724b514c85dbde5be35083810d0d6e18c2cd144eef691aa03bd23590370",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
|
|
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
|
|
"sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
|
|
"type": "query",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
|
|
"sha256": "1a79fc397af3f12c7da606036342d1b41b7d2b17df4a446cd98e618b4e7e9891",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
|
|
"rule_name": "Yum Package Manager Plugin File Creation",
|
|
"sha256": "b6b6b3ca5a1b00c1c9c2963e11de9416eb551dc1cae810218908a0530dee3559",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c",
|
|
"type": "machine_learning",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "acdcc7db7bd1b750efe71ad345cb5a5475fd227ac91ab85cc7c45383df0d9eb0",
|
|
"type": "machine_learning",
|
|
"version": 208
|
|
},
|
|
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "User account exposed to Kerberoasting",
|
|
"sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0",
|
|
"type": "query",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "User account exposed to Kerberoasting",
|
|
"sha256": "4b5cbd7460298bb5d01a57eea52921d5400e6071d98b2cb6ec940f3fdcc3d2af",
|
|
"type": "query",
|
|
"version": 213
|
|
},
|
|
"0b79f5c0-2c31-4fea-86cd-e62644278205": {
|
|
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
|
|
"sha256": "ba7852357719e494be81332b6d01118f5355863b002a850e69704188995ec8c6",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"0b803267-74c5-444d-ae29-32b5db2d562a": {
|
|
"rule_name": "Potential Shell via Wildcard Injection Detected",
|
|
"sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.13": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Attempt to Establish VScode Remote Tunnel",
|
|
"sha256": "d6fa3f4e6eefb62df2be718d0947e519176fb25f046497c15158ef5116ca4088",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Establish VScode Remote Tunnel",
|
|
"sha256": "a41786ebd2dfbb03c42ea6bf3fdc405509199a39d2c76596d2106580b4e85706",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
|
|
"rule_name": "Processes with Trailing Spaces",
|
|
"sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"0c1e8fda-4f09-451e-bc77-a192b6cbfc32": {
|
|
"rule_name": "Potential Hex Payload Execution",
|
|
"sha256": "b50ace78d817688a156f23beb890b4697291938d084ca42129f8ecf1dcb8b0b0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
|
|
"rule_name": "Threat Intel IP Address Indicator Match",
|
|
"sha256": "73f1d7ac5e48ae941a948cf4fd8934aa63350e31aa9b81f06de2f8543783dd7d",
|
|
"type": "threat_match",
|
|
"version": 7
|
|
},
|
|
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "e9e92aa8e1ad67d6a76c1d863117e5661cf826a76f886d086ccb881e82884a23",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "5c9eb5418f67e5344018b20070d77c09629e1a8fd55f8bdf09e6f4d8e14b8d43",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
|
|
"rule_name": "Deprecated - Threat Intel Indicator Match",
|
|
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
|
|
"type": "threat_match",
|
|
"version": 204
|
|
},
|
|
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
|
|
"sha256": "dbe1ee653e8649143a8b2aa6c43f5f5661b1bbccfd106614feb092ddd050d25b",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
|
|
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
|
|
"sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
|
|
"rule_name": "Multiple Alerts Involving a User",
|
|
"sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
|
|
"rule_name": "Execution of File Written or Modified by Microsoft Office",
|
|
"sha256": "e5c5f267f119e9874c5b19c097244a7253714352e28e2fcc353b74d5c36bb3e4",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
|
|
"sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
|
|
"sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
|
|
"rule_name": "SharePoint Malware File Upload",
|
|
"sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
|
|
"rule_name": "GCP Service Account Key Creation",
|
|
"sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "bf7179d1b47194100baad37ed0a523ce816c9844de775a252e0c6a98cd5d3ebf",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
|
|
"rule_name": "rc.local/rc.common File Creation",
|
|
"sha256": "28070d788626c94266ca156adfce5e6d58d48df08e6103e0cfc4c1b1e7bb8ab5",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
|
|
"rule_name": "Netcat Listener Established via rlwrap",
|
|
"sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735",
|
|
"type": "threshold",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "b6fe17ae61cabf399f3502a59bd831e6a43b9d29f19787c3623981dc44eec698",
|
|
"type": "threshold",
|
|
"version": 310
|
|
},
|
|
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
|
|
"rule_name": "Privilege Escalation via Root Crontab File Modification",
|
|
"sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
|
|
"rule_name": "AWS IAM Login Profile Added to User",
|
|
"sha256": "dff5cd6124560d135f2d7393f7c92da107c6f1993843cabdc031a2c21f69d7fd",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"10754992-28c7-4472-be5b-f3770fd04f2d": {
|
|
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
|
|
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
|
|
"rule_name": "WebProxy Settings Modification",
|
|
"sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"11013227-0301-4a8c-b150-4db924484475": {
|
|
"rule_name": "Abnormally Large DNS Response",
|
|
"sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
|
|
"sha256": "d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
|
|
"sha256": "e8f11b08f41d0af660c26c82752b4d5344f91cdc0fc98514b43577e6477977d6",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "aa018af3ba1144c484d88c95f262455130c03245c19a0d48b1f9e314be08333b",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "cd4ff3a06fa4ded3c35daf6785753a17cb5582a6ae1ad4a06a341c03c74b12a5",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a": {
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a5": {
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 113,
|
|
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
|
|
"sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2",
|
|
"type": "query",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
|
|
"sha256": "5da4a9373dd0e7d3e939dc5815ae14c28a0fedadefabad3b85e2e059b5cc1a24",
|
|
"type": "query",
|
|
"version": 114
|
|
},
|
|
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
|
|
"min_stack_version": "8.13",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
|
|
"sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
|
|
"sha256": "529c6c9afcecffe9bc1f09b979a34bc926f72b18aae363094788855893224f4e",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"12051077-0124-4394-9522-8f4f4db1d674": {
|
|
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
|
|
"sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
|
|
"sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
|
|
"sha256": "a979104cf9cc45e2deefe33c7763b2f7452f1cce582e84c1036d8659251e76e9",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
|
|
"rule_name": "AWS Lambda Function Created or Updated",
|
|
"sha256": "034e4008a61db1376ed832a2c197463f0db3f4a325e879f200fc0180f30cdc17",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"128468bf-cab1-4637-99ea-fdf3780a4609": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Suspicious Lsass Process Access",
|
|
"sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Lsass Process Access",
|
|
"sha256": "c7b2febcd7a93457f53f7d4c52aad131a4116e9f93d76437d261111f09423eca",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"12cbf709-69e8-4055-94f9-24314385c27e": {
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "6f467e2189a55fb44966834223c32fb6509c57dd21bcdff69b4f6e2ec920aeff",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"12de29d4-bbb0-4eef-b687-857e8a163870": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
|
|
"sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
|
|
"sha256": "4bbc3bd2b9452e05e7e5829db2c77881e9bd34accc89ae0ee089e96ed991a0d0",
|
|
"type": "eql",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
|
|
"sha256": "20059209c3052442c7ed5c5a377f07f5900366dd533db5b237c40a4f03968c49",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "fe4ba438fce303e2daf224812c4bd214f595f651161a5e587cc2d2e50dda76ee",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "2948ee0b531e8ccedd058b6ffb287bbd8285049d41818d9af4a814c1705e8765",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 410,
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "88943865100dbcb63138fc9fc3e1c81fcd227f586956038e529e688b71384ceb",
|
|
"type": "eql",
|
|
"version": 311
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "9ffa543a06d0f2ad3662845e6fa645986ce32abf6fdd1a341eb3cb92a2c2e4c2",
|
|
"type": "eql",
|
|
"version": 411
|
|
},
|
|
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
|
|
"rule_name": "Rare User Logon",
|
|
"sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
|
|
"sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7",
|
|
"type": "threshold",
|
|
"version": 7
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
|
|
"sha256": "ac05cb0b596f7532273a85d11c32fdb6302791693df41953a29630139fe66853",
|
|
"type": "threshold",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
|
|
"sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd",
|
|
"type": "threshold",
|
|
"version": 207
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
|
|
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score",
|
|
"sha256": "6f94ca87d3b3519fd810a9fdc1a9a04afdea58ca913b4b4dc9e9be63ed77cec0",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
|
|
"rule_name": "Azure External Guest User Invitation",
|
|
"sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "6f7487c7e356c40aec2caceb15dce0977070fac0869a8f73757b0d4986b15113",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"14dab405-5dd9-450c-8106-72951af2391f": {
|
|
"min_stack_version": "8.13",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Office Test Registry Persistence",
|
|
"sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Office Test Registry Persistence",
|
|
"sha256": "e0673b4aff07f3de4b7256ce50a44e6147759d3281b639adae677dff72feecbc",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "6349c839b9198d37d576fd976eaa2f85e6034f8ba89204b451ff0d11467cde5b",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "cd5c53102463d73641cecf06ff0109725f62f522ecbaba20de251787a79cb33f",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
|
|
"sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
|
|
"sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
|
|
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
|
|
"sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
|
|
"rule_name": "Execution from a Removable Media with Network Connection",
|
|
"sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Scheduled Task Execution at Scale via GPO",
|
|
"sha256": "5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26",
|
|
"type": "eql",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "Scheduled Task Execution at Scale via GPO",
|
|
"sha256": "14ea5e0fd126666fbc1f42f74fc27465bd18827b6a4a7aa6eb91a8a20c82dea1",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "afb44f5ed406ccfb9c40513c5e774867e961f22a9ac007320d0a4c1c31fb8cc0",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "43674c0e7d244957e0cecaf069f23652cb12fe5bee0b6d2dfb54c4bf6bd9160f",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"15dacaa0-5b90-466b-acab-63435a59701a": {
|
|
"rule_name": "Virtual Private Network Connection Attempt",
|
|
"sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"160896de-b66f-42cb-8fef-20f53a9006ea": {
|
|
"rule_name": "Potential Container Escape via Modified release_agent File",
|
|
"sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
|
|
"rule_name": "Azure Automation Runbook Created or Modified",
|
|
"sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"166727ab-6768-4e26-b80c-948b228ffc06": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "File Creation Time Changed",
|
|
"sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "File Creation Time Changed",
|
|
"sha256": "b50d36dbfeb9c4de02bafa12ca2bfce4a438b1ba628cf3c02d4f726079e3e1b8",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"16904215-2c95-4ac8-bf5c-12354e047192": {
|
|
"rule_name": "Potential Kerberos Attack via Bifrost",
|
|
"sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"16a52c14-7883-47af-8745-9357803f0d4c": {
|
|
"rule_name": "Component Object Model Hijacking",
|
|
"sha256": "b0696bdb5caeee166adb282c9d5183cbe4347a8d2fed7807235f3e34d613d7a4",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Startup/Logon Script added to Group Policy Object",
|
|
"sha256": "30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Startup/Logon Script added to Group Policy Object",
|
|
"sha256": "3a76496d25961498c7105d4962f1c5a68168264eadc61c4c51b20c602177f4d8",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"1719ee47-89b8-4407-9d55-6dff2629dd4c": {
|
|
"rule_name": "Persistence via a Windows Installer",
|
|
"sha256": "20685cfaedd2fe2b3471f27dca9cdbd6794180b2a0fe8045a0e6eef35ebd9c56",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
|
|
"sha256": "03de244ffc1915c80ee82688449c357f1f23252b911b441563cb5f95106f963e",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "2aa54fb200fbc2dc2a08134e4047e7d738718526afc740d255f2d4122be23a8a",
|
|
"type": "machine_learning",
|
|
"version": 207
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "aeb4741bd8e4ad54e3207d4a0c8f74feb21e04a61c42cca74da415224a2af13c",
|
|
"type": "machine_learning",
|
|
"version": 206
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "14d8f45b942a560b3b14732c25e7974f73d292f45a4e7918d19e53176371a601",
|
|
"type": "machine_learning",
|
|
"version": 207
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "e1c5e226e528ca5b94b5043313893ac737e6f289a6c7021011cbccbac374b8a0",
|
|
"type": "machine_learning",
|
|
"version": 206
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "1c6ce3b862feb23ee131c82cda24b91a71c155b8cfbc57d8deadf6782dc324eb",
|
|
"type": "machine_learning",
|
|
"version": 206
|
|
},
|
|
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
|
|
"rule_name": "Systemd Service Created",
|
|
"sha256": "b60b8f6f9625053ab6af246ddc30eb490e456bda7f66464b769de74b3309378a",
|
|
"type": "eql",
|
|
"version": 15
|
|
},
|
|
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Renamed Utility Executed with Short Program Name",
|
|
"sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Renamed Utility Executed with Short Program Name",
|
|
"sha256": "ace9eeca0b1a6ebcd4b65d9e2ae4bd2f36b8947c516f5d108e7f2e714efc8ddf",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "0bcbe426712010462b5b8c7b7e268f1c7edb9b662ab4b0db3cdb41c9ded8b7fa",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"181f6b23-3799-445e-9589-0018328a9e46": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Script Execution via Microsoft HTML Application",
|
|
"sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Script Execution via Microsoft HTML Application",
|
|
"sha256": "2c618a1e42c7a15f0b94f84bedbef7c477dfa17b3cac3d42205bf6cde5202f00",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Script Execution via Microsoft HTML Application",
|
|
"sha256": "684159701e9e3176c8ca83b06107285ec6e1aab78f1d1794866e3aa38cfaa963",
|
|
"type": "eql",
|
|
"version": 201
|
|
},
|
|
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
|
|
"rule_name": "GCP Logging Sink Modification",
|
|
"sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
|
|
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
|
|
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
|
|
"rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
|
|
"sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e",
|
|
"type": "threshold",
|
|
"version": 1
|
|
},
|
|
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
|
|
"rule_name": "Spike in Number of Connections Made to a Destination IP",
|
|
"sha256": "c06e03682393f75d7f4e7c47efac0a2a3bdc53865089656f9628b0e2129f33de",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"192657ba-ab0e-4901-89a2-911d611eee98": {
|
|
"rule_name": "Potential Persistence via File Modification",
|
|
"sha256": "abc2a9316141b799f35032d6ce4594520d1990765d3886ffe188c594fafd59a0",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
|
|
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
|
|
"sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
|
|
"rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
|
|
"sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
|
|
"rule_name": "Spike in Number of Processes in an RDP Session",
|
|
"sha256": "c02ce126b5e2476c4b0957b0c3ef37a9b2dba70091c0f7164a46bc10a7ebdcd4",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
|
|
"rule_name": "Suspicious Network Tool Launched Inside A Container",
|
|
"sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
|
|
"rule_name": "Azure Application Credential Modification",
|
|
"sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "378075d3770551eeae56e8ea53ab1cd46b454659bb893501cf1d289db20b6fb4",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "45e3cf83135b3ec25c35cb029422968d7a5094dea02895e0490145fa04586340",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "0f3e13b35064dbdad29e0f2b80895fc844346955c595402ce66bd632d1e1e524",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "9af12b0253eeb5e99e162b69240851ba05f9a54cc8abecb25c973288e57cf7e5",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
|
|
"rule_name": "Process Created with a Duplicated Token",
|
|
"sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
|
|
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
|
|
"sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
|
|
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
|
|
"sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
|
|
"rule_name": "Potential Process Injection from Malicious Document",
|
|
"sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
|
|
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
|
|
"sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
|
|
"rule_name": "Suspicious File Creation in /etc for Persistence",
|
|
"sha256": "ae500dfb91fef53e60123090127f7daaf307a63a988ad01fc07d30ed8c8fc368",
|
|
"type": "eql",
|
|
"version": 116
|
|
},
|
|
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
|
|
"rule_name": "Azure Kubernetes Rolebindings Created",
|
|
"sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1ca62f14-4787-4913-b7af-df11745a49da": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "New GitHub App Installed",
|
|
"sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "New GitHub App Installed",
|
|
"sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Incoming Execution via WinRM Remote Shell",
|
|
"sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Incoming Execution via WinRM Remote Shell",
|
|
"sha256": "413e3eff92ab72f06e4cef563d06cb6fee44cc7c59fd54e342da4d6097e914b6",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Okta Sign-In Events via Third-Party IdP",
|
|
"sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Okta Sign-In Events via Third-Party IdP",
|
|
"sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"1d276579-3380-4095-ad38-e596a01bc64f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Remote File Download via Script Interpreter",
|
|
"sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Remote File Download via Script Interpreter",
|
|
"sha256": "6f27265db635c4e5a27af29fa64198dfa96b707802e5ccc7cba6609498d3543e",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
|
|
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
|
|
"sha256": "becc05324f5f605086badfd23a1e969801e19931eb7ae06312657e19eac4175d",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
|
|
"rule_name": "External IP Lookup from Non-Browser Process",
|
|
"sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
|
|
"sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
|
|
"sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "ab6031b77ee7e33386e09b6709ad7d1ab82280dbfda90557b8d4b617f07ee4a2",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "efc56fdcfe6bda16119359923755ab32f6703b8de3c44f536d1335dabbd59c93",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
|
|
"rule_name": "Suspicious Inter-Process Communication via Outlook",
|
|
"sha256": "181668624cb2b4bcc36606deec8dd31b109407ea7b1591438578d01cdce15dce",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "86f5fcf575f0f6c1addf031e30cf8e4bf984916f511300021ddd5d036bf4792d",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
|
|
"rule_name": "Potential Linux Hack Tool Launched",
|
|
"sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "PowerShell Script with Discovery Capabilities",
|
|
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "PowerShell Script with Discovery Capabilities",
|
|
"sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
|
|
"type": "query",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Discovery Capabilities",
|
|
"sha256": "54e718a88b4a68d227e6b66b126f993aa778b036deb6f8be5b61951c298f111f",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"1e0b832e-957e-43ae-b319-db82d228c908": {
|
|
"rule_name": "Azure Storage Account Key Regenerated",
|
|
"sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Creation of a DNS-Named Record",
|
|
"sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Creation of a DNS-Named Record",
|
|
"sha256": "5accab0498d68d3aea14b3f15cb0cfde813706bc712ed95d37e68281a4e3750c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "Creation of SettingContent-ms Files",
|
|
"sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Creation of SettingContent-ms Files",
|
|
"sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
|
|
"sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
|
|
"sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
|
|
"rule_name": "Unusual Sudo Activity",
|
|
"sha256": "1b4afd134fbb5d5c1cb57e6672f3fbcc22b63ae075701aa614af5619f80cff4e",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 109,
|
|
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
|
|
"sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
|
|
"sha256": "eeebabf5497517642690f0b238295c5f9f09396305832e4b067a3d788067bee9",
|
|
"type": "query",
|
|
"version": 110
|
|
},
|
|
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS Signin Single Factor Console Login with Federated User",
|
|
"sha256": "5615d41bfc71884b3d207932c4421f434757b249aa207250e50b97b10d25315f",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Unusual Process Execution on WBEM Path",
|
|
"sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process Execution on WBEM Path",
|
|
"sha256": "13b48a7591f9b468f310bbdcd36b045d671d36396a0d86129881eb16289c32fa",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
|
|
"rule_name": "Unusual Linux User Calling the Metadata Service",
|
|
"sha256": "1020c70dcaf191d3b48430a916809caba50985d924ebc5a379d1de8c0dc3fca9",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "edb91b7c64bd8e744fac58ccc66f711fb22f4daf41dde169c4e8be954d4d2b81",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"rule_name": "Exploit - Detected - Elastic Endgame",
|
|
"sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "c69929f38a28448280307676118534bb0928728d16c0269577d27e957d21011e",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "1a866e733aa7ce66be8425aa24bf02efd91c98b7dce86a22fab32584ef096ac1",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"202829f6-0271-4e88-b882-11a655c590d4": {
|
|
"rule_name": "Executable Masquerading as Kernel Process",
|
|
"sha256": "6ad1b642bad962d9940a85ca08a1032187176ae60ef68d10052b7a025ecdea46",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "1e793bac94cf744476de8ec10572545b6000ddfafffe37170ddb870c9b5c8d94",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "4271caa450f1e1e8420eee5f49d3481396358bdee6fa3480756e5ce91adde73a",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
|
|
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
|
|
"sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
|
|
"rule_name": "Suspicious Web Browser Sensitive File Access",
|
|
"sha256": "f285de9c9bf8851c505323409cd2daf9c3f4f430c5bae5b68541220f7acf0fbd",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"205b52c4-9c28-4af4-8979-935f3278d61a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Werfault ReflectDebugger Persistence",
|
|
"sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 201,
|
|
"rule_name": "Werfault ReflectDebugger Persistence",
|
|
"sha256": "606f8fb96e10d28c3f078e71f4be2fa3c1806eac4331c217010c3e5404457407",
|
|
"type": "eql",
|
|
"version": 102
|
|
}
|
|
},
|
|
"rule_name": "Werfault ReflectDebugger Persistence",
|
|
"sha256": "dedd11f2f7e4c43edba25c00b1deddb8fcd93f7c17a384a0ff0e086781d74caa",
|
|
"type": "eql",
|
|
"version": 202
|
|
},
|
|
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "LSASS Memory Dump Handle Access",
|
|
"sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "LSASS Memory Dump Handle Access",
|
|
"sha256": "8f0e6c0741fc802300e26ea71da63f8ece28e9b054d35e452de4e7d78bc634a5",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
|
|
"rule_name": "Auditd Max Login Sessions",
|
|
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"210d4430-b371-470e-b879-80b7182aa75e": {
|
|
"rule_name": "Mofcomp Activity",
|
|
"sha256": "c154de44212ce97be6bf2064228454a7baeb68ef036313f325ecbef08dfb1184",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
|
|
"rule_name": "Potential Reverse Shell via Child",
|
|
"sha256": "52be9ea43b199f813b9c25ab2637afd7569a16c06703b7dc7f5151925b0b2853",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
|
|
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
|
|
"sha256": "5123093932b6f544cf28a9f7f30a22658848fa12289e7f1c21584d21a79e2354",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
|
|
"sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
|
|
"sha256": "30c368664c1bd007c6f25e8f4815c47ba84d8626a03680a17f4d9e672cd6b61d",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
|
|
"rule_name": "SSH Authorized Keys File Modification",
|
|
"sha256": "5950490a263aef327d0d6b9b4f9c83dd9eeb655207043afab349082a0d04e0e9",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"22599847-5d13-48cb-8872-5796fee8692b": {
|
|
"rule_name": "SUNBURST Command and Control Activity",
|
|
"sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
|
|
"rule_name": "GCP Storage Bucket Permissions Modification",
|
|
"sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
|
|
"rule_name": "Kernel Module Load via insmod",
|
|
"sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"2377946d-0f01-4957-8812-6878985f515d": {
|
|
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
|
|
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
|
|
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
|
|
"sha256": "3f418fe503710182cb6ee9cfde5fad9281638f086f4441f882e8c13dbfdaccaa",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.13": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
|
|
"sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1",
|
|
"type": "esql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
|
|
"sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1",
|
|
"type": "esql",
|
|
"version": 103
|
|
},
|
|
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "New GitHub Owner Added",
|
|
"sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "New GitHub Owner Added",
|
|
"sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "2fa971d8349cceea534e945ac39e6dc74a0af458533c1ccbca9f544f5f4b2a7c",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "274df472a867247fc2de690c81bfcb03b32b4ed67e0cc46c3a64d40fd0231c44",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Potential PowerShell HackTool Script by Author",
|
|
"sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential PowerShell HackTool Script by Author",
|
|
"sha256": "01735177fce51c42923f16c612bbf247992c18fbc96e57a1b72c571807c334eb",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
|
|
"rule_name": "Potential Reverse Shell via Background Process",
|
|
"sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"25d917c4-aa3c-4111-974c-286c0312ff95": {
|
|
"rule_name": "Network Activity Detected via Kworker",
|
|
"sha256": "6c823634705c69de0120c2254520b0a79b53891b3f5af608fab3f07a2f04ec3b",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
|
|
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
|
|
"sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "New Okta Authentication Behavior Detected",
|
|
"sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "New Okta Authentication Behavior Detected",
|
|
"sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"2605aa59-29ac-4662-afad-8d86257c7c91": {
|
|
"rule_name": "Potential Suspicious DebugFS Root Device Access",
|
|
"sha256": "c48d98b19af215d3015bf2ae376ddaf8e9cf52396b7d8c7ecc202a8dd07e6ca7",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"263481c8-1e9b-492e-912d-d1760707f810": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Potential Relay Attack against a Domain Controller",
|
|
"sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2",
|
|
"type": "eql",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Potential Relay Attack against a Domain Controller",
|
|
"sha256": "42c3946d99b19b6c84dd284fe024b606c61cd8cbf26ccf17a957a92f9ac8f441",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
|
|
"rule_name": "Azure Blob Container Access Level Modification",
|
|
"sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "535792c8a18d108f65af67d434bd5befcc35f6422b87accce90f5cf7fcda3f7e",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "63d4edaeb49856654125035d9376493bf4182f432dffc0f6dd69eef84bf81441",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
|
|
"rule_name": "Potential Defense Evasion via Doas",
|
|
"sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
|
|
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
|
|
"sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"26edba02-6979-4bce-920a-70b080a7be81": {
|
|
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
|
|
"sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
|
|
"min_stack_version": "8.13",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
|
|
"sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4",
|
|
"type": "esql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
|
|
"sha256": "defedded1b250e59f79608e335fc198ae97d2dcae4a0ac4386e61630388a1c70",
|
|
"type": "esql",
|
|
"version": 311
|
|
},
|
|
"27071ea3-e806-4697-8abc-e22c92aa4293": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "PowerShell Script with Archive Compression Capabilities",
|
|
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "PowerShell Script with Archive Compression Capabilities",
|
|
"sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95",
|
|
"type": "query",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Archive Compression Capabilities",
|
|
"sha256": "4a3e6bf68329d70f058be24f7904ce234a26b57c38972ad33ff103a9e00f78a9",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"2724808c-ba5d-48b2-86d2-0002103df753": {
|
|
"rule_name": "Attempt to Clear Kernel Ring Buffer",
|
|
"sha256": "25e2ab660e4188ceba62e4820957228cb86abad97ae790a7202ba5b2531e345f",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"272a6484-2663-46db-a532-ef734bf9a796": {
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
|
|
"sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"2772264c-6fb9-4d9d-9014-b416eed21254": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Incoming Execution via PowerShell Remoting",
|
|
"sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Incoming Execution via PowerShell Remoting",
|
|
"sha256": "30c7423c5023c7e2a06f2b998a346e1a90ca192c24819613312d92d5f7e37117",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
|
|
"rule_name": "GCP Firewall Rule Modification",
|
|
"sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
|
|
"rule_name": "Microsoft 365 Teams External Access Enabled",
|
|
"sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 215,
|
|
"rule_name": "Account Password Reset Remotely",
|
|
"sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799",
|
|
"type": "eql",
|
|
"version": 116
|
|
}
|
|
},
|
|
"rule_name": "Account Password Reset Remotely",
|
|
"sha256": "8adb8b82a3d53207484f625914ee09d91378639f23dfaf99e0c5e4e504e7323b",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
|
|
"sha256": "f869eb5fd1ce73193d75b85ad5bee9347325c5b60329c8274b00d1807a867977",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Account Discovery Command via SYSTEM Account",
|
|
"sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Account Discovery Command via SYSTEM Account",
|
|
"sha256": "2b775cfcd03f8ddcaab836d20fc03e2cd95cd89e3e8e729f6f6ea92f1e16bca4",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"rule_name": "Exploit - Prevented - Elastic Endgame",
|
|
"sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"28738f9f-7427-4d23-bc69-756708b5f624": {
|
|
"rule_name": "Suspicious File Changes Activity Detected",
|
|
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"28896382-7d4f-4d50-9b72-67091901fd26": {
|
|
"rule_name": "Suspicious Process from Conhost",
|
|
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
|
|
"rule_name": "AWS STS Role Assumption by User",
|
|
"sha256": "2988f8c5e5774464830730c7672f895c27574e37db7a0dd42027d9e4617f69f4",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"28bc620d-b2f7-4132-b372-f77953881d05": {
|
|
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
|
|
"sha256": "50b88f12b91fe3feb9118bf703666cee8eef3f3a6c36a426e7b43936ed0e50e2",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"28d39238-0c01-420a-b77a-24e5a7378663": {
|
|
"rule_name": "Sudo Command Enumeration Detected",
|
|
"sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
|
|
"rule_name": "Privilege Escalation via SUID/SGID",
|
|
"sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
|
|
"rule_name": "Shell Configuration Creation or Modification",
|
|
"sha256": "82a1df00e80a4d2e8c1cbcdef1cbc52c47bca472993056876a09f27981ed2fe6",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
|
|
"rule_name": "AWS EC2 Security Group Configuration Change",
|
|
"sha256": "48882709d629f366aa2742f2930bda9d8520aa354b7a9df6ecb07e58d3ce6a95",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"290aca65-e94d-403b-ba0f-62f320e63f51": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
|
|
"sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
|
|
"sha256": "d5889d6fb11d2ccc008cab9342767cacc97ce35cad65e947b0e808f8dd323e78",
|
|
"type": "eql",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
|
|
"sha256": "891e2a84a8bee293f84e2d2d2fb5755a5677ceb079a6adbd7cd800fd88b6a889",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"2917d495-59bd-4250-b395-c29409b76086": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
|
|
"sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 414,
|
|
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
|
|
"sha256": "a8eb3f78278925242ed765acb2a2d0e95ccd361a73e67ba655fb6137b82acfb7",
|
|
"type": "eql",
|
|
"version": 315
|
|
}
|
|
},
|
|
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
|
|
"sha256": "e685ec880f93003d916f83c558301d788cc0671883fab6eebc79fe744f7c4c2b",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Enumeration of Privileged Local Groups Membership",
|
|
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
|
|
"type": "new_terms",
|
|
"version": 211
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 414,
|
|
"rule_name": "Enumeration of Privileged Local Groups Membership",
|
|
"sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4",
|
|
"type": "new_terms",
|
|
"version": 315
|
|
}
|
|
},
|
|
"rule_name": "Enumeration of Privileged Local Groups Membership",
|
|
"sha256": "6b9ddb99af8aebdf137ebdbc012a627a5c96f21ad7dfab54a26dc16d5763ed3d",
|
|
"type": "new_terms",
|
|
"version": 415
|
|
},
|
|
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
|
|
"sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
|
|
"sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"29ef5686-9b93-433e-91b5-683911094698": {
|
|
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
|
|
"sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
|
|
"rule_name": "Linux SSH X11 Forwarding",
|
|
"sha256": "2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"2a692072-d78d-42f3-a48a-775677d79c4e": {
|
|
"rule_name": "Potential Code Execution via Postgresql",
|
|
"sha256": "31193d1ef0348a443dc4c9605b4f62d6242633a24281f63b10519a48bb6178b4",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
|
|
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
|
|
"sha256": "dc8b0a2fc0d7fa52084bd9ff94ef01de5dbafce96fa29a0e89c89ef27ab8e9a7",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
|
|
"rule_name": "ESXI Discovery via Grep",
|
|
"sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 413,
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "444405e37e8e57d20939866f5b78a3a70eb14ff1533a0524f612c56daa2ce62a",
|
|
"type": "eql",
|
|
"version": 314
|
|
}
|
|
},
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "98e76c4e7dfdfd6f4b1bbc860b8d1ded5399f58cf113baa58e96cbb4c2c34f65",
|
|
"type": "eql",
|
|
"version": 414
|
|
},
|
|
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Windows Defender Exclusions Added via PowerShell",
|
|
"sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Windows Defender Exclusions Added via PowerShell",
|
|
"sha256": "035b963e8b20d330a6df9c8b7bf1ff3812c17492b17c6f32dea5100d031289e9",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Windows Defender Exclusions Added via PowerShell",
|
|
"sha256": "ba6ccf2fd7102484bab3ab16542b8c07903d577a967904103c08bbfde581d055",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
|
|
"sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
|
|
"sha256": "9cb101dff02725a228ac6abd8ec38be725b6f0375a41b27f1ce6e446fa009463",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Potential Foxmail Exploitation",
|
|
"sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Potential Foxmail Exploitation",
|
|
"sha256": "677b62dc3502ba3192802220e5c25de4e44c1c068cc4cbb54124820c29ce13f2",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Potential Foxmail Exploitation",
|
|
"sha256": "2cbfc9b78f91dc490e73a2fda8ca38737b819a786d7912db3d0dee69983a971d",
|
|
"type": "eql",
|
|
"version": 202
|
|
},
|
|
"2d62889e-e758-4c5e-b57e-c735914ee32a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Suspicious PowerShell Execution via Windows Scripts",
|
|
"sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Suspicious PowerShell Execution via Windows Scripts",
|
|
"sha256": "a80f52e2d0f126a7c18db7078056274ede0a847de4047bf98ab6fdeb58beef17",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Suspicious PowerShell Execution via Windows Scripts",
|
|
"sha256": "f343d88c98d36193572a1726eef142417d8f9af99eb57da610bd75e4c1a79d9d",
|
|
"type": "eql",
|
|
"version": 201
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "e476a54ff58dbe2b9ad2df9aa0a9e110cdaa9b7f6adea0b3fa77bd0f4638913c",
|
|
"type": "new_terms",
|
|
"version": 210
|
|
},
|
|
"2dd480be-1263-4d9c-8672-172928f6789a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Suspicious Process Access via Direct System Call",
|
|
"sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Process Access via Direct System Call",
|
|
"sha256": "ddbbefc59783e983723d68990ec3bed4228de396458b94ed38fdc10ade8d9c9d",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
|
|
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
|
|
"sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"2de10e77-c144-4e69-afb7-344e7127abd0": {
|
|
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
|
|
"sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46",
|
|
"type": "threshold",
|
|
"version": 207
|
|
},
|
|
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "Wireless Credential Dumping using Netsh Command",
|
|
"sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Wireless Credential Dumping using Netsh Command",
|
|
"sha256": "903805e8cc42654adfa662e19eab1b40069bf11b67935e85d3d175c3a969514a",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Wireless Credential Dumping using Netsh Command",
|
|
"sha256": "1e0176ef079975e1f7800254fbb79354318b4765c236b9cbb67f9ade42b3fa4f",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Renamed AutoIt Scripts Interpreter",
|
|
"sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Renamed AutoIt Scripts Interpreter",
|
|
"sha256": "868e3c2f1a196ebbc4dd930f064d4c6b6e935ec882160043674baf64605134b0",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Potential Process Injection via PowerShell",
|
|
"sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029",
|
|
"type": "query",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Potential Process Injection via PowerShell",
|
|
"sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855",
|
|
"type": "query",
|
|
"version": 213
|
|
},
|
|
"2e311539-cd88-4a85-a301-04f38795007c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Accessing Outlook Data Files",
|
|
"sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Accessing Outlook Data Files",
|
|
"sha256": "cbd45fc062e5bcef6a93a19f9d01b6f8d1fcd038fff47b19a5adb99569cdd378",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Okta User Sessions Started from Different Geolocations",
|
|
"sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
|
|
"type": "threshold",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Okta User Sessions Started from Different Geolocations",
|
|
"sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac",
|
|
"type": "esql",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Okta User Sessions Started from Different Geolocations",
|
|
"sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac",
|
|
"type": "esql",
|
|
"version": 203
|
|
},
|
|
"2e580225-2a58-48ef-938b-572933be06fe": {
|
|
"rule_name": "Halfbaked Command and Control Beacon",
|
|
"sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Creation of a Hidden Local User Account",
|
|
"sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Creation of a Hidden Local User Account",
|
|
"sha256": "a3f55a20eb34eb9f050c14ebec723bf8910a29329d76e98fee0fa59c90d5d247",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Creation of a Hidden Local User Account",
|
|
"sha256": "19b7467f53896db1e8c5f00dde89e1ac429dc7e8125d433e5c4aac81a6f41de2",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
|
|
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
|
|
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
|
|
"sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
|
|
"type": "query",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
|
|
"sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "b1a7d12998e1efd7ea299012dcf84947b7b732b5d5acaf875515adc5e0289cf9",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"2f95540c-923e-4f57-9dae-de30169c68b9": {
|
|
"rule_name": "Suspicious /proc/maps Discovery",
|
|
"sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
|
|
"rule_name": "Startup Folder Persistence via Unsigned Process",
|
|
"sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 214,
|
|
"rule_name": "Windows Defender Disabled via Registry Modification",
|
|
"sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b",
|
|
"type": "eql",
|
|
"version": 115
|
|
}
|
|
},
|
|
"rule_name": "Windows Defender Disabled via Registry Modification",
|
|
"sha256": "2fc498a71ba2f88f7d63796eca1ee83dbe34d62673590eba2f4b869845a5cb02",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"301571f3-b316-4969-8dd0-7917410030d3": {
|
|
"rule_name": "Malicious Remote File Creation",
|
|
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"30562697-9859-4ae0-a8c5-dab45d664170": {
|
|
"rule_name": "GCP Firewall Rule Creation",
|
|
"sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"30b5bb96-c7db-492c-80e9-1eab00db580b": {
|
|
"rule_name": "AWS S3 Object Versioning Suspended",
|
|
"sha256": "16e9f3ed67d6796c3a8d6b7fae2c3432ecec1180bccc33240b81d05c0d654d22",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
|
|
"rule_name": "ESXI Timestomping using Touch Command",
|
|
"sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
|
|
"rule_name": "Network Connection via Sudo Binary",
|
|
"sha256": "b469b8c3a65e085d1a09370ef4bf02f1feb2e98f438d6af4c42d1495c1959385",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
|
|
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
|
|
"sha256": "a0060f1d4d4a006b66f4dad527c7bf963002cf71864a361f0c45f7959030f08f",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
|
|
"rule_name": "Agent Spoofing - Mismatched Agent ID",
|
|
"sha256": "ec70ea76f2b63b214733972e4c42caadfa150fe1b0efa06b5d369bdcf5d80129",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
|
|
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
|
|
"sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "3a5ba368eb9c20041f39f0ccb099b88622f09abeeca8836f0978e004928922e6",
|
|
"type": "eql",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "7636e829317fb6054a6324982a7342705e13d8712bd9297b1e16195419b0edbb",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"3202e172-01b1-4738-a932-d024c514ba72": {
|
|
"rule_name": "GCP Pub/Sub Topic Deletion",
|
|
"sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"32300431-c2d5-432d-8ec8-0e03f9924756": {
|
|
"rule_name": "Network Connection from Binary with RWX Memory Region",
|
|
"sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"323cb487-279d-4218-bcbd-a568efe930c6": {
|
|
"rule_name": "Azure Network Watcher Deletion",
|
|
"sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "bd14c9e18b459c255249f0f5e5e5d3fb94b2c32186ea0e40eb3847cf3da62ac3",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Program Files Directory Masquerading",
|
|
"sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Program Files Directory Masquerading",
|
|
"sha256": "b971172eccda841cf458753c2173ec71dad386098f0aecce8d402912cc50f630",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Program Files Directory Masquerading",
|
|
"sha256": "7118d989ba0d5e6e0b2a80bb486a7a93738b35454c185aa6edf9e558ca1662d3",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
|
|
"rule_name": "Microsoft 365 Portal Login from Rare Location",
|
|
"sha256": "3e3186fdaf81508055217cd52ac7b74d8c88bda2fca0eca7f8e1b3b573b7cd02",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 414,
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "52d170ebae7e61e5c4726ce76d29b5b2e9d7026e32a550e9d5012f02f0e50f8d",
|
|
"type": "eql",
|
|
"version": 315
|
|
}
|
|
},
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "647dc0c3fd2b8dffd212c282c77861aaa9c16dc0a23e442c48d168eb333f8ae7",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"3302835b-0049-4004-a325-660b1fba1f67": {
|
|
"rule_name": "Directory Creation in /bin directory",
|
|
"sha256": "f412ce479acffee82949aed77160fece5ab382dbec5d754ae3c3fdf213e61712",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
|
|
"rule_name": "AWS IAM User Addition to Group",
|
|
"sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
|
|
"rule_name": "ESXI Discovery via Find",
|
|
"sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
|
|
"rule_name": "Remote File Download via PowerShell",
|
|
"sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"342f834b-21a6-41bf-878c-87d116eba3ee": {
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container",
|
|
"sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "GitHub Repository Deleted",
|
|
"sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
|
|
"type": "eql",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "GitHub Repository Deleted",
|
|
"sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"349276c0-5fcf-11ef-b1a9-f661ea17fbce": {
|
|
"rule_name": "AWS CLI Command with Custom Endpoint URL",
|
|
"sha256": "cf3130f23b44875cbdc95a497a47b56ca8d3eddfd51b8275318b17028b7f5e56",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"rule_name": "Accepted Default Telnet Port Connection",
|
|
"sha256": "d4d536d179c2456b42cc7463e03bb7cc9e7f6b8fc478a861c31138ba803c957a",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
|
|
"rule_name": "Execution via Electron Child Process Node.js Module",
|
|
"sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Port Forwarding Rule Addition",
|
|
"sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 412,
|
|
"rule_name": "Port Forwarding Rule Addition",
|
|
"sha256": "a5d70c0995622fa1e034a975d14f87929c6bb6032e2a8b710c5619638eeddef7",
|
|
"type": "eql",
|
|
"version": 313
|
|
}
|
|
},
|
|
"rule_name": "Port Forwarding Rule Addition",
|
|
"sha256": "1cc79e2c4f68e45ffdf9e7e58a3a627ca8fd4f5577008f4af3b2e0cc353dcd19",
|
|
"type": "eql",
|
|
"version": 413
|
|
},
|
|
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
|
|
"rule_name": "Spike in Bytes Sent to an External Device",
|
|
"sha256": "7f778783d142f64fbf3be96cbd7c5059a658dce8b1986144a77ebac82f8c9a58",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts",
|
|
"sha256": "b8a5a3e5d42986cc6784293804bea5aa15d3f3062fce2ed4740680f384718d88",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "ec66f5859b414a64af3fb50ecdd42328868c38c15d769091fbe8b212c4bfeb46",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "d4084427ba4202e29ea9d52ef3f7dbf75c97b4a6f1a10725f786c723d5659016",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"35f86980-1fb1-4dff-b311-3be941549c8d": {
|
|
"rule_name": "Network Traffic to Rare Destination Country",
|
|
"sha256": "4717b0d0eb76707afa4f290f2239c9c078684d413574d6615ec4c298bd38495c",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
|
|
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
|
|
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"3688577a-d196-11ec-90b0-f661ea17fbce": {
|
|
"rule_name": "Process Started from Process ID (PID) File",
|
|
"sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Suspicious ImagePath Service Creation",
|
|
"sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Suspicious ImagePath Service Creation",
|
|
"sha256": "d70480df37508e5a424c838ac5ccc1002758e722ac2e3a8fdb58ba327ec88eaf",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Suspicious ImagePath Service Creation",
|
|
"sha256": "6cb28ae624dbac6a4d47e720907a77cdf089d5b190a6cc3bbbc2cc16990dd488",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
|
|
"rule_name": "High Mean of Process Arguments in an RDP Session",
|
|
"sha256": "702a6f3a2433e5ad66e4dd17b555c7bc979578f8248e27744f421e12791d0780",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"3728c08d-9b70-456b-b6b8-007c7d246128": {
|
|
"rule_name": "Potential Suspicious File Edit",
|
|
"sha256": "bf74f549ef8c05505839770cb6d64489d48d766df1312cd3524c9d65450352dd",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
|
|
"rule_name": "AWS RDS Security Group Creation",
|
|
"sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"37994bca-0611-4500-ab67-5588afe73b77": {
|
|
"rule_name": "Azure Active Directory High Risk Sign-in",
|
|
"sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
|
|
"rule_name": "Anomalous Kernel Module Activity",
|
|
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
|
|
"rule_name": "AWS SSM `SendCommand` Execution by Rare User",
|
|
"sha256": "eaca01a4eabb8830d6e1829229535613f1f61dd22c301080198653b3cbbff971",
|
|
"type": "new_terms",
|
|
"version": 210
|
|
},
|
|
"37f638ea-909d-4f94-9248-edd21e4a9906": {
|
|
"rule_name": "Finder Sync Plugin Registered and Enabled",
|
|
"sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4",
|
|
"type": "query",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146",
|
|
"type": "query",
|
|
"version": 310
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 214,
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be",
|
|
"type": "eql",
|
|
"version": 115
|
|
}
|
|
},
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "a46ff963d1341267dc84e8cae348751c9602db28818d086bdbc2d06646e63071",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
|
|
"rule_name": "Prompt for Credentials with OSASCRIPT",
|
|
"sha256": "4082dec3872831be075b4437114dd49a7322440fc0f7650a4de37632a9a6b063",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
|
|
"rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations",
|
|
"sha256": "b27504fdf50603f2d3b2d98b424475dd42fa3e57f3331ab23a5b8290dde2302d",
|
|
"type": "threshold",
|
|
"version": 2
|
|
},
|
|
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
|
|
"rule_name": "User Added as Owner for Azure Service Principal",
|
|
"sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
|
|
"rule_name": "External User Added to Google Workspace Group",
|
|
"sha256": "c3493126c9accd6f626f2aa40ab74be96a664b87ceabce37843cf4e29b8414bc",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
|
|
"rule_name": "AWS EC2 Network Access Control List Creation",
|
|
"sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
|
|
"rule_name": "Downloaded Shortcut Files",
|
|
"sha256": "3734901c2dbce0d6f0b119ddff90fe866f68c2fc432c33ef166921f6ba83c1fd",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
|
|
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
|
|
"sha256": "c17aaffab1800f50439ea947e5d83bad847542dce0fa3a035bff758b4b41d5a6",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Persistence via Microsoft Outlook VBA",
|
|
"sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 306,
|
|
"rule_name": "Persistence via Microsoft Outlook VBA",
|
|
"sha256": "fbccc75ff02a26ccb579fc912dbe3bf5e26a7b1c0e7f2084425a15d680bda382",
|
|
"type": "eql",
|
|
"version": 207
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Microsoft Outlook VBA",
|
|
"sha256": "33de23d497e65bf6580cc0881d00591732c13e58e5e35d309d5a9bc28346b5de",
|
|
"type": "eql",
|
|
"version": 307
|
|
},
|
|
"39c06367-b700-4380-848a-cab06e7afede": {
|
|
"rule_name": "Systemd Generator Created",
|
|
"sha256": "b336dcc55cb6d9c74fd8f467faab033cf4e5c408d97b06a750b73840b1ba098b",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Potential DNS Tunneling via NsLookup",
|
|
"sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Potential DNS Tunneling via NsLookup",
|
|
"sha256": "d12e9ea8b95150ad9d1665a105aed34e99914c20b08bab4f9397c47f325e4c10",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Potential DNS Tunneling via NsLookup",
|
|
"sha256": "d871f50940eccfb6ba880998b63207b59ad3a087325d70f116c2cd1933b25a2b",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
|
|
"rule_name": "Suspicious Module Loaded by LSASS",
|
|
"sha256": "372861b3a0dbd56bd07c70db72fade23ea4a42e3e23bb7f2abdcb213da4ebc17",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"3a657da0-1df2-11ef-a327-f661ea17fbcc": {
|
|
"min_stack_version": "8.13",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Rapid7 Threat Command CVEs Correlation",
|
|
"sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1",
|
|
"type": "threat_match",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Rapid7 Threat Command CVEs Correlation",
|
|
"sha256": "84bf983155b5e76077e32a0adf47cc76be94453dbd39a996d7cb55b112a6eb99",
|
|
"type": "threat_match",
|
|
"version": 103
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "7201f6b6243d0d0dc0eac73fe827a1ffb624b049a65a51c6841c687ffe51721f",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
|
|
"rule_name": "Azure Full Network Packet Capture Detected",
|
|
"sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence of IP Address For GitHub User",
|
|
"sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of IP Address For GitHub User",
|
|
"sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"rule_name": "Malware - Prevented - Elastic Endgame",
|
|
"sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Unusual Parent Process for cmd.exe",
|
|
"sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 412,
|
|
"rule_name": "Unusual Parent Process for cmd.exe",
|
|
"sha256": "fc39f2acde3920cf811fffeba7c26a81cdba43f00f44e9649e96c6638439f59c",
|
|
"type": "eql",
|
|
"version": 313
|
|
}
|
|
},
|
|
"rule_name": "Unusual Parent Process for cmd.exe",
|
|
"sha256": "6607d2b148d51566de12ce0fadb3f13c90bb62e32b04a73759da7217d76f611a",
|
|
"type": "eql",
|
|
"version": 413
|
|
},
|
|
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "NTDS or SAM Database File Copied",
|
|
"sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "NTDS or SAM Database File Copied",
|
|
"sha256": "7dbd101cfc60e0f4febc19c31533e12bb0a1abb9ecb7563306f9f11e42d65fdf",
|
|
"type": "eql",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "NTDS or SAM Database File Copied",
|
|
"sha256": "efc4be7065fb21dda602cb05f908b052088f468c4d5895557352b0bb7b435b0b",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "c9f2e221dc5c9b631010dd7a284367f67e996150f41da955b0bcb0608b3c0358",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
|
|
"sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 201,
|
|
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
|
|
"sha256": "73219570f39fd74e63d334cf190ecad1456cf55d17635400acccced12f4145db",
|
|
"type": "eql",
|
|
"version": 102
|
|
}
|
|
},
|
|
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
|
|
"sha256": "152d719bdeb4edfad363cab37bbcfc8cba76396e6167e9191f3cee7e4ea76042",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "PowerShell Script with Log Clear Capabilities",
|
|
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "PowerShell Script with Log Clear Capabilities",
|
|
"sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972",
|
|
"type": "query",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Log Clear Capabilities",
|
|
"sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
|
|
"rule_name": "AWS SNS Email Subscription by Rare User",
|
|
"sha256": "3782f3b4a3f1178ef89a11153e95f81c46ce674abc47b6c266753a0216a05c5c",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
|
|
"rule_name": "Spike in Number of Connections Made from a Source IP",
|
|
"sha256": "12c6038b69842f3fafbe9f2dd9630e0d41734d2b8678ebefe442944fe4a7595f",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
|
|
"sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
|
|
"sha256": "80ec99e7e9c7ceb86a2819a92409d1afbf4232a8603b961b1c2a06d3d5fec295",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
|
|
"sha256": "ed255a3528818035e55fb704799e92c28c150eb25062d2a1f17bcb57f7606766",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
|
|
"rule_name": "Kernel Driver Load",
|
|
"sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"3e3d15c6-1509-479a-b125-21718372157e": {
|
|
"rule_name": "Suspicious Emond Child Process",
|
|
"sha256": "b6aae2c2f1319d6dfcfceea3d42f2c90a421b25587e321a4bcc543da9488b064",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
|
|
"rule_name": "Potential Remote File Execution via MSIEXEC",
|
|
"sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "495df18eb2e7fce9cab92e0daa1a6fc851b024af00ffe18364998f6349b22c9c",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "b3772a465fb94393a11a17110e5399564938138ce5e9a99952cecc8c7740c048",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "be4f79a2a38ca61332f643c365ce4e3776f3ff9a73f6887ef1aa6d67d5153a22",
|
|
"type": "eql",
|
|
"version": 308
|
|
},
|
|
"3efee4f0-182a-40a8-a835-102c68a4175d": {
|
|
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
|
|
"sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f",
|
|
"type": "threshold",
|
|
"version": 208
|
|
},
|
|
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
|
|
"rule_name": "CyberArk Privileged Access Security Error",
|
|
"sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
|
|
"rule_name": "Potential Protocol Tunneling via Chisel Client",
|
|
"sha256": "4cf0ffba6ff6f1228756a6782ad1152b613568a74869d6299a2bedf9881f9420",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
|
|
"rule_name": "Binary Executed from Shared Memory Directory",
|
|
"sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
|
|
"rule_name": "Process Discovery via Built-In Applications",
|
|
"sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
|
|
"rule_name": "Unusual Time or Day for an RDP Session",
|
|
"sha256": "da80ff0e6020c1f4b703d597ce09ad294629d13d57cddce31f7eac0eb7d51f16",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
|
|
"rule_name": "DNF Package Manager Plugin File Creation",
|
|
"sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Unusual Process Spawned by a User",
|
|
"sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process Spawned by a User",
|
|
"sha256": "201e146529ae1e7eeb0af4b0bc377ec5381676db3b1d5027332f45a8027f195e",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "GitHub User Blocked From Organization",
|
|
"sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "GitHub User Blocked From Organization",
|
|
"sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "189be13789b4fe9c8186eb9792601f98902e9e4f771519b7b2fa1a3730ac9783",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "d4f0b0b8e409cfc73e748281d83319870c4576cc95f3859d8935524d3bc92af0",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
|
|
"rule_name": "Suspicious Modprobe File Event",
|
|
"sha256": "d4f1d5fc1a70a2e0a60cefc3b2923c55452347f28b90e20a3625f397c32db48c",
|
|
"type": "new_terms",
|
|
"version": 108
|
|
},
|
|
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
|
|
"rule_name": "Unix Socket Connection",
|
|
"sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"416697ae-e468-4093-a93d-59661fa619ec": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "ef575bc7d7acfcd5bbcb58ad8207b7e652bf99f488da62ebd21d3f1f263c804c",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "00d4df4d402cbc68f54277c6595937da99601194d0c3c14f55b63bc2480f3d53",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence of User-Agent For a GitHub User",
|
|
"sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of User-Agent For a GitHub User",
|
|
"sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
|
|
"rule_name": "EggShell Backdoor Execution",
|
|
"sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS EC2 EBS Snapshot Shared with Another Account",
|
|
"sha256": "7f8925fab74497cb1c5a5be27e5fdd45c850feed6f57c4fd2e0f5997d9648c6f",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
|
|
"rule_name": "Potential Hidden Local User Account Creation",
|
|
"sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
|
|
"rule_name": "Mount Launched Inside a Privileged Container",
|
|
"sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
|
|
"rule_name": "Interactive Exec Command Launched Against A Running Container",
|
|
"sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8",
|
|
"type": "threshold",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669",
|
|
"type": "threshold",
|
|
"version": 311
|
|
},
|
|
"42eeee3d-947f-46d3-a14d-7036b962c266": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 109,
|
|
"rule_name": "Process Creation via Secondary Logon",
|
|
"sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Process Creation via Secondary Logon",
|
|
"sha256": "6674dfbc494de648492942264a74378878bd65349a373567ab79725690c27aba",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "fdcb136029096fba35b1435354f3b4a22f6dcab41a79c2096a9f6a69530cf553",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
|
|
"rule_name": "Linux User Added to Privileged Group",
|
|
"sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "55097fe7650ccd542aec1b7f2aa6cbd2363a7907f40ad5d19c69854a09f8a21e",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "d22e1212d466beeea462d473302315e0145664ef7364a5d7055e1e499b1d1543",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "041957d983301e74d0e06438e1ee8ac7badf8dd542f3a501ad94e29ad6bf27e4",
|
|
"type": "machine_learning",
|
|
"version": 207
|
|
},
|
|
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
|
|
"rule_name": "Potential Masquerading as VLC DLL",
|
|
"sha256": "7b04571af013a3c9cdefd27690c4a402e9f3399a0a5f61ccf9eb8180fe968af5",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 110,
|
|
"rule_name": "Multiple Vault Web Credentials Read",
|
|
"sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "Multiple Vault Web Credentials Read",
|
|
"sha256": "05a22c3ee9741e987667e6487211254de88c897b90832c45430c18a6b4582a38",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"453183fa-f903-11ee-8e88-f661ea17fbce": {
|
|
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
|
|
"sha256": "fe85472e289bd363341d59f4b9a362e21110fd6fb58902f400f3575b09f612a0",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
|
|
"sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
|
|
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
|
|
"sha256": "bc96c80774873e20fc93cc0aeb3cc34e08ce5f4b3109b4218de43a44228be7ed",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Windows Event Logs Cleared",
|
|
"sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27",
|
|
"type": "query",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Windows Event Logs Cleared",
|
|
"sha256": "868e3d06e6043e63111eb21f96849df3002b2a0f958afc5c12e623b3a3dcff8f",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"45d273fb-1dca-457d-9855-bcb302180c21": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Encrypting Files with WinRar or 7z",
|
|
"sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Encrypting Files with WinRar or 7z",
|
|
"sha256": "6389d9780340aa3eba76379358bc68062f775f8c23b81e15d7be509e7fcc87b2",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "7ad3e21c453191513dfe0e226519ce81d8d70e633876b9c5c611b097850e5c22",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "911870b02ee518a2da8c3f8f090cd4b295555c15a1be6cd1ebc0aa8b569b12e6",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "70ebcc9b4db135969838d698ab1670f702ef00ddc29111226b7fa8d6b0a95f7e",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "ef467b076c584bc58e0fb6a3391048706f314e25ebb970eb1c7861eaaac4eacc",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "816980152a0f36cc1d798d0b07b1c2c7814d4362233efb481d1f0525d8705fb1",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
|
|
"rule_name": "System V Init Script Created",
|
|
"sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034",
|
|
"type": "eql",
|
|
"version": 13
|
|
},
|
|
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
|
|
"rule_name": "Sensitive Files Compression Inside A Container",
|
|
"sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"476267ff-e44f-476e-99c1-04c78cb3769d": {
|
|
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
|
|
"sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
|
"sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
|
"sha256": "24516e60132d4debae6058458462d958f659d37c82f6f68ae24cb1af134fa428",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"47f76567-d58a-4fed-b32b-21f571e28910": {
|
|
"rule_name": "Apple Script Execution followed by Network Connection",
|
|
"sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "03e1e388a616fd76a913bb276b36b25a9a92ad0d3421a55ca134c175af61f971",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "927864e2de84459226772454150dfa72d9134da990b83c7f61d2f4621e2bd541",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"48819484-9826-4083-9eba-1da74cd0eaf2": {
|
|
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
|
|
"sha256": "33e3379959ca6f93326f5069bb4e5104c77c30f399d41fdb0108d3f4de3d7444",
|
|
"type": "new_terms",
|
|
"version": 107
|
|
},
|
|
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
|
|
"rule_name": "Potential Reverse Shell",
|
|
"sha256": "5cb666b8db28f6ef91c652488905003a54f688578c1a34017e77b80bc87c153a",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"48b6edfc-079d-4907-b43c-baffa243270d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 109,
|
|
"rule_name": "Multiple Logon Failure from the same Source Address",
|
|
"sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Multiple Logon Failure from the same Source Address",
|
|
"sha256": "50742a90a9cfc7318d787fe297c644ba6ff7658ae59bda3650452a451ed3969c",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
|
|
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
|
|
"sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
|
|
"rule_name": "Potential Persistence via Periodic Tasks",
|
|
"sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
|
|
"rule_name": "Remote XSL Script Execution via COM",
|
|
"sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"493834ca-f861-414c-8602-150d5505b777": {
|
|
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
|
|
"sha256": "c43d7caff55a0e669d84e34d8cb65261d090952151144bb98ddc066fb35fb251",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
|
|
"rule_name": "Potential Linux Backdoor User Account Creation",
|
|
"sha256": "5a9dab10c85e4612a211b8a0462ad02f3b63ea8ebe7964113b4fe4c6cf0ade62",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "fa0763bb909c5faa492f63ddf49e52ad217b2ba6495e1ea1f66636550d76c562",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
|
|
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
|
|
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "Process Discovery Using Built-in Tools",
|
|
"sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Process Discovery Using Built-in Tools",
|
|
"sha256": "24424c58a67a62f2464e7ce3c038697aeb561551b61ba5a2c8bf1cf001674ec1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
|
|
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
|
|
"sha256": "340f1c9b6d0d92fa721456ed567e265ee5b0b193bb96bea2145541912b19c536",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
|
|
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
|
|
"sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
|
|
"rule_name": "Potential Cross Site Scripting (XSS)",
|
|
"sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
|
|
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
|
|
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "e5e62d3b1a1f58eb079ca908f55105df68b2471d48e53122d47ec5b74afbb1cc",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "b538b62cec3fc16a06ef51cdb6f2a711aa479c82326a61862a3ac9a90238e17a",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
|
|
"rule_name": "Container Workload Protection",
|
|
"sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
|
|
"rule_name": "ProxyChains Activity",
|
|
"sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
|
|
"rule_name": "Unusual Process Writing Data to an External Device",
|
|
"sha256": "d5d28b9af1ed399604eb5bc1744453ce1f5dbc4839e7650ccf12c30616fe3d07",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "dd78ff329788e32ccfcd11f3331174f609f2a0b868ccfbf47b8d997dbfd30096",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "fdac8198180b87285d0dce793712e89ac9bdb36ea90ce122de8f4b1095c4dd6f",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 110,
|
|
"rule_name": "PowerShell Share Enumeration Script",
|
|
"sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
|
|
"type": "query",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Share Enumeration Script",
|
|
"sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c",
|
|
"type": "query",
|
|
"version": 111
|
|
},
|
|
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
|
|
"rule_name": "Kernel Load or Unload via Kexec Detected",
|
|
"sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
|
|
"rule_name": "AWS Management Console Brute Force of Root User Identity",
|
|
"sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1",
|
|
"type": "threshold",
|
|
"version": 207
|
|
},
|
|
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
|
|
"rule_name": "Attempt to Disable Gatekeeper",
|
|
"sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "9ba7f7cc43f484c307334745f27743ee4979e2df65bd1bec89add2c10051d0d3",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "982de592a7f2da640ff2a6006445d12e52090a1180b225e2f943c386641236c7",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 110,
|
|
"rule_name": "Multiple Logon Failure Followed by Logon Success",
|
|
"sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "Multiple Logon Failure Followed by Logon Success",
|
|
"sha256": "7b0176c520ea313b2012e6843edc760f64652558471e6f971e2b6d86d90116df",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"4ec47004-b34a-42e6-8003-376a123ea447": {
|
|
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
|
|
"sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "63a4cc656038a44374eeed199a47a67bcf261940a890689a6fe62a4fb2a51010",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "8a21c3a283a81db1aaea226e6ea8bcd2fae151cba2095929d13d00d0ae28b537",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Suspicious Script Object Execution",
|
|
"sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Script Object Execution",
|
|
"sha256": "87be064ac19c5ea66f69f2e2387eea0c3cd7bf236626285df2b76b760f408845",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Unauthorized Access to an Okta Application",
|
|
"sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Unauthorized Access to an Okta Application",
|
|
"sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "Unusual High Confidence Misconduct Blocks Detected",
|
|
"sha256": "273e5740f1d9e333cd6a22cd396b698234240feab6dba79c175c790fdf183ccc",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"4fe9d835-40e1-452d-8230-17c147cafad8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "8fcabaf421ead8967729841048f4304562f4719e3d0b887656122fe831a43b9d",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "72eaaba3e4541c4b67787d99cacc0cc2a13b0947f01563d4fb97ee7c1b5230df",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
|
|
"sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb",
|
|
"type": "threshold",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
|
|
"sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"50a2bdea-9876-11ef-89db-f661ea17fbcd": {
|
|
"rule_name": "AWS SSM Command Document Created by Rare User",
|
|
"sha256": "92832a1d67cc61df5e937f62a495aead9cfcc980486b8d2b754f3416427265aa",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"51176ed2-2d90-49f2-9f3d-17196428b169": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Windows System Information Discovery",
|
|
"sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Windows System Information Discovery",
|
|
"sha256": "547b5b46dd9bf2cdc0c7e62cb41182704197c47de44f9c2f95a3cd12548ddce0",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
|
|
"rule_name": "Hidden Files and Directories via Hidden Flag",
|
|
"sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 411,
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "12362423f221d5f78a62ede69455b6acc8926caeb7057ac6af76e9e8663839a1",
|
|
"type": "eql",
|
|
"version": 312
|
|
}
|
|
},
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "6888e4d8dc2ffc69e0f3b29e7601596b7ed396f3071eb3bf4b22614aec126f6d",
|
|
"type": "eql",
|
|
"version": 412
|
|
},
|
|
"514121ce-c7b6-474a-8237-68ff71672379": {
|
|
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
|
|
"sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
|
|
"rule_name": "GCP Logging Sink Deletion",
|
|
"sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"5188c68e-d3de-4e96-994d-9e242269446f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Service DACL Modification via sc.exe",
|
|
"sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Service DACL Modification via sc.exe",
|
|
"sha256": "bb0ebdc1eaa518a43a85a25951a8d3bb5afc5efe28ed295961a00afbb0f048f4",
|
|
"type": "eql",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Service DACL Modification via sc.exe",
|
|
"sha256": "4966b4c68a294538d5fe7fdd895bf295a7b8220649477a2de843e07ffbbd038b",
|
|
"type": "eql",
|
|
"version": 204
|
|
},
|
|
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
|
|
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
|
|
"sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Incoming DCOM Lateral Movement with MMC",
|
|
"sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Incoming DCOM Lateral Movement with MMC",
|
|
"sha256": "84c893dffd43871523001e934f53b55aa3560ab0e48927a519cc9890b21e6206",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
|
|
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
|
|
"sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"52376a86-ee86-4967-97ae-1a05f55816f0": {
|
|
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
|
|
"sha256": "fd77da125fda39b0791110d21e18fe7c21233971339f47f4d46a1f228f048839",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
|
|
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
|
|
"sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "6a3129bcebcc413938e081a72c565ac7e9a135830fc1c5c11e4c24f98d29c734",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "55992af5ec9860d11678c489909dda9a45c32e993b83107a655b61fffe7b5fd1",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"530178da-92ea-43ce-94c2-8877a826783d": {
|
|
"rule_name": "Suspicious CronTab Creation or Modification",
|
|
"sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
|
|
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
|
|
"sha256": "31fdbcd1bcd6c7fd916a92c19c40e5cbe355a75a3b31c97758f5723d31bdf870",
|
|
"type": "new_terms",
|
|
"version": 11
|
|
},
|
|
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
|
|
"rule_name": "AWS EFS File System or Mount Deleted",
|
|
"sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
|
|
"rule_name": "Azure Diagnostic Settings Deletion",
|
|
"sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
|
|
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
|
|
"sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "139f8bfa2c8cbb9183a5192c82ba2adb3fd3f23f81086fb9874e23cdbe7580fd",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "f7c792ee12ea5e1c289da3010faa0241087a72374e2a07e9744490d2d732a0f6",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"53dedd83-1be7-430f-8026-363256395c8b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "Binary Content Copy via Cmd.exe",
|
|
"sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Binary Content Copy via Cmd.exe",
|
|
"sha256": "f031d67ed436433e67086abdfa538113a953bfbf725e3aface9fc9c4cdaeab6a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "62ede16d68f9a13f35791ebd4acf967b6a53e167d2211eea0b4a9c9e452339ef",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"54a81f68-5f2a-421e-8eed-f888278bb712": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Exchange Mailbox Export via PowerShell",
|
|
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
|
|
"type": "query",
|
|
"version": 8
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Exchange Mailbox Export via PowerShell",
|
|
"sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74",
|
|
"type": "query",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Exchange Mailbox Export via PowerShell",
|
|
"sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Network Logon Provider Registry Modification",
|
|
"sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Network Logon Provider Registry Modification",
|
|
"sha256": "5132f31e51639151e91e5c3302b4650fc9f619e7eb892a051a03487eb3b5e62e",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Windows Service Installed via an Unusual Client",
|
|
"sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Windows Service Installed via an Unusual Client",
|
|
"sha256": "b6183b74d47d3cfe8b22dcff57a47da7713bc366002dbf9f7979a42bf76f6cc6",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "90e3f23709d14c16e8714247d3a94ee747ed3ba8514e76d2416f0bd1e9b650d5",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
|
|
"rule_name": "Windows Installer with Suspicious Properties",
|
|
"sha256": "312e779c5096313dd68712aec37a208169b7e7e58d9dc4a1362676776d5745c6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"56004189-4e69-4a39-b4a9-195329d226e9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Unusual Process Spawned by a Host",
|
|
"sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process Spawned by a Host",
|
|
"sha256": "fc15e14ff5e5b9a4e9791cd5a68b234418e8d305be7f057eb8a3d00248eac66b",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
|
|
"sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
|
|
"sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7",
|
|
"type": "query",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "1645e32bd9388cfedd1bbb52f9d608fa1f020e59df807c8c0a24d791979f2fc7",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"565c2b44-7a21-4818-955f-8d4737967d2e": {
|
|
"rule_name": "Potential Admin Group Account Addition",
|
|
"sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"565d6ca5-75ba-4c82-9b13-add25353471c": {
|
|
"rule_name": "Dumping of Keychain Content via Security Command",
|
|
"sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
|
|
"rule_name": "GCP Logging Bucket Deletion",
|
|
"sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
|
|
"type": "query",
|
|
"version": 110
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d",
|
|
"type": "query",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "38589e5b42cc43f6e6b822a37057ab671b1596137a108e3c0f6275bbd7821ad1",
|
|
"type": "query",
|
|
"version": 313
|
|
},
|
|
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
|
|
"rule_name": "Execution of an Unsigned Service",
|
|
"sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9",
|
|
"type": "new_terms",
|
|
"version": 105
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "65439f5e4fa7b0f4bbb310547d8239ea649d5818b5ac6338a7b358f2eb0c03ee",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
|
|
"sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
|
|
"rule_name": "Azure Virtual Network Device Modified or Deleted",
|
|
"sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "PowerShell MiniDump Script",
|
|
"sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b",
|
|
"type": "query",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "PowerShell MiniDump Script",
|
|
"sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "File Staged in Root Folder of Recycle Bin",
|
|
"sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "File Staged in Root Folder of Recycle Bin",
|
|
"sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "DNS Global Query Block List Modified or Disabled",
|
|
"sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "DNS Global Query Block List Modified or Disabled",
|
|
"sha256": "6b33c63d553cab599384d2a06a3cbe2ce79ac5637431a647f3c0b0bd8930e497",
|
|
"type": "eql",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "DNS Global Query Block List Modified or Disabled",
|
|
"sha256": "566037aa998817fc0a251e782f43cec8f2037e67f0fdfe4fc54256563b8a8994",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "0a123f7c9ac032b20d904a897c3925725aba31f988722148f34fcec998d5ad9d",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "ed7c60dc12bdfa2d20edceb1eae21c05458b5885ec3be1eff755ceba3fab866e",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "ad5f6e2a7ed2a334c068a318cce1628f5eba03cc5188384b8936624810b633fa",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "8aee0c8639f2f4bee943504b9828ddebae9944ff41119c3a2b4d0fdaa1354f6c",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
|
|
"rule_name": "Zoom Meeting with no Passcode",
|
|
"sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
|
|
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
|
|
"sha256": "274d6dd045e0bf970b32a646a70634ee7ddddc23721c1271d9e33bd3da440d40",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
|
|
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
|
|
"sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"5919988c-29e1-4908-83aa-1f087a838f63": {
|
|
"rule_name": "File or Directory Deletion Command",
|
|
"sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"5930658c-2107-4afc-91af-e0e55b7f7184": {
|
|
"rule_name": "O365 Email Reported by User as Malware or Phish",
|
|
"sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"59756272-1998-4b8c-be14-e287035c4d10": {
|
|
"rule_name": "Unusual Linux User Discovery Activity",
|
|
"sha256": "ee20cd99bcb1d96c1b45a7497beed44d5f9a3ea2acd13f0bb8e35352cbf59909",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"5a138e2e-aec3-4240-9843-56825d0bc569": {
|
|
"rule_name": "IPv4/IPv6 Forwarding Activity",
|
|
"sha256": "0ac95528a079d01b7adeaa69e09a6ce000a6e52cd17f4fc7984edb24bf715c66",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "a58979585d4e2dba00ae2bf4cc63ae6bed5e961b9f7644c0dc3fa1cdc1f2a938",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "922c50914d6b49f38e49963069b5aded60978873160d1be2e5ac966b0f38d3fe",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
|
|
"rule_name": "Potential Reverse Shell via Java",
|
|
"sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
|
|
"rule_name": "ROT Encoded Python Script Execution",
|
|
"sha256": "c0274af6f64a052fd104039c8754ea7aa05eaadab769efc8a98bc62711b2b491",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
|
|
"rule_name": "Potential Chroot Container Escape via Mount",
|
|
"sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
|
|
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
|
|
"sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "f758d94665be51996867211777d79e6aed92bf1caef03e695a48519325656443",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "f9cda122a401560f226e7216339accbcc62094bdba84a4debe35fbdecaf48970",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
|
|
"rule_name": "SUID/SGUID Enumeration Detected",
|
|
"sha256": "ecb48f9b2113ef16a9cf28b12062a7336b1fc1183e11978fa97c5d28f733e894",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"5b18eef4-842c-4b47-970f-f08d24004bde": {
|
|
"rule_name": "Suspicious which Enumeration",
|
|
"sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
|
|
"rule_name": "Potential Masquerading as Browser Process",
|
|
"sha256": "78ec9be84e9b6970a121017e012905d15e2e20158762c57da7f514ea4d07c5f2",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "f8b5d6b8dcd9ba7c0a8a5e3c777145a5ab964529eb766fbf5cab16a47349ead2",
|
|
"type": "new_terms",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "91c753727cc93c11d0c14042e89f25f4662381aa6ed581df89352758ca0056f3",
|
|
"type": "new_terms",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "aeec107590fee9b7eb50ce2c5790e91eebe4152e23c7a16c88cd8371f4e374b0",
|
|
"type": "new_terms",
|
|
"version": 314
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
|
|
"rule_name": "Process Capability Enumeration",
|
|
"sha256": "05b761407363be97b58f3300673822b50467a2bde6e9040bed06c9132d77729a",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5c602cba-ae00-4488-845d-24de2b6d8055": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
|
|
"sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
|
|
"sha256": "e76374e15f51af2dd0d683aacb95c40df7bb4ab2452ca64cab318aa20a1766a6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 112,
|
|
"rule_name": "FirstTime Seen Account Performing DCSync",
|
|
"sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106",
|
|
"type": "new_terms",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "FirstTime Seen Account Performing DCSync",
|
|
"sha256": "60be180da0a4d8a02621f58482c7ddfc3b2fc4815bbd722097bef9ec5bfe45a8",
|
|
"type": "new_terms",
|
|
"version": 113
|
|
},
|
|
"5c81fc9d-1eae-437f-ba07-268472967013": {
|
|
"rule_name": "Segfault Detected",
|
|
"sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"5c895b4f-9133-4e68-9e23-59902175355c": {
|
|
"rule_name": "Potential Meterpreter Reverse Shell",
|
|
"sha256": "d07f514f10110b37d711bf355d40833340fbbf7701ba0cc4db57f259713e2dba",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"5c983105-4681-46c3-9890-0c66d05e776b": {
|
|
"rule_name": "Unusual Linux Process Discovery Activity",
|
|
"sha256": "f9a87ae54214bad3a060e755e979bde3234717dd912edb1867dd9bb0f3f658b1",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
|
|
"rule_name": "Potential Defense Evasion via PRoot",
|
|
"sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
|
|
"sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
|
|
"sha256": "7d3bf84b8bde799ef371d4a6327bf8f541afea0300cdbf24763d28eb8f8342b5",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "User Added to Privileged Group",
|
|
"sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "User Added to Privileged Group",
|
|
"sha256": "249e80a94140cb17cb1bbbd22fcf7b01c9c149e0bb082822fc0cbec1322f4413",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "Persistence via PowerShell profile",
|
|
"sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Persistence via PowerShell profile",
|
|
"sha256": "bcfac59564d41ebcb539180ca3a3bf7ce87cc15eef7fe386b497fab430a67572",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Persistence via PowerShell profile",
|
|
"sha256": "f3fa333c7f1b7b2d1da2b134f2a3f535c02a04bbe1e29aea9a07f65dc3112f42",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
|
|
"rule_name": "Persistence via Login or Logout Hook",
|
|
"sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Suspicious Execution via Scheduled Task",
|
|
"sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution via Scheduled Task",
|
|
"sha256": "98c90d11775a22fd8b8841c192bba0357583dfff531656d7728cefb2a3cf68fb",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"5d676480-9655-4507-adc6-4eec311efff8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Unsigned DLL loaded by DNS Service",
|
|
"sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Unsigned DLL loaded by DNS Service",
|
|
"sha256": "1bed4177a477d026c410cae36aa7cc8da677f5a62bab50fb6caced420d1dd57c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
|
|
"rule_name": "Suspicious Automator Workflows Execution",
|
|
"sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"5e161522-2545-11ed-ac47-f661ea17fbce": {
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "e9ecfacffc915053d9856796153aa7ce7cc98c60c95d4de25a4d3f6307b6baa5",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"5e4023e7-6357-4061-ae1c-9df33e78c674": {
|
|
"rule_name": "Memory Swap Modification",
|
|
"sha256": "87f23ecd1afbe1e17093f0f1d038a49132d433f0e99f842a2c1ea2070422022a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"5e552599-ddec-4e14-bad1-28aa42404388": {
|
|
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
|
|
"sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"5e87f165-45c2-4b80-bfa5-52822552c997": {
|
|
"rule_name": "Potential PrintNightmare File Modification",
|
|
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
|
|
"sha256": "e65db1e4cf78b27ce4ca6092bbbb6900c749dbda0d96ee608ec1954757cb9862",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"5f2f463e-6997-478c-8405-fb41cc283281": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Potential File Download via a Headless Browser",
|
|
"sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 201,
|
|
"rule_name": "Potential File Download via a Headless Browser",
|
|
"sha256": "19a1d06007326123108f50fbfe0508ef28d7ef131ac3e5df567dbdc47aa6ff7a",
|
|
"type": "eql",
|
|
"version": 102
|
|
}
|
|
},
|
|
"rule_name": "Potential File Download via a Headless Browser",
|
|
"sha256": "8a9e091c55b5692d8d0032f78a5e51ffa80b4380ff50f18e6b2b25ad5830ba41",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
|
|
"rule_name": "Docker Escape via Nsenter",
|
|
"sha256": "11c34c854e425416671771fda4ebe364a729e7203d287c32837120c5426ec678",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"60884af6-f553-4a6c-af13-300047455491": {
|
|
"rule_name": "Azure Command Execution on Virtual Machine",
|
|
"sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
|
|
"rule_name": "Azure Service Principal Addition",
|
|
"sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
|
|
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
|
|
"sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "03650e968a078c275a50bd1b08d8a8390430cdb53c2723595bb0b572350387ee",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"61336fe6-c043-4743-ab6e-41292f439603": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "New User Added To GitHub Organization",
|
|
"sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "New User Added To GitHub Organization",
|
|
"sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Interactive Logon by an Unusual Process",
|
|
"sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Interactive Logon by an Unusual Process",
|
|
"sha256": "1baf1fef6bba99c5ccdc2528a1cf37b50b5fa046a869241e7957bc24910a38d2",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"61ac3638-40a3-44b2-855a-985636ca985e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
|
|
"type": "query",
|
|
"version": 113
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 315,
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8",
|
|
"type": "query",
|
|
"version": 216
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95",
|
|
"type": "query",
|
|
"version": 316
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "AdminSDHolder SDProp Exclusion Added",
|
|
"sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7",
|
|
"type": "eql",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "AdminSDHolder SDProp Exclusion Added",
|
|
"sha256": "0025f93aa161653a794f9a26065ea5e0cc28cde56f00267df2baedba016c4e6e",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Multiple Okta Sessions Detected for a Single User",
|
|
"sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba",
|
|
"type": "threshold",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Multiple Okta Sessions Detected for a Single User",
|
|
"sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
|
|
"sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
|
|
"sha256": "469e57d1084b2101124729bd1a24f0d0de9a3ba693867395cb5e2b2747429009",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"627374ab-7080-4e4d-8316-bef1122444af": {
|
|
"rule_name": "Private Key Searching Activity",
|
|
"sha256": "cfb8fb1ac5550969ade51696c2cce707ef17cb2ba835b59dde324128fe49a3da",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Account Configured with Never-Expiring Password",
|
|
"sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62",
|
|
"type": "query",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Account Configured with Never-Expiring Password",
|
|
"sha256": "d1a41572216c35257141c8fde9abe70f1cc185ba00383bd8a0a180ce1ce6cbc6",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
|
|
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
|
|
"sha256": "5a3fd12529c9c80182c6867d42fd64119b65ce06f0106fb6c46537b9f536d9ed",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"63431796-f813-43af-820b-492ee2efec8e": {
|
|
"rule_name": "Network Connection Initiated by SSHD Child Process",
|
|
"sha256": "bf0ca3359e6f32c685d719787f6adfd48d96993c3b01c42812464e6aaed5aa1c",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"63c05204-339a-11ed-a261-0242ac120002": {
|
|
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
|
|
"sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"63c056a0-339a-11ed-a261-0242ac120002": {
|
|
"rule_name": "Kubernetes Denied Service Account Request",
|
|
"sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"63c057cc-339a-11ed-a261-0242ac120002": {
|
|
"rule_name": "Kubernetes Anonymous Request Authorized",
|
|
"sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
|
|
"rule_name": "Sensitive Registry Hive Access via RegBack",
|
|
"sha256": "5fc949c2d8e00d3580f74fc9c2d044a0ed34182238f186e9c60e3f63df540d87",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "13ab27af642b6257541d2f7dd40e674512caf3615983668154c3cb69ce92212b",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"640f79d1-571d-4f96-a9af-1194fc8cf763": {
|
|
"rule_name": "Dynamic Linker Creation or Modification",
|
|
"sha256": "17626f3f8f0d9413631123ff3710cc6bbd765919f591f8cc4cb0b3ed798fd72d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
|
|
"rule_name": "Modification of Safari Settings via Defaults Command",
|
|
"sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
|
|
"rule_name": "Network Connection via Recently Compiled Executable",
|
|
"sha256": "c2a1edb00dafb062774f8a65b34f761d2c5332b1165d4c2282dab5acdd7baeac",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
|
|
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
|
|
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"65432f4a-e716-4cc1-ab11-931c4966da2d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "MsiExec Service Child Process With Network Connection",
|
|
"sha256": "861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "MsiExec Service Child Process With Network Connection",
|
|
"sha256": "41602b6a702f894fa85aeda894b432bf97541e7a789da640b09d1a6ccb020920",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "MsiExec Service Child Process With Network Connection",
|
|
"sha256": "f777f01e40e9050b0c782526949a439d855433b0f63892411d709ce8cda391d4",
|
|
"type": "eql",
|
|
"version": 201
|
|
},
|
|
"65f9bccd-510b-40df-8263-334f03174fed": {
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
|
|
"rule_name": "Attempt to Mount SMB Share via Command Line",
|
|
"sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"6641a5af-fb7e-487a-adc4-9e6503365318": {
|
|
"rule_name": "Suspicious Termination of ESXI Process",
|
|
"sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
|
|
"sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
|
|
"sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d",
|
|
"type": "new_terms",
|
|
"version": 104
|
|
},
|
|
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "WebServer Access Logs Deleted",
|
|
"sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "WebServer Access Logs Deleted",
|
|
"sha256": "615a81cd545877582b84f8a6524858b3762c49019fa6fc3286e441330c854938",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
|
|
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
|
|
"sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
|
|
"rule_name": "Connection to Commonly Abused Web Services",
|
|
"sha256": "6ee19e30f1b9b03cb860b685a9b64b35926db4749f7f4bec889b9061a34dd99f",
|
|
"type": "eql",
|
|
"version": 116
|
|
},
|
|
"66c058f3-99f4-4d18-952b-43348f2577a0": {
|
|
"rule_name": "Linux Process Hooking via GDB",
|
|
"sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
|
|
"rule_name": "Suspicious macOS MS Office Child Process",
|
|
"sha256": "a39e945c3402e4c0c2dbb298ac6967a111eed708c37dc104c0883a65040b4115",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 112,
|
|
"rule_name": "Modification of the msPKIAccountCredentials",
|
|
"sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804",
|
|
"type": "query",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "Modification of the msPKIAccountCredentials",
|
|
"sha256": "dc7f9e08e370facf03fd788985647ead45419455fbd6e63b7c489088770b941b",
|
|
"type": "query",
|
|
"version": 113
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Modify an Okta Policy",
|
|
"sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Modify an Okta Policy",
|
|
"sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
|
|
"rule_name": "O365 Mailbox Audit Logging Bypass",
|
|
"sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
|
|
"rule_name": "High Number of Process Terminations",
|
|
"sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3",
|
|
"type": "threshold",
|
|
"version": 112
|
|
},
|
|
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
|
|
"rule_name": "Query Registry via reg.exe",
|
|
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"6839c821-011d-43bd-bd5b-acff00257226": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "9cd61cbd2e186a7e79c84c63453170d959f8a17ba7f17226d7b751d3eb3401a0",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "a0e0e9db739a9599f432f5b67c38f79f2d78548a4048ada364cc2a77c63ad808",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
|
|
"rule_name": "New or Modified Federation Domain",
|
|
"sha256": "63bfcc3ca67c6279f1ed85c444ec4e840c389f3695e4228ed07f322caf108344",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
|
|
"sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f",
|
|
"type": "query",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
|
|
"sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac",
|
|
"type": "query",
|
|
"version": 308
|
|
},
|
|
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "5ea5116cd208e91c51260783d73f21acff4cc3285956fefc376e9fae3941f1b9",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "ae80e6eef7f02f152d24f72778eb22b6f998fffe08710ced5a60d17513f2ba50",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "6286d75656a1400145ea6bcf0cb02194f46a8678a76395dbace1577060570643",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Scheduled Task Created by a Windows Script",
|
|
"sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Scheduled Task Created by a Windows Script",
|
|
"sha256": "bb5ce1fe0201d211c3e0ee4e797372019294920771fb9be33e2e03799c925f41",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Suspicious Access to LDAP Attributes",
|
|
"sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef",
|
|
"type": "eql",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Access to LDAP Attributes",
|
|
"sha256": "ea3607c104e47097033fed5ea9538819d7ee0e258c4956660fe6bdb792e9e9c4",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
|
|
"rule_name": "AWS RDS DB Snapshot Created",
|
|
"sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
|
|
"sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
|
|
"sha256": "d9f1796c6d6ad026fc2376b376520d5553dcbd8c64035bb1e86132a90634d94c",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
|
|
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
|
|
"sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS IAM User Created Access Keys For Another User",
|
|
"sha256": "0007bd73ca11b0b6f5300662fa4863050840bc67ef764048a14b63a4a6e1c038",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
|
|
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
|
|
"type": "threat_match",
|
|
"version": 204
|
|
},
|
|
"69c116bb-d86f-48b0-857d-3648511a6cac": {
|
|
"rule_name": "Suspicious rc.local Error Message",
|
|
"sha256": "5ca0e055dc47c8c359d83d3c42388f2d1da1c8bb7fd5b309f29e81d5e4d767d5",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "84b303918d680f78c54255bfee90e9c6b45ad43925858f14ee5a3670c8dec812",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "191ff5cfc3df060d64cd80442331785e547236bc47cde601d473c2839019123c",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
|
|
"rule_name": "Attempt to Disable Auditd Service",
|
|
"sha256": "18dfc5c1f6dcffb90d7eccf1b9512ec335538d410a838cd95c25f0ba6788fc7f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
|
|
"rule_name": "EC2 AMI Shared with Another Account",
|
|
"sha256": "0c4ef4f51a8579747372ea43f8369add1855a2c4ca49c0059a91aca3c86b15e1",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "a5aca0cae7c3d4e2af72e551b196aa734185edb840e64a44250875f56954f40e",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "43459eeea6bab6c7fd87826c312985fcadb070763b879b2c8918b3cec2435895",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"6aace640-e631-4870-ba8e-5fdda09325db": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 415,
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "f59e6b0937b1a1ec0da32d1ced5e54224ce51ff3c12f6ef795d4c46104d824ce",
|
|
"type": "eql",
|
|
"version": 316
|
|
}
|
|
},
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "f630ebc0372153fafb100d4dba68e9a37b8c2997eead17632bd5df3bed2843b4",
|
|
"type": "eql",
|
|
"version": 417
|
|
},
|
|
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
|
|
"rule_name": "Suspicious Utility Launched via ProxyChains",
|
|
"sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
|
|
"rule_name": "Sensitive Files Compression",
|
|
"sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50",
|
|
"type": "new_terms",
|
|
"version": 208
|
|
},
|
|
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Remote Computer Account DnsHostName Update",
|
|
"sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Remote Computer Account DnsHostName Update",
|
|
"sha256": "81dd8799d02ef1ea7d54b9def9a1ab5cddb29910c2a88f978b310fc8b0b4b232",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
|
|
"rule_name": "Container Management Utility Run Inside A Container",
|
|
"sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "5c11225cdbbc4109678a5ed167332604297fd7074668973d0b0112b3b4052f3a",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "2fb47f8769b5103eed7d0e994a27d88daa89b306a570f96a16b4a7143462ea24",
|
|
"type": "eql",
|
|
"version": 308
|
|
},
|
|
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "GitHub Repo Created",
|
|
"sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "GitHub Repo Created",
|
|
"sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203",
|
|
"type": "machine_learning",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "76043082e1635afa431a0b6ffd9156292fcec2cb34e12c1d3d5f8a4ac354c8da",
|
|
"type": "machine_learning",
|
|
"version": 211
|
|
},
|
|
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
|
|
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
|
|
"sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
|
|
"rule_name": "Root Certificate Installation",
|
|
"sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
|
|
"sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6",
|
|
"type": "new_terms",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
|
|
"sha256": "a8bbd1a9cdafc77c48549535f3b93376cad74a043e69ead9323c875d7feb04d9",
|
|
"type": "new_terms",
|
|
"version": 108
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623",
|
|
"type": "machine_learning",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "849904e5601ed2b7ca539b15e1b20c3d5fd3a966683bc5a5f0cfa7101f0edcd9",
|
|
"type": "machine_learning",
|
|
"version": 208
|
|
},
|
|
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "AdminSDHolder Backdoor",
|
|
"sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe",
|
|
"type": "query",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "AdminSDHolder Backdoor",
|
|
"sha256": "d92aec3ae515b2f1ef5ead2567d90bf9ed286c98404ada51b490d78121809360",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
|
|
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
|
|
"sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Potential Windows Error Manager Masquerading",
|
|
"sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Potential Windows Error Manager Masquerading",
|
|
"sha256": "e7158ede633bc5e943fe69d3f0dd3ca7dbbb2dcd7c6be7221419dbeb34619d36",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Security Software Discovery using WMIC",
|
|
"sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31",
|
|
"type": "eql",
|
|
"version": 114
|
|
}
|
|
},
|
|
"rule_name": "Security Software Discovery using WMIC",
|
|
"sha256": "46ce350a70ad18636cde452bd1c45f325da59e8b2412b135766d037a3944a288",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
|
|
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
|
|
"sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"6f024bde-7085-489b-8250-5957efdf1caf": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Active Directory Group Modification by SYSTEM",
|
|
"sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce",
|
|
"type": "eql",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Active Directory Group Modification by SYSTEM",
|
|
"sha256": "3a007cf6213892afdb51e38c653b7fbb54d64d355bfe16ae31a77fa323fd5fbd",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
|
|
"sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
|
|
"sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9",
|
|
"type": "new_terms",
|
|
"version": 104
|
|
},
|
|
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "6de799b5422ffa174ed80888e29825c58384f7591ac7fadce324ff2fdce2a998",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the find command",
|
|
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "b2f7ce631f07fd56f2182a2d89e94a7b72a8f17e0957f25048b089de04c78dec",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"rule_name": "AWS Config Resource Deletion",
|
|
"sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Suspicious Execution via MSIEXEC",
|
|
"sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution via MSIEXEC",
|
|
"sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
|
|
"rule_name": "Persistence via WMI Standard Registry Provider",
|
|
"sha256": "48ce070e2534c85222ae42380aff08e9cf1051209120195a41abb438dd4f8f6e",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
|
|
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
|
|
"sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"7164081a-3930-11ed-a261-0242ac120002": {
|
|
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
|
|
"sha256": "32963011dca38553023a0d151758f181bed528bee5ecb5b09ac7e98db6994910",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
|
|
"sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"71bccb61-e19b-452f-b104-79a60e546a95": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 214,
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297",
|
|
"type": "eql",
|
|
"version": 115
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 314,
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "3602a1e97b87858224410b312b908c03fd8de29c7043c6e494f1f906e12bcc30",
|
|
"type": "eql",
|
|
"version": 215
|
|
}
|
|
},
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "265742cf965a3ba843e506c2a3b295f9cbd5d86e7cd45f85a3135b441230d12e",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Suspicious RDP ActiveX Client Loaded",
|
|
"sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Suspicious RDP ActiveX Client Loaded",
|
|
"sha256": "8225645357459c0d58f7893ad549d29d2962f1d7223312aab7feb5c8b918fc68",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
|
|
"rule_name": "Suspicious Passwd File Event Action",
|
|
"sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
|
|
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
|
|
"sha256": "221735c970fc3e380f11afa20a31274e578aab37486d9b912fe880f215412ddb",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
|
|
"rule_name": "Microsoft 365 Potential ransomware activity",
|
|
"sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"725a048a-88c5-4fc7-8677-a44fc0031822": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
|
|
"sha256": "34978ee634354ab60ca9b666477fc311458de3badb024f148a5005ee0469187b",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
|
|
"sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
|
|
"sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"72d33577-f155-457d-aad3-379f9b750c97": {
|
|
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
|
|
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
|
|
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
|
|
"sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"730ed57d-ae0f-444f-af50-78708b57edd5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Suspicious JetBrains TeamCity Child Process",
|
|
"sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Suspicious JetBrains TeamCity Child Process",
|
|
"sha256": "e855ed53b4cfc63e2e39c9229565a1c01d7d48221d8070d431e8dc9e876c8f50",
|
|
"type": "eql",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Suspicious JetBrains TeamCity Child Process",
|
|
"sha256": "ae1341f2955bd09f391d9e1c7a700bda4d7f98485c0639ce3a9296fd402d7f36",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"7318affb-bfe8-4d50-a425-f617833be160": {
|
|
"rule_name": "Potential Execution of rc.local Script",
|
|
"sha256": "a1de5406513b29e7517ce6db0a932eed198d6f6646dde0fa92bfd7cc13817aa2",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"734239fe-eda8-48c0-bca8-9e3dafd81a88": {
|
|
"rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
|
|
"sha256": "335243f27a9e9ed1e3642e492e90d9884c17019a2822331a668c6e48b82c46c4",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448",
|
|
"type": "eql",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "c31f8fce3143f7e8eb7fcff3e3855ec68728dbb708d60e35ebc951c8dea7b0a5",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
|
|
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
|
|
"sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"745b0119-0560-43ba-860a-7235dd8cee8d": {
|
|
"rule_name": "Unusual Hour for a User to Logon",
|
|
"sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "be2743603bcbf86cc96a4bdfd8c5de3f4377cc7621eeafe530eac2db9e6342c7",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
|
|
"sha256": "e302282bacf904630c492f9029228d942da4a53e8c775f0a4d050c1adc149db8",
|
|
"type": "esql",
|
|
"version": 1
|
|
},
|
|
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
|
|
"rule_name": "Suspicious Sysctl File Event",
|
|
"sha256": "d790d709f03bebac3ba27db548f318546cf856374beeabb46c5ced8ee2b2dab1",
|
|
"type": "new_terms",
|
|
"version": 108
|
|
},
|
|
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
|
|
"rule_name": "Service Disabled via Registry Modification",
|
|
"sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"76152ca1-71d0-4003-9e37-0983e12832da": {
|
|
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
|
|
"sha256": "22a8ad00011d5f164b7afb9036e0c5c08d16762e2128190811ec8aafe4886bd4",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"764c8437-a581-4537-8060-1fdb0e92c92d": {
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "5ddd8e0de022dc243009f61fe4aed4fd7812fd7d7ce4ff362bb536a2e0dcc1e9",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 111,
|
|
"rule_name": "Access to a Sensitive LDAP Attribute",
|
|
"sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Access to a Sensitive LDAP Attribute",
|
|
"sha256": "548fe255b858588807657801d2412f86bb23f3f7be4ad873dc10a2106a76466c",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
|
|
"rule_name": "Creation of Hidden Shared Object File",
|
|
"sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
|
|
"sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb",
|
|
"type": "eql",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
|
|
"sha256": "49a20927f23290c2e144d1b65851802c17c754cff9a811996be6493bd052aa8e",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
|
|
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
|
|
"sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 413,
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "fa7f0992aba0bdd414251ed673752a12db4ec5e47f27f027e5183b546920abc8",
|
|
"type": "eql",
|
|
"version": 315
|
|
}
|
|
},
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "3de8678662d78c511880c3dfa795b3d501c299cd3f22598f42b4c97f2d48685f",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "2b7e8fa40dba01ec3ca76881d26777d3de3ace0c62af4427698b3bd594bd7195",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "d72d3f14698c4424226b130a2b715c698d3064d3c24a739a0927e48acb0f6aa8",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
|
|
"rule_name": "User Added as Owner for Azure Application",
|
|
"sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"7787362c-90ff-4b1a-b313-8808b1020e64": {
|
|
"rule_name": "UID Elevation from Previously Unknown Executable",
|
|
"sha256": "20a7e5fcb8be7660f1a17f80c4e882a8fc95e82c19a75ad9f1a27620b30bec30",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
|
|
"sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"781f8746-2180-4691-890c-4c96d11ca91d": {
|
|
"rule_name": "Potential Network Sweep Detected",
|
|
"sha256": "9121a1422f15efedecd947633f481a8974363778374dfdb1bdcce1b188167fbe",
|
|
"type": "threshold",
|
|
"version": 8
|
|
},
|
|
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
|
|
"rule_name": "Yum/DNF Plugin Status Discovery",
|
|
"sha256": "23a40162c5772a1d921549e7d5a4282e9d4641cc2e228e211d0b185242db9e4a",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "7872d9e397306a241598eb6172a75adc0608f3f529798a8639c1e86810735b47",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
|
|
"rule_name": "Azure Privilege Identity Management Role Modified",
|
|
"sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Suspicious ScreenConnect Client Child Process",
|
|
"sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 304,
|
|
"rule_name": "Suspicious ScreenConnect Client Child Process",
|
|
"sha256": "bcbc70fad2d9c71913c432c46861cb8ff153465af7f9f11ab464014680f13996",
|
|
"type": "eql",
|
|
"version": 206
|
|
}
|
|
},
|
|
"rule_name": "Suspicious ScreenConnect Client Child Process",
|
|
"sha256": "b4eea876e31435d0c73ac8768c4954d50f6d10e4862c73652ad1fa9d0faa4464",
|
|
"type": "eql",
|
|
"version": 307
|
|
},
|
|
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
|
|
"rule_name": "Suspicious File Renamed via SMB",
|
|
"sha256": "b06fe72841e973c578410fa85cc532be47a7199c613e59e094aaefce1e311a48",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
|
|
"rule_name": "Unsigned DLL Loaded by Svchost",
|
|
"sha256": "bb615c82f76f783f0f58151931932eec4f8b1bab35a8600d646c237df38dcb1f",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"79124edf-30a8-4d48-95c4-11522cad94b1": {
|
|
"rule_name": "File Compressed or Archived into Common Format",
|
|
"sha256": "3d99ad9a8ea1ddbc2a184754459191a84dc56f918bf759be9a52d7649106e44e",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
|
|
"rule_name": "Azure Key Vault Modified",
|
|
"sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
|
|
"rule_name": "SSL Certificate Deletion",
|
|
"sha256": "89f19de3195f7c7c74cdc64eec4457b9424ec304f8316da04481f0bae74b06ac",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
|
|
"rule_name": "Potential Masquerading as System32 Executable",
|
|
"sha256": "649ff4b679f9f2b569f73ad7717ac48ba0bc93da34b650a7bca46243274b37c2",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "Potential File Transfer via Certreq",
|
|
"sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Potential File Transfer via Certreq",
|
|
"sha256": "c7346c7c1df15029b05df11871734739ec4818f53fd9684c2a583eb85d432fff",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Potential File Transfer via Certreq",
|
|
"sha256": "317afcd5484f4d5ed77732c52136d63141c3af83abc8cc130d698fd7da4ef84c",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Potential Shadow Credentials added to AD Object",
|
|
"sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e",
|
|
"type": "query",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "Potential Shadow Credentials added to AD Object",
|
|
"sha256": "fcf721e497f059801651f6332bbdc66878edeac4195692fa7e6e402fbabf0fb1",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": {
|
|
"rule_name": "First Occurrence of STS GetFederationToken Request by User",
|
|
"sha256": "97ed856d2841e0782bc46e870d33be5ca0ae8b6df0b3ff8f168f828213f57081",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
|
|
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
|
|
"sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
|
|
"rule_name": "Potential Execution via XZBackdoor",
|
|
"sha256": "b0577394863a57fc35c75a1748f35f6df69d1e0ae476ef4230fbdcd28d3dc564",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"7b08314d-47a0-4b71-ae4e-16544176924f": {
|
|
"rule_name": "File and Directory Discovery",
|
|
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
|
|
"rule_name": "AWS ElastiCache Security Group Created",
|
|
"sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Windows Network Enumeration",
|
|
"sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486",
|
|
"type": "eql",
|
|
"version": 114
|
|
}
|
|
},
|
|
"rule_name": "Windows Network Enumeration",
|
|
"sha256": "344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
|
|
"rule_name": "SELinux Configuration Creation or Renaming",
|
|
"sha256": "a858e1300af56137b5117d927e962a8daec649ea7ab5b36f42d2b8c21c72fb40",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "0bcdd2692369252815bb0b5c45cdfcebaea56683de999dfad868be1f725d9ddd",
|
|
"type": "eql",
|
|
"version": 308
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"rule_name": "Tampering of Shell Command-Line History",
|
|
"sha256": "b29563e9adeb94b3d771f3e0f0316518415fb4312e33347e187c39ba28647529",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
|
|
"rule_name": "APT Package Manager Configuration File Creation",
|
|
"sha256": "c15e188ea1ce6f3177c41bfe4cb9a692bfcdc3416f1af28263ebc1a14ca9404a",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "0f41d71ccff8430c3787790e46370c3451a3a92f2faa9b03993b8fba38aee32c",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
|
|
"rule_name": "Git Hook Child Process",
|
|
"sha256": "78176482702f10120da2da5c9a3fe712cccd4145cf69ed8b5c4276ecdcd6c052",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"7ceb2216-47dd-4e64-9433-cddc99727623": {
|
|
"rule_name": "GCP Service Account Creation",
|
|
"sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
|
|
"rule_name": "AWS Lambda Layer Added to Existing Function",
|
|
"sha256": "2b5beb7d7435862fd58aef36fbe1c663e0c9dd064e09b122cce712360569c1da",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
|
|
"rule_name": "SSH Key Generated via ssh-keygen",
|
|
"sha256": "02a3fbd847f6e988ae119d30af0b3b2c0c31611ed3b77372aa9eb99e8c5bb9cc",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
|
|
"rule_name": "Suspicious Kworker UID Elevation",
|
|
"sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Microsoft Management Console File from Unusual Path",
|
|
"sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Microsoft Management Console File from Unusual Path",
|
|
"sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 304,
|
|
"rule_name": "Microsoft Management Console File from Unusual Path",
|
|
"sha256": "66858a324d0462bd232554434241130f2856843cf22ef73c579c09e3f6e39043",
|
|
"type": "eql",
|
|
"version": 206
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Management Console File from Unusual Path",
|
|
"sha256": "332111db4905fbf977cb9ea156d2aa394347669370073cd3430efc581d4c41eb",
|
|
"type": "eql",
|
|
"version": 307
|
|
},
|
|
"7efca3ad-a348-43b2-b544-c93a78a0ef92": {
|
|
"rule_name": "Security File Access via Common Utilities",
|
|
"sha256": "35fc8b548fcc1523cdea4fa29865704d65b15be3c7601e2a1f778dae2d006575",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "95ee9038faef018973ee81cb960175831ba7c20826685ba790ba0f6926232d5d",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
|
|
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
|
|
"sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee",
|
|
"type": "new_terms",
|
|
"version": 102
|
|
},
|
|
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
|
|
"rule_name": "Systemd Timer Created",
|
|
"sha256": "1e46fd812061270a2231dca8ec5a7ffbddd0a53997cfb62e0d457cac8e0a45d5",
|
|
"type": "eql",
|
|
"version": 15
|
|
},
|
|
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
|
|
"sha256": "3e4f1413412bd00822190208d7e8be98fe32aa44ccde5044c2aa42fb5a0be8ff",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"80084fa9-8677-4453-8680-b891d3c0c778": {
|
|
"rule_name": "Enumeration of Kernel Modules via Proc",
|
|
"sha256": "1cb7f1b40b2b92807f7a8f322a6510de21f99c502327d83b1d2f5865b494e36a",
|
|
"type": "new_terms",
|
|
"version": 107
|
|
},
|
|
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
|
|
"rule_name": "Unusual Process Extension",
|
|
"sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Potential PowerShell Obfuscated Script",
|
|
"sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Potential PowerShell Obfuscated Script",
|
|
"sha256": "6e71b4ea552314b263198211bc6bc680d060453ac942fe0fe59499562f8ed834",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
|
|
"rule_name": "SSM Session Started to EC2 Instance",
|
|
"sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
|
|
"sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
|
|
"sha256": "4a3c5fd150828acc188647d8c5574f0b88da993c4d0abaaa285644ff08021608",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"rule_name": "Process Injection - Detected - Elastic Endgame",
|
|
"sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
|
|
"rule_name": "Unusual Remote File Extension",
|
|
"sha256": "d33a4fa7f5db48036701cd4df4e4586b2218d47f930a796097379a4757023e30",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "fc4ff95d31809bdc72563ba4251142cb5a33e5239d3cb64a0b877a31f6ba05d4",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "79d56380a744abb989063bf3baad2ba31b19b1d7ceb2de2be8234bf921051f81",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
|
|
"type": "query",
|
|
"version": 111
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5",
|
|
"type": "query",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "320a555df4db198a83d99c9c148c34b4bea3d27beec4d6824ea25b077dfdd561",
|
|
"type": "query",
|
|
"version": 314
|
|
},
|
|
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Temporarily Scheduled Task Creation",
|
|
"sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Temporarily Scheduled Task Creation",
|
|
"sha256": "b1820c87c951dea5911f8205052ea225bd0591292ca0283895f1242d165ff6c6",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
|
|
"rule_name": "Apple Scripting Execution with Administrator Privileges",
|
|
"sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"835c0622-114e-40b5-a346-f843ea5d01f1": {
|
|
"rule_name": "Potential Linux Local Account Brute Force Detected",
|
|
"sha256": "135901066ac707836fa9dc5d72517b43f80c3f43f8afdbcd0793ccd7e271f79b",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
|
|
"rule_name": "Azure Kubernetes Pods Deleted",
|
|
"sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
|
|
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"83bf249e-4348-47ba-9741-1202a09556ad": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Suspicious Windows Powershell Arguments",
|
|
"sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Suspicious Windows Powershell Arguments",
|
|
"sha256": "13d53b19535acefeb9018df99a3327de628c8cefdf886e9453b33d0f128fb058",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Windows Powershell Arguments",
|
|
"sha256": "13d45d27cdabc4d4143ebc5cccab8fff6f0a87c28bdb2f258d0dab66423371d2",
|
|
"type": "eql",
|
|
"version": 202
|
|
},
|
|
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "24507f9fc5eac786e69d16e7a9759e5502f06ae39ca2b0c3baee080c29aed691",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
|
|
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
|
|
"sha256": "7527cb6d613f3cbebb763fc8b4da705569785eb0d5f20552483a9ac4e03c34e9",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Microsoft Exchange Transport Agent Install Script",
|
|
"sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Exchange Transport Agent Install Script",
|
|
"sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"84755a05-78c8-4430-8681-89cd6c857d71": {
|
|
"rule_name": "At Job Created or Modified",
|
|
"sha256": "a987f893268d128252316712332f0deeb89dbfad27ee9595059745bcfc9cfb1e",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
|
|
"rule_name": "Potential Upgrade of Non-interactive Shell",
|
|
"sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
|
|
"sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
|
|
"sha256": "d9c16cda743982a7c6cdbdb8dc28e0a6b4b32544874e6716412faa3814b400a7",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
|
|
"rule_name": "Potential Remote Credential Access via Registry",
|
|
"sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
|
|
"rule_name": "Suspicious PowerShell Engine ImageLoad",
|
|
"sha256": "361cf289449891a5a01a599005a112612693f0528651e2fd44fd291e2fcf9481",
|
|
"type": "new_terms",
|
|
"version": 211
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"863cdf31-7fd3-41cf-a185-681237ea277b": {
|
|
"rule_name": "AWS RDS Security Group Deletion",
|
|
"sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
|
|
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
|
|
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"870aecc0-cea4-4110-af3f-e02e9b373655": {
|
|
"rule_name": "Security Software Discovery via Grep",
|
|
"sha256": "d4773a9bd42acb66239348d5fe61bd9512fb95f50634dfbfaa1c8f42820b2b78",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"871ea072-1b71-4def-b016-6278b505138d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Enumeration of Administrator Accounts",
|
|
"sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e",
|
|
"type": "eql",
|
|
"version": 114
|
|
}
|
|
},
|
|
"rule_name": "Enumeration of Administrator Accounts",
|
|
"sha256": "a362b8b5e455f372dabfdad53f4b89385185d08f8e4cd581f2d4d3a13bc1a59b",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"873b5452-074e-11ef-852e-f661ea17fbcc": {
|
|
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
|
|
"sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
|
|
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
|
|
"sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
|
|
"rule_name": "Linux Clipboard Activity Detected",
|
|
"sha256": "948181ba2921e5e5ff2e950f272a9fa9cb5797927da206fc67100db0641746f3",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"88671231-6626-4e1b-abb7-6e361a171fbb": {
|
|
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
|
|
"sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"88817a33-60d3-411f-ba79-7c905d865b2a": {
|
|
"rule_name": "Sublime Plugin or Application Script Modification",
|
|
"sha256": "c982030d976d5caa598abb973577eca20c6a5f49e0f0b746d31b814e3aada81e",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
|
|
"rule_name": "Potential Sudo Hijacking",
|
|
"sha256": "48ef2dcad2d1f95fb5e7cd7f890d36ba444b2c045b00f18db67a56565a8fb776",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Suspicious WMI Image Load from MS Office",
|
|
"sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Suspicious WMI Image Load from MS Office",
|
|
"sha256": "23ea84a839f5ac5677f5dcd1bd511e1a590fb3a73e3bf7922f0ac80814489841",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"894326d2-56c0-4342-b553-4abfaf421b5b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
|
|
"sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
|
|
"sha256": "f41675c0e6c71d8ffce61638873343c099dd76784a16afca7fc2bf6896b4ea63",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the vi command",
|
|
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
|
|
"min_stack_version": "8.13",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Kerberos Traffic from Unusual Process",
|
|
"sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Kerberos Traffic from Unusual Process",
|
|
"sha256": "ca38aa28a331bbae9391539b45d46648d9465bbf8261f1320789c780faf60c37",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "20e49f8b0cc9cd52d6a4e8878d070cae67b09b9f66c1d604d4d844a1a31a48c1",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
|
|
"rule_name": "Persistence via DirectoryService Plugin Modification",
|
|
"sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
|
|
"rule_name": "Suspicious Symbolic Link Created",
|
|
"sha256": "e6768a2a66d26ab7605de86680ec11417c10c845603ad67d0b5768837751b40f",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
|
|
"sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
|
|
"sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "GitHub PAT Access Revoked",
|
|
"sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "GitHub PAT Access Revoked",
|
|
"sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"rule_name": "SUID/SGID Bit Set",
|
|
"sha256": "3709b15d60903268e4e30eba20dc1d89c099e0aa71b45dcff996484296a8c994",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Suspicious Execution from a Mounted Device",
|
|
"sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution from a Mounted Device",
|
|
"sha256": "2b1670c842dd4482f2d66f4b20ad288dba295639673efae366e467a0b4347eac",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Deactivate an Okta Network Zone",
|
|
"sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate an Okta Network Zone",
|
|
"sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
|
|
"rule_name": "Deprecated - Suspicious JAVA Child Process",
|
|
"sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
|
|
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
|
|
"sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "a5ba27def82c8a23b306fc36f9fc4d034de167102926baab02506d958ae44b71",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "bb22de8a34a7d93efe239f27bf92b15ba453c32860882728ed8eba1e57eba71d",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "0233b0c095271e86a61b4f41bb130007b740f4c4e75718f9ca731a3bc4f94511",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "1b8dcfb849fbca85f3c0f9347e3081f3c8e4b4f6736756a7de5d88cc31652ce9",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
|
|
"rule_name": "Azure Kubernetes Events Deleted",
|
|
"sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "6659d5d4a4edaff5a8ca68cbfaf2a04c0158a37d500c6e10acc18c930935370f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "38d0941ee472b5919ff202905e616b35d4fcf58b34c86b0f728f3570f8e9d3c8",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "8e9cdfcc336ce2f5c05c2db76a514795e03b4b84ef65fb2ccd5d14b90a043f77",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
|
|
"rule_name": "Potential SharpRDP Behavior",
|
|
"sha256": "187f18c4d04b8449ae3e946d3e2dfe18c3a5cd4a22ac2f5a20319294fef4e588",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"rule_name": "Ransomware - Detected - Elastic Endgame",
|
|
"sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
|
|
"rule_name": "Potential Successful SSH Brute Force Attack",
|
|
"sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": {
|
|
"rule_name": "RPM Package Installed by Unusual Parent Process",
|
|
"sha256": "9868139ca7255c94edd8b10c7750af9f9be3e501bb386dce4f46e240eca21bc2",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
|
|
"rule_name": "File with Suspicious Extension Downloaded",
|
|
"sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8d3d0794-c776-476b-8674-ee2e685f6470": {
|
|
"rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
|
|
"sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
|
|
"rule_name": "Potential Privilege Escalation via PKEXEC",
|
|
"sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
|
|
"rule_name": "Azure Automation Runbook Deleted",
|
|
"sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8e2485b6-a74f-411b-bf7f-38b819f3a846": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Potential WSUS Abuse for Lateral Movement",
|
|
"sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Potential WSUS Abuse for Lateral Movement",
|
|
"sha256": "3e2c0816b6054ee90afac447a89f0dbd2c8657badf12aedab3b4c1f371c1d799",
|
|
"type": "eql",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Potential WSUS Abuse for Lateral Movement",
|
|
"sha256": "6f20b8e3e7b5786f7b0cc4ec248f9c11431df6e0ee30decc8a98078423a583cf",
|
|
"type": "eql",
|
|
"version": 205
|
|
},
|
|
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
|
|
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
|
|
"sha256": "428b39c4182e10ba307e2d107d34845ceae5b7f6f1e2f036872c3cf1d8cd70e8",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Bitsadmin Activity",
|
|
"sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Bitsadmin Activity",
|
|
"sha256": "0eb3d4c886d1825f2f64434cbc2f7f824a2f31eb5a1f37d0c409129c1d89ab86",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
|
|
"sha256": "69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
|
|
"sha256": "53543595176dfe8267e4ad2d5a70fdf91eaa2919aa81daf806a9d56daf0fd67a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
|
|
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
|
|
"sha256": "2593df86374cf3250f718b43d01f4e492da7574bdf8bc54867aad7fc465a8f60",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
|
|
"sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
|
|
"sha256": "8e6310e520c4ac17999de81799f5ab21b14bad01162d9cc5aa9bd5a8acd914c8",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
|
|
"rule_name": "GCP Service Account Deletion",
|
|
"sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
|
|
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
|
|
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
|
"rule_name": "AWS Deletion of RDS Instance or Cluster",
|
|
"sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
|
|
"rule_name": "Keychain Password Retrieval via Command Line",
|
|
"sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"90babaa8-5216-4568-992d-d4a01a105d98": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "InstallUtil Activity",
|
|
"sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "InstallUtil Activity",
|
|
"sha256": "9f9c56b567948852bcbe378e570fdf547ce08d08295a8993571cd4b4327af2e7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
|
|
"rule_name": "Auditd Login Attempt at Forbidden Time",
|
|
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
|
|
"rule_name": "GCP Virtual Private Cloud Route Creation",
|
|
"sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"91d04cd4-47a9-4334-ab14-084abe274d49": {
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "2acbdd0a26677cad2bb141876358cb764775e21d0e209f84d883f66ed4cc509c",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "974cc349d144864b4b2c7bf8228f2ef15c5942087c8d3b0c220d50909b0b8f71",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "97758f8c16d53ae0d9fd710f22e21664a5e7ac786569e132352b563c0fec69cb",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
|
|
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
|
|
"sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9",
|
|
"type": "threshold",
|
|
"version": 1
|
|
},
|
|
"92984446-aefb-4d5e-ad12-598042ca80ba": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
|
|
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
|
|
"type": "query",
|
|
"version": 8
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
|
|
"sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
|
|
"type": "query",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
|
|
"sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "A scheduled task was created",
|
|
"sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "A scheduled task was created",
|
|
"sha256": "e5b5be0c7d172af228b2b4d7673159c5732796739b2ca948c4486b38d6b867ac",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"92d3a04e-6487-4b62-892d-70e640a590dc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Potential Evasion via Windows Filtering Platform",
|
|
"sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Evasion via Windows Filtering Platform",
|
|
"sha256": "7ac59a9ca2f1b45c91bacb9ec313fd3e400a28a06751a9175f3262892e0f96fa",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"93075852-b0f5-4b8b-89c3-a226efae5726": {
|
|
"rule_name": "AWS STS Role Assumption by Service",
|
|
"sha256": "098648b0ec9a99626b4b9cacd20f79f9028f13d93cda5ddb8c02d9394c758353",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "750c2d617d020e994dadb92ce3e0b585d16bbdc097fb24a656bb3e2f95ccae14",
|
|
"type": "new_terms",
|
|
"version": 205
|
|
},
|
|
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
|
|
"rule_name": "AWS VPC Flow Logs Deletion",
|
|
"sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
|
|
"min_stack_version": "8.13",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Suspicious SolarWinds Child Process",
|
|
"sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Suspicious SolarWinds Child Process",
|
|
"sha256": "7363bf0ec1ba1d14c0e88b63d2dd0597d01dc13ab80fcd01d0ca58e10e232b4e",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Encoded Executable Stored in the Registry",
|
|
"sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 410,
|
|
"rule_name": "Encoded Executable Stored in the Registry",
|
|
"sha256": "b5558abe7fd77b3214d07c369401260d1c211b91845eb37e5f92266ebf92ef54",
|
|
"type": "eql",
|
|
"version": 311
|
|
}
|
|
},
|
|
"rule_name": "Encoded Executable Stored in the Registry",
|
|
"sha256": "af45080cf231cdc384e6d85e2ccc178fd5b9cc69c739e04396373babe9b31ae5",
|
|
"type": "eql",
|
|
"version": 411
|
|
},
|
|
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "3f4c25d945ad4aba614f5d74a31c515d8284fc201547404bee99658f5e3c7919",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
|
|
"rule_name": "Modification of Standard Authentication Module or Configuration",
|
|
"sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30",
|
|
"type": "new_terms",
|
|
"version": 204
|
|
},
|
|
"94418745-529f-4259-8d25-a713a6feb6ae": {
|
|
"rule_name": "Executable Bit Set for Potential Persistence Script",
|
|
"sha256": "74aed1e2b14f06f985dcdda41a9373194206e0d5b6136dc5af2c15f72a430fc0",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
|
|
"rule_name": "Creation of Kernel Module",
|
|
"sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
|
|
"sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
|
|
"sha256": "5d504991acb458ceeb163edfc30f03c2b639725ce90470439bd1854d0c508ea5",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
|
|
"sha256": "5ac9902c4013c4a43232005924bbd2e3ea5837f3b1fb46536414e31a990e9dfb",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.13": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Multiple Okta User Authentication Events with Client Address",
|
|
"sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380",
|
|
"type": "esql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Multiple Okta User Authentication Events with Client Address",
|
|
"sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380",
|
|
"type": "esql",
|
|
"version": 103
|
|
},
|
|
"9510add4-3392-11ed-bd01-f661ea17fbce": {
|
|
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
|
|
"sha256": "e1f81d655b8ff56cdc39629ce72312cdebdea19e417e5d8a2f82631bf5a3bd6c",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"951779c2-82ad-4a6c-82b8-296c1f691449": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
|
|
"sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
|
|
"sha256": "6ec2f6a7128677f6221950458047a3b8e1280a63bea437a60b9c6da72c55d746",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Remote Scheduled Task Creation",
|
|
"sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Remote Scheduled Task Creation",
|
|
"sha256": "555f7495d3ea6078d6af2f97c818cae349e64b883f0521ec5b62889f19a47c7a",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"959a7353-1129-4aa7-9084-30746b256a70": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
|
|
"sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
|
|
"type": "query",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
|
|
"sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.13": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
|
|
"sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379",
|
|
"type": "esql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
|
|
"sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379",
|
|
"type": "esql",
|
|
"version": 103
|
|
},
|
|
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
|
|
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
|
|
"sha256": "85feced66a2d2b2c88a257f2aa26916b9bff95d08871035e142b35191149d8cd",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
|
|
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
|
|
"sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
|
|
"rule_name": "File made Immutable by Chattr",
|
|
"sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d",
|
|
"type": "query",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19",
|
|
"type": "query",
|
|
"version": 308
|
|
},
|
|
"96d11d31-9a79-480f-8401-da28b194608f": {
|
|
"rule_name": "Message-of-the-Day (MOTD) File Creation",
|
|
"sha256": "dee0fa159010c2aba6be29979a0ca7a24423ce4b2897d3bde2f635ddff3fe6c8",
|
|
"type": "eql",
|
|
"version": 12
|
|
},
|
|
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
|
|
"rule_name": "Access to Keychain Credentials Directories",
|
|
"sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"97020e61-e591-4191-8a3b-2861a2b887cd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
|
|
"sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
|
|
"sha256": "d04ceea45c0ac0f1155e702d8add70dc3c753a765f23720895f180232c65a4a4",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"97314185-2568-4561-ae81-f3e480e5e695": {
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
|
|
"sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
|
|
"rule_name": "GCP Storage Bucket Configuration Modification",
|
|
"sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
|
|
"rule_name": "File System Debugger Launched Inside a Privileged Container",
|
|
"sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"979729e7-0c52-4c4c-b71e-88103304a79f": {
|
|
"rule_name": "AWS IAM SAML Provider Updated",
|
|
"sha256": "4ef7bf5e39de2d55f436f611e2de8f1d905d1ea116d8ff8000753ceb8d2663fc",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
|
|
"sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
|
|
"sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 413,
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "60e026edebd1c4bcfd0580ec04e257e406ecedb6ace76131d14a9bbcad9535ee",
|
|
"type": "eql",
|
|
"version": 315
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "3db79975854f188574aa5d5aec5b4fe1e5375be640e0ac15fa02437975ef0d7e",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
|
|
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
|
|
"rule_name": "Suspicious Renaming of ESXI Files",
|
|
"sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"97fc44d3-8dae-4019-ae83-298c3015600f": {
|
|
"rule_name": "Startup or Run Key Registry Modification",
|
|
"sha256": "d8b7b25e2fefe1dc94dd57ee87b2dd576cc089e5d7a78dcb91f493b33e925285",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
|
|
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
|
|
"sha256": "13bb60d5c1f5306bc12b67f81f15a38dc8238c2cd154896536269d9668d075cc",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"9822c5a1-1494-42de-b197-487197bb540c": {
|
|
"rule_name": "Git Hook Egress Network Connection",
|
|
"sha256": "8e57b1dbf16d5746922b8edafe41713555a95bb09c7bc1b9f9f63a00bd5c3724",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
|
|
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
|
|
"sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
|
|
"sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
|
|
"sha256": "56ee900c3c60566cdad73204b69ff67f4e49dd0fbbf0ad53ddaaf26095c60caa",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"9890ee61-d061-403d-9bf6-64934c51f638": {
|
|
"rule_name": "GCP IAM Service Account Key Deletion",
|
|
"sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
|
|
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
|
|
"sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"rule_name": "AWS EC2 Snapshot Activity",
|
|
"sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"rule_name": "Process Injection - Prevented - Elastic Endgame",
|
|
"sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
|
|
"rule_name": "MacOS Installer Package Spawns Network Event",
|
|
"sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"994e40aa-8c85-43de-825e-15f665375ee8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 109,
|
|
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
|
|
"sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
|
|
"sha256": "85e5f6ced29ac3d6e31d6e1f4a7c0b4f2599e27e53092e952773acedced38cf5",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"9960432d-9b26-409f-972b-839a959e79e2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Potential Credential Access via LSASS Memory Dump",
|
|
"sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via LSASS Memory Dump",
|
|
"sha256": "4bf6f2a660c85fd28a35ddf6782205584eb0a142d6df00a0777a759911565330",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
|
|
"rule_name": "Access Control List Modification via setfacl",
|
|
"sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"99c2b626-de44-4322-b1f9-157ca408c17e": {
|
|
"rule_name": "Web Server Spawned via Python",
|
|
"sha256": "34fe21a4d673170b9d5de7326cc8f18a359a13a6b97d49085d89e96cf0f9952a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
|
|
"rule_name": "Spike in Failed Logon Events",
|
|
"sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
|
|
"rule_name": "Endpoint Security",
|
|
"sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
|
|
"rule_name": "Unsigned BITS Service Client Process",
|
|
"sha256": "4f561717a25dc92b70f5d5b880397f4622d3d9795ea086ac8c70373878c3bc51",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
|
|
"rule_name": "Potential Shadow File Read via Command Line Utilities",
|
|
"sha256": "aa9fc82aa5324a0f942d1115e319178f8cb830f3e6d3a881a1859865b3768db5",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Suspicious Explorer Child Process",
|
|
"sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Suspicious Explorer Child Process",
|
|
"sha256": "8911b89e1d09588deb7e5a942983225efff7df52cca7afc92f98f0875de1c7e2",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Explorer Child Process",
|
|
"sha256": "155a1370c4fc3154277e3947dd506fb75a99bd378727d59485c4e1947de04ecc",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Scheduled Tasks AT Command Enabled",
|
|
"sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Scheduled Tasks AT Command Enabled",
|
|
"sha256": "f3167a9539280f0deb3103a26e2dad2bc7f971e05e60885f5a533db2ba730fa2",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Scheduled Tasks AT Command Enabled",
|
|
"sha256": "6c0f3e8a857f02183dd2476acbc51cd2417ad39b9a38013caea85872f6c0495f",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
|
|
"sha256": "19bb01d2bfc28053a0a6ef4bba3cc428e187d1c71998e94cabcc80b2b15ef822",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "GitHub Owner Role Granted To User",
|
|
"sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "GitHub Owner Role Granted To User",
|
|
"sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Persistence via WMI Event Subscription",
|
|
"sha256": "f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Persistence via WMI Event Subscription",
|
|
"sha256": "890f3569bcc29ef77a9be476b20376ebe51917937cb2bde1ca196f0698b6c9ff",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Persistence via WMI Event Subscription",
|
|
"sha256": "894cde78d489d010f90f6c225dc210803634f3e1d380a685cea35bd4605694ef",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
|
|
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
|
|
"sha256": "818ec7b5077ef339d297c377bd56ef3592dbf978c6f01eab575e082d7ec31f59",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
|
|
"rule_name": "Unusual Interactive Shell Launched from System User",
|
|
"sha256": "b203af3a5e4914073b4c50ace39c1cd98fff18e024f1810b36679a1ae394cf3a",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "Remote Scheduled Task Creation via RPC",
|
|
"sha256": "247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Remote Scheduled Task Creation via RPC",
|
|
"sha256": "9860fa33ea3768742f597c39c25196697991a88b7dc7cf668e73827b1da60387",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"9c951837-7d13-4b0c-be7a-f346623c8795": {
|
|
"rule_name": "Potential Enumeration via Active Directory Web Service",
|
|
"sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Command Shell Activity Started via RunDLL32",
|
|
"sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Command Shell Activity Started via RunDLL32",
|
|
"sha256": "382fed94a5329814298bb2fe0283ed3c63d2c0ff9293e69efad3950dfe08121e",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Command Shell Activity Started via RunDLL32",
|
|
"sha256": "71bbd98aa70c506906a99a90cb6f320ba14cfe6276decafe44eb330c1a9e7428",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c",
|
|
"type": "new_terms",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "37eced0f6fbe00d0d4f72c4340aafc08a0e4649d41713d82af3cbe9cdec35360",
|
|
"type": "new_terms",
|
|
"version": 311
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "1a76f0bbf93f2e947cf44f3a49de094b9821895129e1861a2e6f30b6af1e9ea1",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "b231de2975d9c748c61f7f29bd2b82eff7dc7eeb84a3b7e15858428d7acce811",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "e5c954ed07e9fd47ada5f8b7e54e8b4a9dbd25bee53943caa9897ffba3703f10",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Potential Credential Access via Trusted Developer Utility",
|
|
"sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via Trusted Developer Utility",
|
|
"sha256": "402957a0efead0143ad51d2e826e9107da5aef344e559d2c85478257a3aa15b0",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e",
|
|
"type": "new_terms",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "11b4fc95052ff2e6c25c718c92d10ff5bfcc0c4e6b2dfce4802d5ff828416772",
|
|
"type": "new_terms",
|
|
"version": 314
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "cb223017b8d3219787c5490b16190472e106e9b56b2efb8d0d5e50af116f48d0",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"9d19ece6-c20e-481a-90c5-ccca596537de": {
|
|
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
|
|
"sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
|
|
"rule_name": "Unusual Linux Process Calling the Metadata Service",
|
|
"sha256": "1c176b99688c3dfffb29f7fd942a5db17890c0e4c8507595266a7ef192f0698c",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
|
|
"rule_name": "AWS RDS DB Instance Made Public",
|
|
"sha256": "d5b10fa1230219482d9260c9b3abc29a378aad24325e84d344be2fa223a72b04",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
|
|
"rule_name": "Potential Protocol Tunneling via EarthWorm",
|
|
"sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 214,
|
|
"rule_name": "Potential Credential Access via DCSync",
|
|
"sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921",
|
|
"type": "eql",
|
|
"version": 115
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via DCSync",
|
|
"sha256": "42787461cd6ccfd67f8830817f8a5a08ce5c23299a470a46c9b4f09e6db3d307",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "9c5b42e9d0ce3be94bd99e088bd928d5dd6f6dc750cf9a67b5cb20c6067bdd0b",
|
|
"type": "new_terms",
|
|
"version": 211
|
|
},
|
|
"a00681e3-9ed6-447c-ab2c-be648821c622": {
|
|
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
|
|
"sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9",
|
|
"type": "new_terms",
|
|
"version": 312
|
|
},
|
|
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "A scheduled task was updated",
|
|
"sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "A scheduled task was updated",
|
|
"sha256": "749ba895080051e4aa8e4a2df55b64ca9fb5e99c35767bb1f288e9c07842211f",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
|
|
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
|
|
"sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
|
|
"rule_name": "GCP Pub/Sub Topic Creation",
|
|
"sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"a13167f1-eec2-4015-9631-1fee60406dcf": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "InstallUtil Process Making Network Connections",
|
|
"sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "InstallUtil Process Making Network Connections",
|
|
"sha256": "539e9bec28c5ba2b0d44bd1a2c646f203f6b4a07abe0fff58707c93fe20a2684",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
|
|
"sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
|
|
"sha256": "cbb9883d7a92a6a590c0f8f1280653d30652d6832ac8209e13d9fd8af07494bc",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Windows Subsystem for Linux Distribution Installed",
|
|
"sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Windows Subsystem for Linux Distribution Installed",
|
|
"sha256": "a67ae649a271e68ef17b80ec7a1d6cea6f39d80a5dec0803424fba96df9a9024",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Windows Subsystem for Linux Distribution Installed",
|
|
"sha256": "0e7f58671c9058c1194ab7cd3b496010e9aa320e5ca20b4bcc8b196c7fafdb4d",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
|
|
"rule_name": "GCP Virtual Private Cloud Route Deletion",
|
|
"sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
|
|
"rule_name": "My First Rule",
|
|
"sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
|
|
"rule_name": "Potential Reverse Shell Activity via Terminal",
|
|
"sha256": "93ac22092606053c77aa4f701b17b858a8cae516565cbcfb5a34494b5ade35e3",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
|
|
"rule_name": "Linux Group Creation",
|
|
"sha256": "93d8a95d1c43dedafd6cece3fab8d0b375e5a15801c84585d037fd2c7f361076",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "DNS-over-HTTPS Enabled via Registry",
|
|
"sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "DNS-over-HTTPS Enabled via Registry",
|
|
"sha256": "64d63c9fc9cd61923e9f98811c5823a1bb8a27a525a4b54b969fdd7051bb4649",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "DNS-over-HTTPS Enabled via Registry",
|
|
"sha256": "ce9a658724c78ad0fb002e88c88c00891614f43d625181cf23e6541447ff4daf",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"a22f566b-5b23-4412-880d-c6c957acd321": {
|
|
"rule_name": "AWS STS AssumeRole with New MFA Device",
|
|
"sha256": "cfb03e9127dfd2a1580d29f64f412173261e28a1c22ca8b51e484f75b870ff8c",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
|
|
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
|
|
"sha256": "5398047ac13fd35fd8a4c69163e2abbbb71741b093655d3a18a002c62544c722",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "PowerShell Mailbox Collection Script",
|
|
"sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Mailbox Collection Script",
|
|
"sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Execution via local SxS Shared Module",
|
|
"sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Execution via local SxS Shared Module",
|
|
"sha256": "2084297807278d91612b5ba01c82c2f10551b23506d0009a391feb6f63287dbf",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Execution via local SxS Shared Module",
|
|
"sha256": "1bb9e2021e6b0db51906eb89a0556e7513a62b080972cf61ad4b7dd2a7f01e2a",
|
|
"type": "eql",
|
|
"version": 308
|
|
},
|
|
"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": {
|
|
"rule_name": "AWS EC2 Instance Interaction with IAM Service",
|
|
"sha256": "17e90233a68416b545e9ec60b945d558eea63b417eebcda8d046984ca667b87c",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
|
|
"rule_name": "Windows Registry File Creation in SMB Share",
|
|
"sha256": "286b04230e047bb8f027f8d352ff9cf1d299235a13c6cac5631f289389314181",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"a52a9439-d52c-401c-be37-2785235c6547": {
|
|
"rule_name": "Netcat Listener Established Inside A Container",
|
|
"sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
|
|
"rule_name": "CAP_SYS_ADMIN Assigned to Binary",
|
|
"sha256": "00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
|
|
"rule_name": "Potential Reverse Shell via UDP",
|
|
"sha256": "107d9dba2ad9b03f457311eef2f1d29f5c30f692db76b52c0ecb7ad90cb1bba0",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
|
|
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
|
|
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
|
|
"rule_name": "Azure Active Directory PowerShell Sign-in",
|
|
"sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
|
|
"rule_name": "Threat Intel Windows Registry Indicator Match",
|
|
"sha256": "911df9a41bce872a7cd60687c487a8d1b6d05ca3e4c2748968cefb7fdc63f3b3",
|
|
"type": "threat_match",
|
|
"version": 7
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "588a86512ac13842f4f3b0dfcf78a653ee96c402aca625c9db1f793666c9479d",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "df103b761567aa84a163bf20bed5e548a1a13df931fa93006532bb57e57af65b",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
|
|
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
|
|
"sha256": "468acf9925b683cd43a8c9d55cff0117071c66f66e7c1a1dfe43b164b6cb22a2",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
|
|
"rule_name": "Emond Rules Creation or Modification",
|
|
"sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
|
|
"rule_name": "High Mean of RDP Session Duration",
|
|
"sha256": "55ef145cde18d6c08b01ce4ece7f4903351d9bdd131a8453002647a668aaa5c4",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
|
|
"rule_name": "Suspicious Print Spooler SPL File Created",
|
|
"sha256": "96b2fcbc3924d11fc9c3eed38fc768bf6f97bfe8fe667f084d210769af057164",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Credential Acquisition via Registry Hive Dumping",
|
|
"sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Credential Acquisition via Registry Hive Dumping",
|
|
"sha256": "c96159806a102e910abdca6cdd017afdce8fcae45e565867bbd1f7b43abc431b",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Credential Acquisition via Registry Hive Dumping",
|
|
"sha256": "4aaa0273cb33a2b9fccdcc176011775da2bcc37db98deab6d7b0fb2b9792a8b3",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"a80d96cd-1164-41b3-9852-ef58724be496": {
|
|
"rule_name": "Privileged Docker Container Creation",
|
|
"sha256": "5550f7f742c87f9bd39c1e4db8db24caee9b67540120dacf5f7b201023626f25",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
|
|
"rule_name": "Entra ID Device Code Auth with Broker Client",
|
|
"sha256": "1cf36e99756517a71c3c4daeef8d7ed86213399d94ede19cb11a01ad05ef7323",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
|
|
"rule_name": "Authentication via Unusual PAM Grantor",
|
|
"sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
|
|
"rule_name": "Suspicious File Downloaded from Google Drive",
|
|
"sha256": "41c537740053f42fad23d5168744e96453f28557cccc97585c0f976a10ef5178",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
|
|
"rule_name": "High Variance in RDP Session Duration",
|
|
"sha256": "f40d918cd70e374c3ea932e1a3b6c14fe1d4bea3bc082607586e660708225c9f",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
|
|
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
|
|
"sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "bfd3c37297fa730a13e90c0a7714caceda0b1c853fb40bf1f0137aa00f77bbe0",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Persistence via Hidden Run Key Detected",
|
|
"sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Hidden Run Key Detected",
|
|
"sha256": "4687afae3e7472fed3b420f99cd3124158312bfbab94cd1f7303fda1d1a139bd",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "f6ceb7d4ece3477e49b056e9dd3e833f999b2eee034004d015ed34cab40f8df5",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"aa8007f0-d1df-49ef-8520-407857594827": {
|
|
"rule_name": "GCP IAM Custom Role Creation",
|
|
"sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"aa895aea-b69c-4411-b110-8d7599634b30": {
|
|
"rule_name": "System Log File Deletion",
|
|
"sha256": "caebd910311dc1b958558375bcae2a9bd22b4ef344988046c43684e838d9d350",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Remotely Started Services via RPC",
|
|
"sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Remotely Started Services via RPC",
|
|
"sha256": "3bca920a328d271bc638274d9265324896cb1635894bb09d8c7628ee499617d2",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
|
|
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
|
|
"sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"aab184d3-72b3-4639-b242-6597c99d8bca": {
|
|
"rule_name": "Threat Intel Hash Indicator Match",
|
|
"sha256": "e1161667047c076c8d8e436e3ce9b940a7089c5cf8587b557f3b3b52119d231a",
|
|
"type": "threat_match",
|
|
"version": 8
|
|
},
|
|
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
|
|
"rule_name": "Remote Execution via File Shares",
|
|
"sha256": "93c49db43b03637f2c1d053b9f5ebcbd2776f483fe824854fae2ace948d956dd",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
|
|
"sha256": "3aff4d1d49850118022efab0afa8765485da6c1fdc1d96b20d05fca3803b18f0",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
|
"sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
|
"sha256": "41d9773b53e26197a39fa675ffa40d07b17987dd304c38336693138b0222111c",
|
|
"type": "machine_learning",
|
|
"version": 206
|
|
},
|
|
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
|
|
"rule_name": "Potential Persistence via Login Hook",
|
|
"sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 414,
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "c1b3b8d2072d918930efe998f724cf12942ee022c135971e24778f2c1821eb4f",
|
|
"type": "eql",
|
|
"version": 315
|
|
}
|
|
},
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "cf59420deb50d843084ffc3320ad39588acb649e55c3c0eb12c54b1d52a3b4aa",
|
|
"type": "eql",
|
|
"version": 415
|
|
},
|
|
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
|
|
"rule_name": "Git Hook Created or Modified",
|
|
"sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Outlook Home Page Registry Modification",
|
|
"sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Outlook Home Page Registry Modification",
|
|
"sha256": "1adad2fbaac61dd3b02e58f8271efb1177aadfc906d7c20a2a30ce2f984ae27d",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Outlook Home Page Registry Modification",
|
|
"sha256": "02cd6bf4e2e371ef2e60d5a1df762ee51868c135ad78304ce723d27a91a4c7f2",
|
|
"type": "eql",
|
|
"version": 201
|
|
},
|
|
"ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "WPS Office Exploitation via DLL Hijack",
|
|
"sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5",
|
|
"type": "eql",
|
|
"version": 1
|
|
}
|
|
},
|
|
"rule_name": "WPS Office Exploitation via DLL Hijack",
|
|
"sha256": "ffe2ee7667dba6c6d5b6c0f2e759bd20739ce00b74f2ff55cfa78eaac5c6167a",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"ac8805f6-1e08-406c-962e-3937057fa86f": {
|
|
"rule_name": "Potential Protocol Tunneling via Chisel Server",
|
|
"sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
|
|
"sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21",
|
|
"type": "query",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
|
|
"sha256": "b419d7a1beb994f9b021b2477fb9df633c75879e1523c5d9042f5f83dc1f98e0",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
|
|
"sha256": "1afdb4a51d22e7bbfd7e65b403f94fe84c4d5a15c4e64cf97eba18131439801e",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
|
|
"rule_name": "Potential Command and Control via Internet Explorer",
|
|
"sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
|
|
"rule_name": "Potential macOS SSH Brute Force Detected",
|
|
"sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9",
|
|
"type": "threshold",
|
|
"version": 108
|
|
},
|
|
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "6bedea5ed62553b3faee7de59fc7d5379a82ec9a852980276971dc29d0c0b345",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "de021f1c7c7f774f5ae581c5a8dcf13e91eaa358742311cabddc983f8bd428e0",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "be076a1dbd4f050fe7d76ce1b43d766bf6de4de026ea97dc7ed5bf45358d73cb",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "c1a7cd36ec3ec749ea82e4039eaf388f2e5733806e0aa2d62166f97dbeeeda22",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "6bf9bd74edf549ebf03a9335f3167e0a4f85aaeebdec0d566acfdbc16dd047c0",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"ad5a3757-c872-4719-8c72-12d3f08db655": {
|
|
"rule_name": "Openssl Client or Server Activity",
|
|
"sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
|
"sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d",
|
|
"type": "query",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
|
"sha256": "23c56aed37124f4d42a7e066da164226be49cc33c8358d269cb23b54daa61b9b",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
|
|
"rule_name": "Kerberos Cached Credentials Dumping",
|
|
"sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
|
|
"rule_name": "Suspicious APT Package Manager Execution",
|
|
"sha256": "4cbd3476d128aad590e86079b7e07f0db490326f4339fd74b5c8b596bee4bc0a",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"rule_name": "File Transfer or Listener Established via Netcat",
|
|
"sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
|
|
"rule_name": "Suspicious Communication App Child Process",
|
|
"sha256": "e8cf6343472cdfd3a91baaa7aed30214af872b0b163555edc8908ffd5d89a675",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
|
|
"rule_name": "Suspicious File Creation via Kworker",
|
|
"sha256": "a932bb2a7c777540aee96e3bd9ed937cff8e801ad0e9351bd907f5111f8a94c6",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
|
|
"sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 204,
|
|
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
|
|
"sha256": "bc36274c731c5231be458f7c7b13cbefb5bbe0dba08f745f6d3a65c6f02bbbf6",
|
|
"type": "eql",
|
|
"version": 105
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
|
|
"sha256": "8b17583a4547a22fa32e210797078688b3ea53cdd67f93494107cbc65d3e69ab",
|
|
"type": "eql",
|
|
"version": 205
|
|
},
|
|
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
|
|
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
|
|
"sha256": "e0f82917421c7696991e4560a68459553d9372473b32461c5f4dfefc5ad1c98a",
|
|
"type": "new_terms",
|
|
"version": 9
|
|
},
|
|
"af22d970-7106-45b4-b5e3-460d15333727": {
|
|
"rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol",
|
|
"sha256": "cb2725c021473f600c5a345ec6f8d3ff117b7ed72f2b96bd4e98d625edcfc640",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"afa135c0-a365-43ab-aa35-fd86df314a47": {
|
|
"rule_name": "Unusual User Privilege Enumeration via id",
|
|
"sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Local Scheduled Task Creation",
|
|
"sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Local Scheduled Task Creation",
|
|
"sha256": "866c1232689b9c39d30a1a03948c4544423e632af7fc8b8b42c69e4a88ca637c",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
|
|
"rule_name": "Network Activity Detected via cat",
|
|
"sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
|
|
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
|
|
"sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"b0046934-486e-462f-9487-0d4cf9e429c6": {
|
|
"rule_name": "Timestomping using Touch Command",
|
|
"sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b00bcd89-000c-4425-b94c-716ef67762f6": {
|
|
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
|
|
"sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"b0638186-4f12-48ac-83d2-47e686d08e82": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Netsh Helper DLL",
|
|
"sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 201,
|
|
"rule_name": "Netsh Helper DLL",
|
|
"sha256": "12a75647b89fa1a4bbc61d7654d7f62e6c69fd20f55ad24ff83e672bbb8ca97d",
|
|
"type": "eql",
|
|
"version": 102
|
|
}
|
|
},
|
|
"rule_name": "Netsh Helper DLL",
|
|
"sha256": "54f00272d79b87fe262ae02033486e748e84d4ab22a02b091b094c3cb456d4d5",
|
|
"type": "eql",
|
|
"version": 202
|
|
},
|
|
"b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
|
|
"rule_name": "Hidden Directory Creation via Unusual Parent",
|
|
"sha256": "9775897dddd3d5ea2fa72deb33baef8f2737925ad1d5be0ea764df8986e49111",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"b1773d05-f349-45fb-9850-287b8f92f02d": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
|
|
"sha256": "b4bb7df60780eda7a7112af699e8f9eeb886859104a14dc0c0e590d88fbdfc26",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
|
|
"rule_name": "Potential Persistence via Cron Job",
|
|
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "Potential Network Share Discovery",
|
|
"sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Network Share Discovery",
|
|
"sha256": "1eec14e34b78d05d1d54269871b6b0fffff322f1f5bba3508e37ad163c8f498e",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
|
|
"rule_name": "Spike in Network Traffic",
|
|
"sha256": "de46ac771569265cca83a3eb78ca92c48cf3478e0c49d68ffeb12dfeeaeccaf5",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
|
|
"min_stack_version": "8.13",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab",
|
|
"type": "eql",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "0c04cfa96ede82a6bbb59d8e384474d50b45f25914ae1e80b8f511c08aeb6711",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"b2951150-658f-4a60-832f-a00d1e6c6745": {
|
|
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
|
|
"sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "116a6ad1cd9cb04c665956e8d54a4b226e296be8ffbf0a20f7073e7b6329ed3a",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "a06f31bcbb968f4b0f7c2b9729c84a695e91e13c34ea63cd6aaedb3ccb06324d",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"b36c99af-b944-4509-a523-7e0fad275be1": {
|
|
"rule_name": "AWS RDS Snapshot Deleted",
|
|
"sha256": "5ef62fe38d22a4511a897c8008ac45dc5666daf58d4330f04538f49decbbeea1",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "67351b07df4aa1f47a5962233ac558f0f841b0b99dc69791d778f50a1490b724",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "0cf7c5888e6bd4702f883dc4ba471a0d9c383c885d4588e6fe1a7ff741df7a15",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "Code Signing Policy Modification Through Built-in tools",
|
|
"sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Code Signing Policy Modification Through Built-in tools",
|
|
"sha256": "8abbd6548883de2d4be1a5b3301cd6db8b4794b27c6795d260aa7bc4563dbf15",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Code Signing Policy Modification Through Built-in tools",
|
|
"sha256": "40c7f66bf4e89df1d59470f6039032a32e6991959d8e11a12649604b2ba79da1",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"b4449455-f986-4b5a-82ed-e36b129331f7": {
|
|
"rule_name": "Potential Persistence via Atom Init Script Modification",
|
|
"sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"b45ab1d2-712f-4f01-a751-df3826969807": {
|
|
"rule_name": "AWS STS GetSessionToken Abuse",
|
|
"sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"b483365c-98a8-40c0-92d8-0458ca25058a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "At.exe Command Lateral Movement",
|
|
"sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "At.exe Command Lateral Movement",
|
|
"sha256": "0faf08d3fdfac536a63dfff97a2abbd6313f1fefaf83540375468e94be91e7a0",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Delete an Okta Policy",
|
|
"sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Delete an Okta Policy",
|
|
"sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
|
|
"rule_name": "Potential Privilege Escalation via OverlayFS",
|
|
"sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"b5877334-677f-4fb9-86d5-a9721274223b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "2750851ffd550e98d2fa0f4b5654f051e62a2b807d18128b748c136fcfa2d9ce",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "4895530aff3222c2708c780f6046f091fe54c7f8ae320663a9e360501eaead98",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "f507b4e773a9237e2f79ee6904335b27b7cde346688aeee533fbdf6dfc06bf52",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "a23c2164fc398c84a3801c90a53f1caaa9b506aeb7e2200ced7b22100fbc25bf",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
|
|
"rule_name": "Systemd Service Started by Unusual Parent Process",
|
|
"sha256": "f7dabab39fc646885b39c4c9afb130a28ee22c77ab5d59c1661931a5024b5ea4",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
|
|
"rule_name": "Elastic Agent Service Terminated",
|
|
"sha256": "f3649a0d50320a3030f75006849ddad5a4d2da60d180156464fccb95ead0343d",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"b64b183e-1a76-422d-9179-7b389513e74d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Windows Script Interpreter Executing Process via WMI",
|
|
"sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "Windows Script Interpreter Executing Process via WMI",
|
|
"sha256": "4f452d9f56b62a85917e5573aa9d6ccec3f73e1f315ed4713033aa6c121baad6",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Potential Veeam Credential Access Command",
|
|
"sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 201,
|
|
"rule_name": "Potential Veeam Credential Access Command",
|
|
"sha256": "a781b7d7d5cb0610d58d9d15d1958e44ecdca51bccac374b26439493b44aa19e",
|
|
"type": "eql",
|
|
"version": 102
|
|
}
|
|
},
|
|
"rule_name": "Potential Veeam Credential Access Command",
|
|
"sha256": "72b427f54c6695f023af0e9104a96d6c24a4b1b4656b3ad7c04ec87636e4af2c",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
|
|
"sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62",
|
|
"type": "eql",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
|
|
"sha256": "af45308979a39d4eaba7f820d1065c522553f97422f59b37e1ceaa30e384f5b6",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
|
|
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
|
|
"sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Deactivate an Okta Policy",
|
|
"sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate an Okta Policy",
|
|
"sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"b7c05aaf-78c2-4558-b069-87fa25973489": {
|
|
"rule_name": "Potential Buffer Overflow Attack Detected",
|
|
"sha256": "5380c3038a2af299ccd3b033b1406b58964ffa17c1f58df16c2ef6e5cf6cb8f3",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Administrator Privileges Assigned to an Okta Group",
|
|
"sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60",
|
|
"type": "query",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Administrator Privileges Assigned to an Okta Group",
|
|
"sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff",
|
|
"type": "query",
|
|
"version": 308
|
|
},
|
|
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
|
|
"rule_name": "Linux System Information Discovery",
|
|
"sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"b8386923-b02c-4b94-986a-d223d9b01f88": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "PowerShell Invoke-NinjaCopy script",
|
|
"sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Invoke-NinjaCopy script",
|
|
"sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 410,
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "5fbb8e28328ce0d6b8eb601ed88b02aea94913e0aaac62864d73965cca3ef190",
|
|
"type": "eql",
|
|
"version": 311
|
|
}
|
|
},
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "1a2bd980116032f3b23c60f6ff7d330af67914677769ffb5257e3c4586c81cf7",
|
|
"type": "eql",
|
|
"version": 412
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266",
|
|
"type": "eql",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "2a8d4623d634d9ba410321005df48a3d01e6223aae8df69789c9d8d06ba0b095",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Kirbi File Creation",
|
|
"sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Kirbi File Creation",
|
|
"sha256": "d4bb7b621d40378ce8bd39a87d46ccfedd440b733962e100fa3813f738a80a22",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Kirbi File Creation",
|
|
"sha256": "9c52cab4c0ede53965241d9332ed5d03335a7efa2d96067f2cd95ea3844f3e1b",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "0cf05a58ea4296f5dd53393e3fa87a56decafbc24ed8a95c02173a6278d99696",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "214ce6ab3146a3459a0af3b78a456204ac356e19d633e99e5b038f6e42f1306b",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
|
|
"rule_name": "Chkconfig Service Add",
|
|
"sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
|
|
"rule_name": "Discovery of Domain Groups",
|
|
"sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
|
|
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
|
|
"sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c",
|
|
"type": "threshold",
|
|
"version": 4
|
|
},
|
|
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Group Policy Abuse for Privilege Addition",
|
|
"sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Group Policy Abuse for Privilege Addition",
|
|
"sha256": "3acd9e9b9d59edb71bdeac456f55d8a99ada6edeb583af312a886c1c4701c997",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
|
|
"sha256": "96c38ecf43de8a4a33c0288d46a9ba72c818241dbfade2a921c8c79a69ed4faf",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"b9960fef-82c6-4816-befa-44745030e917": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "bda5b68f6a9ce0faa83bde7e30a5eec3d8841869e427b86112cf0f0a52a6353d",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "9623c43706d421a241ab6b399c014dbf39d8e09e1801bf1e8527980848090a52",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"b9b14be7-b7f4-4367-9934-81f07d2f63c4": {
|
|
"rule_name": "File Creation by Cups or Foomatic-rip Child",
|
|
"sha256": "7c771e2cb6b8fc6e241c50beebc9871ffb34e29e2758e25d9042b45a8104f2b4",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "0a7119838ef1bbfcb9f54801d64f16dd3d98728399c20c2d35f94a5ce6ad4ce4",
|
|
"type": "machine_learning",
|
|
"version": 206
|
|
},
|
|
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
|
|
"rule_name": "AWS STS Role Chaining",
|
|
"sha256": "58bc4d819e8f3c20c185397da3f15f20e53974723a07372c04ba0d8368367511",
|
|
"type": "esql",
|
|
"version": 1
|
|
},
|
|
"ba81c182-4287-489d-af4d-8ae834b06040": {
|
|
"rule_name": "Kernel Driver Load by non-root User",
|
|
"sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
|
|
"sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
|
|
"sha256": "94ce634225344b3f6df8c3497393fba829c409f0d01520f34d4611a74ed8bea3",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
|
|
"rule_name": "Azure Resource Group Deletion",
|
|
"sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
|
|
"rule_name": "OneDrive Malware File Upload",
|
|
"sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
|
|
"rule_name": "Potential SYN-Based Network Scan Detected",
|
|
"sha256": "682e1b59f8cf01d5dd254c5cab6e075ed621000c6059b31845117c2d16a2ba69",
|
|
"type": "threshold",
|
|
"version": 7
|
|
},
|
|
"bbd1a775-8267-41fa-9232-20e5582596ac": {
|
|
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
|
|
"sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
|
|
"rule_name": "GCP Storage Bucket Deletion",
|
|
"sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bc0fc359-68db-421e-a435-348ced7a7f92": {
|
|
"rule_name": "Potential Privilege Escalation via Enlightenment",
|
|
"sha256": "6401927f8fccbd1a2df04a2676ccbbb51a67242c1fed8afcc893fdff0e431642",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"bc1eeacf-2972-434f-b782-3a532b100d67": {
|
|
"rule_name": "Attempt to Install Root Certificate",
|
|
"sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
|
|
"rule_name": "Azure Conditional Access Policy Modified",
|
|
"sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
|
|
"rule_name": "Potential Non-Standard Port SSH connection",
|
|
"sha256": "97bc67179bba8f6cfb7b0f1f51016d7a35525d4394522b1dff503b2777675b42",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
|
|
"rule_name": "File and Directory Permissions Modification",
|
|
"sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
|
|
"rule_name": "GCP Service Account Disabled",
|
|
"sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
|
|
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
|
|
"sha256": "41097481c1fd5da6e1bd4c66305518ee0a92846e0a69ae89fd936b10338b1c33",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"bd2c86a0-8b61-4457-ab38-96943984e889": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 214,
|
|
"rule_name": "PowerShell Keylogging Script",
|
|
"sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e",
|
|
"type": "query",
|
|
"version": 115
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Keylogging Script",
|
|
"sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b",
|
|
"type": "query",
|
|
"version": 215
|
|
},
|
|
"bd3d058d-5405-4cee-b890-337f09366ba2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Potential Defense Evasion via CMSTP.exe",
|
|
"sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Defense Evasion via CMSTP.exe",
|
|
"sha256": "1b379c5cbede7bf2589191a432c64ff0cec22ff6311e672094cd7adfdb312095",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Suspicious Print Spooler Point and Print DLL",
|
|
"sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Print Spooler Point and Print DLL",
|
|
"sha256": "db7cf9c80bdb8b5893f2f43e48a7d7df98a942bf350a50d63170ac69fa939a6f",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
|
|
"rule_name": "Potential Pspy Process Monitoring Detected",
|
|
"sha256": "208ae3e9f868bf1cce7eb02281964c937adbfde045a989a1092be5f6762da5f5",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"bdcf646b-08d4-492c-870a-6c04e3700034": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
|
|
"sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
|
|
"sha256": "648bf202efc778e1ea44b6f4bc7c7ed4bc604a577fcc05f919cf3c4039e47be7",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"bdfaddc4-4438-48b4-bc43-9f5cf8151c46": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.13": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Execution via Windows Command Debugging Utility",
|
|
"sha256": "fa9ae9a7e20aab6c162d2e5a0efe0f3abacb8e51ecc0dfde0e1e9ada66b911e5",
|
|
"type": "eql",
|
|
"version": 1
|
|
}
|
|
},
|
|
"rule_name": "Execution via Windows Command Debugging Utility",
|
|
"sha256": "de2a9f336f392f64c5a8f2b0a31498085b0ef328787d7393babf01a457d396ae",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
|
|
"sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
|
|
"sha256": "33fbe922a809500b90b0b747bca167cf62c51e06ababa878a628223092488470",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
|
|
"rule_name": "Unusual Remote File Directory",
|
|
"sha256": "7b9570bb0ddabacbeccf2b03bf6ea05d0ed3a286165e5b807313c17531ac9116",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "db1f6c9c5239a78f6c915ce9494aaffcf9463f9e6f0dd22ae5f13015228ec267",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "f4689b888fd798880d919b9f8ffbd6b0e6a45d941a01ac44077e773d933a4b5b",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
|
|
"rule_name": "AWS RDS DB Instance Restored",
|
|
"sha256": "0703a09b818a7309df61f2173cfadcdd04899c0f597c70caebec0a6a7a077968",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
|
|
"rule_name": "System Owner/User Discovery Linux",
|
|
"sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"bfba5158-1fd6-4937-a205-77d96213b341": {
|
|
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
|
|
"sha256": "c3cf350e861be02338f712fd3772691bcefeb7f7d07e9718eec2fbc3476c707e",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
|
|
"sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
|
|
"sha256": "68ed471fcd146543d06d0854313cc5aa6f1e0cd02ff5805bce530ea781ab8d55",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
|
|
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
|
|
"sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "46f5dedea1c425098d98714b5c270d6a19a1448ac58d30298bfc61ed75871e39",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "22c604dcead155c536a23f4687ff4c4ff12c55e14328e455fe26c9d245f4db2f",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
|
|
"rule_name": "Memory Dump File with Unusual Extension",
|
|
"sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
|
|
"sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
|
|
"sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
|
|
"sha256": "e35fdfd50d3dc2bb04494da7e86463de8df7262df4dc0e66fda0ce85c0784cb4",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
|
|
"rule_name": "Suspicious Renaming of ESXI index.html File",
|
|
"sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"c1812764-0788-470f-8e74-eb4a14d47573": {
|
|
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
|
|
"sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
|
|
"rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance",
|
|
"sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
|
|
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
|
|
"sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
|
|
"rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
|
|
"sha256": "7eaafe9a1859aea975f3a42c61875d9938e374647239d4b28ad396c47e79b439",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "75e92ba876a46ba416822bbfaaed256d7fa604ac8d9cdcaebf4485f15cd91632",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "6d389db925ca6ff91bfe40b09dda0749379ddfca071421d7cd921cb6eda3b48c",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
|
|
"rule_name": "Unusual Linux Network Connection Discovery",
|
|
"sha256": "7d982bb13ae1a04e1debe5ea0265e3e5d576b25838f8bd13877d6c5a1b77a681",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"c292fa52-4115-408a-b897-e14f684b3cb7": {
|
|
"rule_name": "Persistence via Folder Action Script",
|
|
"sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
|
|
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
|
|
"sha256": "ea98f3aeb649cfc57e8d9c4a04ecb8f4599dd683fc28415e8146ca925c02d14d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"c2d90150-0133-451c-a783-533e736c12d7": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "9f77b2b2eebd6e08c007e73536752a8651c85bccde0c72303282ccb671a8ed42",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"rule_name": "Permission Theft - Detected - Elastic Endgame",
|
|
"sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
|
|
"rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
|
|
"sha256": "0708e23a034fee01df470474eaa8c8f2f7a058631b83a0987e39af15bc538007",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 409,
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "3ee641a856aab0e4e1f23e3bb55717a5567eef2d8e52cd2264595fff36224273",
|
|
"type": "eql",
|
|
"version": 310
|
|
}
|
|
},
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "84190df73efbeee30c435b862e6339cd80ea290b44deb8a5717118537039b954",
|
|
"type": "eql",
|
|
"version": 410
|
|
},
|
|
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
|
|
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
|
|
"sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "050a77ee2d2b2c854c6320a07694f747e48b09086e2645e5e46e63cda03729f0",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "d8d527c314b2a860bfd447d4f890c361324c76dafb9094cb24b83ce8992a998c",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 306,
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "8895e76598306332603174aa736fad580b191085cfa16e063a5e68dd62cfd102",
|
|
"type": "eql",
|
|
"version": 207
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "471171679c1f48fa93954b8787198a0094598e326a0f6c24ae1b22c07b40251d",
|
|
"type": "eql",
|
|
"version": 307
|
|
},
|
|
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
|
|
"rule_name": "Windows System Network Connections Discovery",
|
|
"sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"c55badd3-3e61-4292-836f-56209dc8a601": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "Attempted Private Key Access",
|
|
"sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Attempted Private Key Access",
|
|
"sha256": "a4672a225e05abdfbd91924298f689eb56da9ff55c0db55ca1f87d7ca8bdd3d9",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c5677997-f75b-4cda-b830-a75920514096": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "Service Path Modification via sc.exe",
|
|
"sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Service Path Modification via sc.exe",
|
|
"sha256": "68a44067c32fb88cc99fc0e545ddfb866037e9bc40ee5f130d2798f03f4e94aa",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c57f8579-e2a5-4804-847f-f2732edc5156": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "d7461fda5a82259331589a9df2a3a7f39630bc5f8e08c25f2190e7f8bfb1ae29",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "9f78c640ad25e83eafe47ad5226ce12c169358048d03ffb119f9b94df969c3e5",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
|
|
"rule_name": "GCP Virtual Private Cloud Network Deletion",
|
|
"sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
|
"sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
|
"sha256": "7c57916d4cbeb0fde51ef91819b1a5011019694b631ce8c734dd6aae5bede3c6",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "71bfefdca279f32dd86cd0b316f2315947b2489ae20e1246bbe17df82f6004e9",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "ae8bc9d069de44bffb8c71f3b18a9843bb54f74eec29f1e1cdd40651771676a0",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "234ab55015e205be9f494759489e7407d97a9587f61784858ec614d199b4599e",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "e8f809976fd19dc1921f285ff28a22407baf1aac6f21a7d4d2b1377a3770de14",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
|
|
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
|
|
"sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "5ee5259c1f1e782f05ada777a136193574b44d4a693c38ad33781b6996a42ee3",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "a8f43c737d22256ef316daf60178182defb4bff24396c497fb6d3b777514ab10",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
|
|
"sha256": "6ab179e3a47d3f25210c43b3d5af0d43eb7a3cac375c01c3181c75c095864ccb",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"c749e367-a069-4a73-b1f2-43a3798153ad": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Delete an Okta Network Zone",
|
|
"sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Delete an Okta Network Zone",
|
|
"sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Attempt to Modify an Okta Application",
|
|
"sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd",
|
|
"type": "query",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Modify an Okta Application",
|
|
"sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010",
|
|
"type": "query",
|
|
"version": 308
|
|
},
|
|
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
|
|
"rule_name": "Egress Connection from Entrypoint in Container",
|
|
"sha256": "316a1006bad5109ad8ef036d4b8ba5142bcc0cd4822c7c4c0e3f4852e1860f20",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"c7894234-7814-44c2-92a9-f7d851ea246a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Unusual Network Connection via DllHost",
|
|
"sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Unusual Network Connection via DllHost",
|
|
"sha256": "2ec487d2c8aa01cad9488f877c4a770ba69fb9065a728c79edf06e8c31aaf20f",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "3220434ae7ebd56669033cb648bf9d422b8aec1fb59053d8472bcb7a69abf1a1",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "84418134bc5c4c6ecc1151adcb9fbc62839c51dd865a24dc270d5f1d3dc50363",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
|
|
"rule_name": "Spike in Network Traffic To a Country",
|
|
"sha256": "f4b60bfd164d4de31f46f95a825acf02d2de3a0105fbea2b689f27ab7e13639c",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
|
|
"rule_name": "Persistence via Docker Shortcut Modification",
|
|
"sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "801e97235c25019c80a78237b5ef98ff66883e7e236ae9ff293f74ec6ae09aad",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
|
|
"rule_name": "SMB Connections via LOLBin or Untrusted Process",
|
|
"sha256": "5d272b19dcb9cdb2beaf0e6124ebad3b1ecfd48dab9d60987f7ef8bc5bab5318",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
|
|
"rule_name": "Virtual Machine Fingerprinting via Grep",
|
|
"sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"rule_name": "Nmap Process Activity",
|
|
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
|
|
"rule_name": "Parent Process PID Spoofing",
|
|
"sha256": "b829c4a07bfb5c509b1c4bd6241656300dcb169905e9882e8e5c905f621f03d4",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
|
|
"rule_name": "Potential Linux Ransomware Note Creation Detected",
|
|
"sha256": "beed8f315f35277cafc2f3c69e1efaa6dbb44c60c2a4898cb869bbccef4035c9",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "d67260cfe20ef2ee8eb9e8acf13d36352e2608a38716e5270b57bd531fec9191",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "d560617a0b7c26d4a8f02dc76d6e3f106206eddf439a88ea24de0dc33126e896",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "d5e6366373a4f2a5a6d949519a1a95eb5bb692aeee5d81396c80291f549e176d",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "83f572dcc38a77f73655b953ffcf03ce0b0b5d017a8528b7163012096212f4f7",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
|
|
"rule_name": "Potential Masquerading as Communication Apps",
|
|
"sha256": "de1eb0970073590a08bf755681e729281d7d797a171493a9134023136554d391",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
|
|
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
|
|
"sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
|
|
"sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
|
|
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
|
|
"sha256": "0f0023fc74fadd22887ee74c13f93f0c5174f8b66d140965587e4972eb2d3647",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
|
|
"rule_name": "Auditd Login from Forbidden Location",
|
|
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cac91072-d165-11ec-a764-f661ea17fbce": {
|
|
"rule_name": "Abnormal Process ID or Lock File Created",
|
|
"sha256": "a8cbba8e757bacc0d4a491555d42b7d66a7d1eec1394da1a8f1cddfd82cf5bb9",
|
|
"type": "new_terms",
|
|
"version": 214
|
|
},
|
|
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "9cb65197a2a807ee18542e7b91472f606e5474f4bddf8b96b4ae78bf72a1a3d0",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
|
|
"rule_name": "Suspicious Calendar File Modification",
|
|
"sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
|
|
"rule_name": "Attempt to Enable the Root Account",
|
|
"sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
|
|
"sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
|
|
"type": "threshold",
|
|
"version": 2
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
|
|
"sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f",
|
|
"type": "esql",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
|
|
"sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f",
|
|
"type": "esql",
|
|
"version": 204
|
|
},
|
|
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
|
|
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
|
|
"sha256": "332626f80c0a809547d1b86248b4ac5acc33ad7dd090fb4c94596b699126f751",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "8457814fe9b8ebb61a453ee3027bcd060740b1a39f87c180f5897bf3d8fbc861",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
|
|
"rule_name": "GCP Pub/Sub Subscription Deletion",
|
|
"sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
|
|
"sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf",
|
|
"type": "query",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
|
|
"sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e",
|
|
"type": "query",
|
|
"version": 310
|
|
},
|
|
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
|
|
"rule_name": "Potential Process Herpaderping Attempt",
|
|
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"rule_name": "Socat Process Activity",
|
|
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
|
|
"rule_name": "Anomalous Linux Compiler Activity",
|
|
"sha256": "71e437f699c5d256f96075db61c66ace40b1ed47dd875360db1c99de905bff79",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
|
|
"rule_name": "Downloaded URL Files",
|
|
"sha256": "96627951c8f79991a7e7ad2d73372aa5abe51ca5b57851c08dd650ab77f12760",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
|
|
"sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
|
|
"sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Okta User Session Impersonation",
|
|
"sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7",
|
|
"type": "query",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Okta User Session Impersonation",
|
|
"sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4",
|
|
"type": "query",
|
|
"version": 310
|
|
},
|
|
"cde1bafa-9f01-4f43-a872-605b678968b0": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 110,
|
|
"rule_name": "Potential PowerShell HackTool Script by Function Names",
|
|
"sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
|
|
"type": "query",
|
|
"version": 11
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Potential PowerShell HackTool Script by Function Names",
|
|
"sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b",
|
|
"type": "query",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Potential PowerShell HackTool Script by Function Names",
|
|
"sha256": "6262fc93d9b9ad2723c123c69d5d878e62bdec2dc156698f9ad18a818677df0c",
|
|
"type": "query",
|
|
"version": 213
|
|
},
|
|
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
|
|
"rule_name": "Shadow File Modification",
|
|
"sha256": "ab59547a675e69ef560b0060dc95a158b1e98d40da959d1e6102a4474c39afbe",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
|
|
"sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
|
|
"sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "3124a4ec07d5162829476ceebb62530a7ed736152f13b37c55791b32ecf351b4",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "306a951d4400b5b1612097ba11a9eeaaa71e1d40a54b3f80d5a82ad3660c4b84",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
|
|
"rule_name": "Cobalt Strike Command and Control Beacon",
|
|
"sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "f9935260008893683196e7baade711c8c71a9faf9ece159608690d70c3a3e57c",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"cf575427-0839-4c69-a9e6-99fde02606f3": {
|
|
"rule_name": "Unusual Discovery Activity by User",
|
|
"sha256": "dafdfd21513074cd259693095b1481af24714117026e81c38a454cfa19780230",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
|
|
"rule_name": "Trap Signals Execution",
|
|
"sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "bb4695e9b2608cae2d13b3bd01ab45072258c75394dfc44f816bf2516ec760d7",
|
|
"type": "eql",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "c89e2ffe082dc78f5ead10fa743f39ea35e1333b8a50a74298ef5d9b66ff1397",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
|
|
"rule_name": "Archive File with Unusual Extension",
|
|
"sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
|
|
"rule_name": "Namespace Manipulation Using Unshare",
|
|
"sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
|
|
"rule_name": "AWS Credentials Searched For Inside A Container",
|
|
"sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "a6887e5edda607f541eedcf84f05242bf6d66840c91d08ea1cf84fc80283fa70",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "fe172ebb9b9cc09ac3418473f8bbbe1fd438fc8c7f5e2711984cb8c781070f18",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "37145c723b473d65d0bb500dc4e602e9be53c701bebccba958554a5992032cba",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "3034865be9da254728b4d1468ec5c2ffa3dfc305f180a77e47c5b69a916508fa",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
|
|
"rule_name": "Expired or Revoked Driver Loaded",
|
|
"sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"d197478e-39f0-4347-a22f-ba654718b148": {
|
|
"rule_name": "Compression DLL Loaded by Unusual Process",
|
|
"sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
|
|
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
|
|
"sha256": "16a5255bebd2dbea413bcd674ddbbe9fc7c0e8a6c372b513b9a452bba2274d8a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
|
|
"rule_name": "Potential Microsoft Office Sandbox Evasion",
|
|
"sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "b4d0f51e31276b87a2d2f365694f02f3826550163ef41d500b69e5a188479123",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "daa4ee75ef9d319d9fe60c708f314fa2358cc48334270374e0b5c8222d5352ab",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "6d45b9b9acf8b31cca0f0c7d70ffd9e42c69b4f9ddbc0db1fa912fc154bf735a",
|
|
"type": "eql",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "10c1f03793fcb8bad9555616905d87289a0f11c3a96622a566e66223f9df88a3",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Remote Windows Service Installed",
|
|
"sha256": "d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Remote Windows Service Installed",
|
|
"sha256": "7483da5c5a66152f79d48484ff586847c93f9cd9f44c51048e4dcdfbbf18bc12",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"d3551433-782f-4e22-bbea-c816af2d41c6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "WMI WBEMTEST Utility Execution",
|
|
"sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "WMI WBEMTEST Utility Execution",
|
|
"sha256": "5f491cb250197e96f8b04303127d25ac73bfa4d6a8c4f391c9557212b28adb50",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
|
|
"rule_name": "Shell Execution via Apple Scripting",
|
|
"sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"d488f026-7907-4f56-ad51-742feb3db01c": {
|
|
"rule_name": "AWS S3 Bucket Replicated to Another Account",
|
|
"sha256": "fc10d87ef74b91aafdf6f789f6c0f7602e2a1f222d20a3433c18424042268f55",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Attempt to Delete an Okta Application",
|
|
"sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb",
|
|
"type": "query",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Delete an Okta Application",
|
|
"sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d",
|
|
"type": "query",
|
|
"version": 308
|
|
},
|
|
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
|
|
"rule_name": "Unusual Linux System Information Discovery Activity",
|
|
"sha256": "a740cf8d2af1163a0caf8571d1fa427c9ffbb89c38d76d67e0c2b0c96f6a6eec",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
|
|
"rule_name": "Unusual Source IP for a User to Logon from",
|
|
"sha256": "52036d5d366833aa7013ae971eb5ed3ed41df8bea6cf821f0e49dbd0a551fa1d",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
|
|
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
|
|
"sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
|
|
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
|
|
"sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"d55abdfb-5384-402b-add4-6c401501b0c3": {
|
|
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
|
|
"sha256": "f6afb5d7d43edf7f2bb60691606cbc408d2e5790f4939177bdf5b9822c465fff",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "ccd6f0e1dc7444cd01f7f1273379600f001c8ba2608cd8c1e4744f5de3f677a1",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "b882bc3921a13712f0db559c292b13772f12aaeb5673711e227685ccad9e7c56",
|
|
"type": "eql",
|
|
"version": 308
|
|
},
|
|
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Delete an Okta Policy Rule",
|
|
"sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Delete an Okta Policy Rule",
|
|
"sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "17f85cbe91c6b5fdcfe53a17b2b99e0ecb72d024dd472cbc509963acec2b5ace",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
|
|
"rule_name": "Unusual DPKG Execution",
|
|
"sha256": "24402d8ab6122a577c5617dca6a28ef35fbfe7ce2ff4051aaed28f9fd8640891",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
|
|
"rule_name": "AWS CloudWatch Log Stream Deletion",
|
|
"sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
|
|
"rule_name": "GCP Pub/Sub Subscription Creation",
|
|
"sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"rule_name": "Strace Process Activity",
|
|
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 113,
|
|
"rule_name": "System Information Discovery via Windows Command Shell",
|
|
"sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "System Information Discovery via Windows Command Shell",
|
|
"sha256": "a509788cd40ec1f0f0af9c860a4dbb6f77a05421428008e91c1619cf410ee20e",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
|
|
"sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Modification of WDigest Security Provider",
|
|
"sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Modification of WDigest Security Provider",
|
|
"sha256": "b9a559838a1a99dc2394f88550d8bf2acd150203179bbe5aa432e9d0d8569049",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "7c19ee463ecfc62c87fee685189cb441ee9abfb2ea897009a6c11ee131b6ede9",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "17eea5871c73f5fb356a051968d7cb36bd835774aeff070acb752283235c8009",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
|
|
"sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"d74d6506-427a-4790-b170-0c2a6ddac799": {
|
|
"rule_name": "Suspicious Memory grep Activity",
|
|
"sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
|
|
"rule_name": "SystemKey Access via Command Line",
|
|
"sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"d76b02ef-fc95-4001-9297-01cb7412232f": {
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
|
|
"rule_name": "Azure Blob Permissions Modification",
|
|
"sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
|
|
"rule_name": "Spike in Logon Events",
|
|
"sha256": "c88f7b8030359f06613e9c7fd1bf60b5c1e8f86f7d7febccd34c7969e1077bbc",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "fafc9b93a08a48425d81e9b8d77c65427d4a0059c9002836e7cd43db72fb0365",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
|
|
"rule_name": "Untrusted Driver Loaded",
|
|
"sha256": "c22a4b5aaf9a5211781fbafa109ec85e7094f3b473efa585e2dafa6bd86b481d",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
|
|
"rule_name": "AWS IAM Deactivation of MFA Device",
|
|
"sha256": "45efd7d53f83838ba357aa1bfb387f4c2489612adc924437d1f1953cf68c6d7f",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"d93e61db-82d6-4095-99aa-714988118064": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "NTDS Dump via Wbadmin",
|
|
"sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 201,
|
|
"rule_name": "NTDS Dump via Wbadmin",
|
|
"sha256": "9a7aecff18c2b2c03fb09f108eb19cf4062741ef26df0abd91a13a980b793f8d",
|
|
"type": "eql",
|
|
"version": 102
|
|
}
|
|
},
|
|
"rule_name": "NTDS Dump via Wbadmin",
|
|
"sha256": "0c9ca98240f1da76e24997c3f0e416ba94169679df7c594faaded88c0928357d",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "b0c3e97ff9361dd6edacb9ed48e4b541387b984a265fa98d119adee51577458d",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "21e3bb58844ec1cf781a8dc4fabc5dd00365515d481779308fbe721a11082c50",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Suspicious Windows Command Shell Arguments",
|
|
"sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Suspicious Windows Command Shell Arguments",
|
|
"sha256": "4100ea91fd5746ceabc0b3056bf622961cb4e56a6733775ccb8b74fc1394d4ff",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Windows Command Shell Arguments",
|
|
"sha256": "f14448c067e0a0e0be1f51976cbc11fff0b37b0f5da3205c8afde1ae167e0eec",
|
|
"type": "eql",
|
|
"version": 201
|
|
},
|
|
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 110,
|
|
"rule_name": "Code Signing Policy Modification Through Registry",
|
|
"sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Code Signing Policy Modification Through Registry",
|
|
"sha256": "d9efb6f5bfab991a95e185da00b9c3797f891983b8b396c9d7dbf292e759abe7",
|
|
"type": "eql",
|
|
"version": 111
|
|
}
|
|
},
|
|
"rule_name": "Code Signing Policy Modification Through Registry",
|
|
"sha256": "cf52711a1189dd89d5cc0b35fc53b8cf7cf58f927144ecd794a969dd6245ad54",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
|
|
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
|
|
"sha256": "84e89ef6464acb25c59d3bbb6ebd82d470bd3a6ad2ea4cb023ea9406ce17b797",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 109,
|
|
"rule_name": "Suspicious Service was Installed in the System",
|
|
"sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Service was Installed in the System",
|
|
"sha256": "4a237b6a951c3e4530bac7e5c14e1b5270fc7263a9cc7b53c6355f05422701df",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
|
|
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
|
|
"sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
|
|
"sha256": "605a26973cce40e167abba5375124060d5ae04432693969be8b5bee370e4185e",
|
|
"type": "new_terms",
|
|
"version": 106
|
|
},
|
|
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
|
|
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
|
|
"sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Network-Level Authentication (NLA) Disabled",
|
|
"sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Network-Level Authentication (NLA) Disabled",
|
|
"sha256": "ea295acc9a2c0d920da2e8cd84ded801c713a06ad473c948126091def230b5ad",
|
|
"type": "eql",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Network-Level Authentication (NLA) Disabled",
|
|
"sha256": "452e5fbee79ceeb158518545ac367412757396a660f25ecf4e8940a04976f311",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Execution via Windows Subsystem for Linux",
|
|
"sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Execution via Windows Subsystem for Linux",
|
|
"sha256": "7d866450dcc8e535903a7e7d28333859b7c1e5b20cf243b9885c0ba2fd3e3bfa",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Execution via Windows Subsystem for Linux",
|
|
"sha256": "d238242db88c4dffe3b45b6338748daa6638b409ae25dcebf555dc5fbd22ef37",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
|
|
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
|
|
"sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
|
|
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
|
|
"sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"dc61f382-dc0c-4cc0-a845-069f2a071704": {
|
|
"rule_name": "Git Hook Command Execution",
|
|
"sha256": "343b1b3846b8995220cd5a2462610b56200a929f418593766ed4d6be59d611c6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
|
|
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
|
|
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
|
|
"type": "threat_match",
|
|
"version": 100
|
|
},
|
|
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
|
|
"rule_name": "Potential Hidden Process via Mount Hidepid",
|
|
"sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "fc94eadae513c2cc5d7926f9b29162dc04e94539951f7b86fd3bdd9832ca46db",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "6c79aab936e1fe25141e3e984b8d2113e9aa91ff99605c1bfd90084361126379",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"dca28dee-c999-400f-b640-50a081cc0fd1": {
|
|
"rule_name": "Unusual Country For an AWS Command",
|
|
"sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Suspicious Execution from INET Cache",
|
|
"sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Suspicious Execution from INET Cache",
|
|
"sha256": "ff4e6f8fc8ffdad46c9ca8403e225098989a5548343270fe5420b6a1021d3fbf",
|
|
"type": "eql",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution from INET Cache",
|
|
"sha256": "6a04f4ffaa5c40018c58ab7ef7d0b4986d678da98c9dd78706e4c645c8bc71a5",
|
|
"type": "eql",
|
|
"version": 204
|
|
},
|
|
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Attempt to Install Kali Linux via WSL",
|
|
"sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Attempt to Install Kali Linux via WSL",
|
|
"sha256": "db373be5d72255dcfc03d21367e6a23f15576fe50874ec53d75ff7edf26e222d",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Install Kali Linux via WSL",
|
|
"sha256": "eb5782b9024f97b13ced9ed9a27e3af47b54101824f8592c383c4fa46f18bcb1",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"dd52d45a-4602-4195-9018-ebe0f219c273": {
|
|
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
|
|
"sha256": "9d09534c9e25cb62cc2ac0983ac2a41afb47c19dfec4625145ed0922d5c490d6",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
|
|
"rule_name": "Reverse Shell Created via Named Pipe",
|
|
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "6581546aba5c9cbdb29e1998c5b3ce1a10bba7abbbdf5036de332cc395e4d74b",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "50633d69f921b67ff24e8f6a63aef23b74ed335c0104445871dbc3945e3af63c",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
|
|
"sha256": "400a598f9f5f9aa9ee82ed31b38bfeea4491ad833f44cc808bb637777e55b74e",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "a7b99e7aa7cbd5a81b8013087a2b9fccead7841f4219882418dcbd63763d3608",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "cbc93e8df0c9561bcf71aa5c1c047699a17c624200c322609b788853594cca6a",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
|
|
"rule_name": "Query Registry using Built-in Tools",
|
|
"sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd",
|
|
"type": "new_terms",
|
|
"version": 105
|
|
},
|
|
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
|
|
"rule_name": "First Time Seen Driver Loaded",
|
|
"sha256": "1faad3f27c89ce87b1a4f9ba8d28fcd968f1da207d94216c3e71a09884db6eb8",
|
|
"type": "new_terms",
|
|
"version": 8
|
|
},
|
|
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "d328e86d5da5551f9015b551689158237ac673a65a0d2980967ff93f1b9638b3",
|
|
"type": "machine_learning",
|
|
"version": 206
|
|
},
|
|
"df26fd74-1baa-4479-b42e-48da84642330": {
|
|
"rule_name": "Azure Automation Account Created",
|
|
"sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
|
|
"rule_name": "Dynamic Linker Copy",
|
|
"sha256": "c492826e8eb6d6b4fbae1dfc5820adbdcbc847d6f88fbf1e57c06d347b0d6c4f",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "0aa047864e74cf8a18fe9dd039cc10fc1cfadcd1b2b98de5cfedf9afe1c98251",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
|
|
"sha256": "87f99fdccd4153758ed878449ec6d1fd72e56f20cd92bda5b802fe99fd9856e1",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "Potential privilege escalation via CVE-2022-38028",
|
|
"sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Potential privilege escalation via CVE-2022-38028",
|
|
"sha256": "7b6acf6b548474373227dfe0d95525762951ea112531f064e226bb790080e8b1",
|
|
"type": "eql",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Potential privilege escalation via CVE-2022-38028",
|
|
"sha256": "d0fe93377143f6c21a5d7bacce642eca85c15341cbdd34b6b4254173a819008c",
|
|
"type": "eql",
|
|
"version": 203
|
|
},
|
|
"e00b8d49-632f-4dc6-94a5-76153a481915": {
|
|
"rule_name": "Delayed Execution via Ping",
|
|
"sha256": "da0cf4affe1558ec93cbb7b96eac795d58a8770bcb564ff0b2021a7f7622eceb",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
|
|
"rule_name": "Azure Firewall Policy Deletion",
|
|
"sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "KRBTGT Delegation Backdoor",
|
|
"sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "KRBTGT Delegation Backdoor",
|
|
"sha256": "d73db62405efc39a8ad58641974ba0785e0ae2f01440c19c88e84e81a194593a",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "System Service Discovery through built-in Windows Utilities",
|
|
"sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "System Service Discovery through built-in Windows Utilities",
|
|
"sha256": "d82fcf936af322fa2da05ceac8ec3a4994a372bf58f8664d1345e0dddc57d275",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068",
|
|
"type": "threshold",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238",
|
|
"type": "threshold",
|
|
"version": 311
|
|
},
|
|
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
|
|
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
|
|
"sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
|
|
"rule_name": "Whitespace Padding in Process Command Line",
|
|
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e0f36de1-0342-453d-95a9-a068b257b053": {
|
|
"rule_name": "Azure Event Hub Deletion",
|
|
"sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
|
|
"rule_name": "AWS Route Table Created",
|
|
"sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
|
|
"rule_name": "AWS RDS Cluster Creation",
|
|
"sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"e1db8899-97c1-4851-8993-3a3265353601": {
|
|
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
|
|
"sha256": "18d369e85745dfad874fe33bb6e7faff482e843a231c6c456cd2668d675040bb",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"e2258f48-ba75-4248-951b-7c885edf18c2": {
|
|
"rule_name": "Suspicious Mining Process Creation Event",
|
|
"sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
|
|
"rule_name": "Spike in Successful Logon Events from a Source IP",
|
|
"sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
|
|
"type": "query",
|
|
"version": 112
|
|
},
|
|
"8.12": {
|
|
"max_allowable_version": 315,
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2",
|
|
"type": "query",
|
|
"version": 216
|
|
}
|
|
},
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "ca835ae54902b43b43600be560e50e3ec172b5bab2d1419520717665a9b443e8",
|
|
"type": "query",
|
|
"version": 316
|
|
},
|
|
"e28b8093-833b-4eda-b877-0873d134cf3c": {
|
|
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
|
|
"sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
|
|
"min_stack_version": "8.12",
|
|
"rule_name": "Suspicious pbpaste High Volume Activity",
|
|
"sha256": "a4c8f8bfde8a3b923156ef450b75f64bc7fe03e04671221bd7040e12c3e98c02",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
|
|
"rule_name": "AWS Management Console Root Login",
|
|
"sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
|
|
"rule_name": "System Network Connections Discovery",
|
|
"sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
|
|
"sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
|
|
"sha256": "e20728e2d7fdb11e0c89fe8b59339217c06311f3e887ecc68c878ac02e342c43",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
|
|
"sha256": "e700c3aa1868cdab411187bb9463c15130cb104b333c4aeca0f322d52bfbe885",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff",
|
|
"type": "eql",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "a02677e7cd9c71dad3cf902389ff330aa11d7e30af8f5186022a8942cbd0a39b",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
|
|
"rule_name": "GCP IAM Role Deletion",
|
|
"sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e302e6c3-448c-4243-8d9b-d41da70db582": {
|
|
"rule_name": "Potential Data Splitting Detected",
|
|
"sha256": "e9c73adb2c1f6cce1863d61a9079baab27593eb754bed9dfb7462a2a0e757dfa",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "b2ec162d5e1153e3aec75388d239610723efecf8e84f07bed191977174467f88",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "af6bff4d9b0f88e5cadd6ce1f24e77dac8a706d375a23109a8c681c97c6b4706",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"e3c27562-709a-42bd-82f2-3ed926cced19": {
|
|
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
|
|
"sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
|
|
"rule_name": "Ransomware - Prevented - Elastic Endgame",
|
|
"sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
|
"sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
|
"sha256": "b96e61601debc0c2b8731cd56031412334418497e035336cb8c471af5f70b60f",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
|
|
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
|
|
"sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "First Time Seen NewCredentials Logon Process",
|
|
"sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "First Time Seen NewCredentials Logon Process",
|
|
"sha256": "ffe14ac65dfa2a8820245873c21a9e1c00089649ed9d3be35102f434e3824639",
|
|
"type": "new_terms",
|
|
"version": 105
|
|
},
|
|
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Modify an Okta Network Zone",
|
|
"sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Modify an Okta Network Zone",
|
|
"sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Service Creation via Local Kerberos Authentication",
|
|
"sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d",
|
|
"type": "eql",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Service Creation via Local Kerberos Authentication",
|
|
"sha256": "9eb77e0dda391b5aa9d210c7d318596248ca59b969e138c7cfa6d9a2fcfd72ad",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Kerberos Pre-authentication Disabled for User",
|
|
"sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03",
|
|
"type": "query",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Kerberos Pre-authentication Disabled for User",
|
|
"sha256": "aad6c2b791f2afc079b2ed0ef7a166717dc6a09cc6de90722d6ebf150ddc70fb",
|
|
"type": "query",
|
|
"version": 213
|
|
},
|
|
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "c208e0210c900747a4eaa68c93e32df981d3e2f5bb72a17177582c3b6ea60501",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
|
|
"rule_name": "Bash Shell Profile Modification",
|
|
"sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
|
|
"rule_name": "Authorization Plugin Modification",
|
|
"sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
|
|
"type": "query",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579",
|
|
"type": "query",
|
|
"version": 308
|
|
},
|
|
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
|
|
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
|
|
"sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"e7075e8d-a966-458e-a183-85cd331af255": {
|
|
"rule_name": "Default Cobalt Strike Team Server Certificate",
|
|
"sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
|
|
"rule_name": "Potential Credential Access via Memory Dump File Creation",
|
|
"sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Execution of Persistent Suspicious Program",
|
|
"sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Execution of Persistent Suspicious Program",
|
|
"sha256": "a7f9e12e26f22539b2c1e4f2c784361d72a1bbc261ff0bc1fa9ba30bb48845a1",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Suspicious WMI Event Subscription Created",
|
|
"sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20",
|
|
"type": "eql",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Suspicious WMI Event Subscription Created",
|
|
"sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
|
|
"rule_name": "Potential Windows Session Hijacking via CcmExec",
|
|
"sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
|
|
"rule_name": "Unusual Process For MSSQL Service Accounts",
|
|
"sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Unusual Execution via Microsoft Common Console File",
|
|
"sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Unusual Execution via Microsoft Common Console File",
|
|
"sha256": "8aa16b6d5c72cbd8db236cecb394fdb3419409a9334e5de3e489cba322b17da1",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Unusual Execution via Microsoft Common Console File",
|
|
"sha256": "91c9567bb907691834edbcbf81478eea228783238516ba4840d2a6678945a3f7",
|
|
"type": "eql",
|
|
"version": 201
|
|
},
|
|
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
|
|
"rule_name": "Potential Linux Credential Dumping via Unshadow",
|
|
"sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"e7cd5982-17c8-4959-874c-633acde7d426": {
|
|
"rule_name": "AWS Route Table Modified or Deleted",
|
|
"sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
|
|
"rule_name": "Network Connection by Cups or Foomatic-rip Child",
|
|
"sha256": "5537d2a44f881bfebdb8606aac6d5674c620607d55bb4822209da2cb5f3caa40",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Service Control Spawned via Script Interpreter",
|
|
"sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70",
|
|
"type": "eql",
|
|
"version": 112
|
|
}
|
|
},
|
|
"rule_name": "Service Control Spawned via Script Interpreter",
|
|
"sha256": "a674e578cfbef5b95a62b11671aeca823f09b5f2f63129f91f2557fa46d972e4",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "3d579bb92fe8249d3708f287ce73068e3e1eb7d3da4d7457b71e6c95ec5e6491",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "e863b1547c1a211479f64783701a48f31459decaff80471ecc40d7b3f7d64f0d",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
|
|
"sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
|
|
"sha256": "a8d0addea981abc201c8075ddf84cc71cf8e889932f1c06e212d64d43a19f083",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
|
|
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
|
|
"sha256": "14242eb38154b8a8e1a58bf61c0bfb74b5979a402c8daf3ac16d945e00cfd816",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
|
|
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
|
|
"sha256": "53547d9a43a3fc0d757d092bb75810899bd2886e9a0ff67b393c97c069bd4753",
|
|
"type": "new_terms",
|
|
"version": 107
|
|
},
|
|
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
|
|
"type": "threshold",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425",
|
|
"type": "threshold",
|
|
"version": 311
|
|
},
|
|
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
|
|
"rule_name": "AWS EC2 VM Export Failure",
|
|
"sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
|
|
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
|
|
"sha256": "97e36f64a18b7742354c75783032d8c937129028e729388f75253413f03292d8",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "9273914a7b7945fd48d1b65cbaca22cac9b1a363e215a919dfc7d7f2023e6a9b",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "3472059c099b888efa866c73f5ebda8a7cdd81a96a7c4c6c01e327c1d1fa2aa6",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
|
|
"rule_name": "Potential LSA Authentication Package Abuse",
|
|
"sha256": "85a69d2c3599e4ee1bee8122b9a14c0b9148c3db5d510013e18e96dd0f9ec389",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
|
|
"rule_name": "Spike in Remote File Transfers",
|
|
"sha256": "f9cfa49163402d6de09bf8956e320315bd0c937785ed3267ad306470bc834a69",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
|
|
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
|
|
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
|
|
"rule_name": "Azure Automation Webhook Created",
|
|
"sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Unusual Process Spawned by a Parent Process",
|
|
"sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process Spawned by a Parent Process",
|
|
"sha256": "273ab111885b862ada1a91bda7e0c52c082564cfb0bd6c60905f01285ffdc336",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"ea248a02-bc47-4043-8e94-2885b19b2636": {
|
|
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
|
"sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3",
|
|
"type": "threshold",
|
|
"version": 210
|
|
},
|
|
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
|
|
"rule_name": "Spike in Firewall Denies",
|
|
"sha256": "260bc7516505de6ab2ad79dccd957b4dc8c0f76dcbf987df647077cc0ced1f52",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
|
|
"rule_name": "Suspicious APT Package Manager Network Connection",
|
|
"sha256": "805fa189545f981d575ddc36086ba698c6cab425b1ecf2c09c8f857aa7db539f",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
|
|
"rule_name": "External Alerts",
|
|
"sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"eb44611f-62a8-4036-a5ef-587098be6c43": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 105,
|
|
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
|
|
"sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
|
|
"sha256": "452345c390a3f58cffe2ad756b136a031115a28fa4243770374662c6c857f01a",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "PowerShell Kerberos Ticket Request",
|
|
"sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
|
|
"type": "query",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Kerberos Ticket Request",
|
|
"sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8",
|
|
"type": "query",
|
|
"version": 213
|
|
},
|
|
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
|
|
"rule_name": "Suspicious Network Connection Attempt by Root",
|
|
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 411,
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "68b70fb7a0759edb5d4057074ce39e0a9d16c36f7e65d6fdcdfb8e6872bfbbc7",
|
|
"type": "eql",
|
|
"version": 312
|
|
}
|
|
},
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "b5e1dca924f5d9acc2bbfe1082785ef9458b056c40140e162d7526060d6bdbdb",
|
|
"type": "eql",
|
|
"version": 412
|
|
},
|
|
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "efe3336c2caa03ca5f2f4c180030a6988719173b020f4ef0b6328548942e1cc0",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "93b513e8ce449023833b25afd4c092d6d39708e07c92d3169dd2fe80a10617d7",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "7b1ad0930e0d399848cb3814f29f4114d11dc749c1117fe69b11dcfda2aa05d4",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "b5ef38fb69f464a4b3a78df77efdff1973928840166119bd81ec4834d944cac2",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"ec604672-bed9-43e1-8871-cf591c052550": {
|
|
"rule_name": "File Made Executable via Chmod Inside A Container",
|
|
"sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
|
|
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
|
|
"sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
|
|
"rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
|
|
"sha256": "61702c8dcf0374f8bb444a8a111fb32779c6ef86dbbfa133ec1fdb56321c8db1",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
|
|
"rule_name": "Executable File with Unusual Extension",
|
|
"sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
|
|
"rule_name": "AWS RDS Instance/Cluster Stoppage",
|
|
"sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
|
|
"rule_name": "Azure Global Administrator Role Addition to PIM User",
|
|
"sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "39ddeac69ba7e957dbde30dd6afb1b62daefa13143c99fcc1c9131251c2da3f1",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "666a39201e6cd023560381806ba6b8b178ce2bc7596b8084f46b63bec57859a2",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Attempt to Deactivate an Okta Application",
|
|
"sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
|
|
"type": "query",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate an Okta Application",
|
|
"sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a",
|
|
"type": "query",
|
|
"version": 309
|
|
},
|
|
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "bdcf41c9d261562501f02bbc0fdf00741c278f827f8c4b389c9b44351aaa466b",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "b1477cad6a3940c5331b5aac48248d75f2d9628f206c15ca3a83c52a0f2fde0d",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
|
|
"rule_name": "Linux User Account Creation",
|
|
"sha256": "4af9d5eb4553ab22a10d185542796bf3827c9c57126d958da584089a9b4181a6",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Okta FastPass Phishing Detection",
|
|
"sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
|
|
"type": "query",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Okta FastPass Phishing Detection",
|
|
"sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Unusual Print Spooler Child Process",
|
|
"sha256": "1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961",
|
|
"type": "eql",
|
|
"version": 109
|
|
}
|
|
},
|
|
"rule_name": "Unusual Print Spooler Child Process",
|
|
"sha256": "986186036dc086ae57af371ae59653ca11d16660a1311a709a7137fa6c7e6fd5",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
|
|
"rule_name": "Shortcut File Written or Modified on Startup Folder",
|
|
"sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
|
|
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
|
|
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"eea82229-b002-470e-a9e1-00be38b14d32": {
|
|
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
|
|
"sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
|
|
"rule_name": "BPF filter applied using TC",
|
|
"sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
|
|
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
|
|
"sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
|
|
"rule_name": "Potential Container Escape via Modified notify_on_release File",
|
|
"sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508",
|
|
"type": "eql",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "214f8fb47c57ac54428d1979e50f4e691ccd265637670689bfab291afa11f712",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"ef8cc01c-fc49-4954-a175-98569c646740": {
|
|
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
|
|
"sha256": "90d364f8a22a46e10400502782f9e63b502856dae193ee242c9df80b475350ca",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Unusual Child Processes of RunDLL32",
|
|
"sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Unusual Child Processes of RunDLL32",
|
|
"sha256": "c27a1557272e16660b29e32abdf339448cda357be42a5df8ff09e7cd7089e867",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
|
|
"rule_name": "Suspicious HTML File Creation",
|
|
"sha256": "30a4a9a823ba20654cac348d46d6ed2d266e48a105d74d2b07cd97485f45e644",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Administrator Role Assigned to an Okta User",
|
|
"sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6",
|
|
"type": "query",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Administrator Role Assigned to an Okta User",
|
|
"sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1",
|
|
"type": "query",
|
|
"version": 308
|
|
},
|
|
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
|
|
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
|
|
"sha256": "910384ce8b7a90baf6621c861b7a046f4764fa0a712b0a51e2aaf95bc8363a39",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"f0bc081a-2346-4744-a6a4-81514817e888": {
|
|
"rule_name": "Azure Alert Suppression Rule Created or Modified",
|
|
"sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
|
|
"rule_name": "Execution with Explicit Credentials via Scripting",
|
|
"sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
|
|
"rule_name": "Potential Remote Code Execution via Web Server",
|
|
"sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"f18a474c-3632-427f-bcf5-363c994309ee": {
|
|
"rule_name": "Process Capability Set via setcap Utility",
|
|
"sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
|
|
"rule_name": "Forwarded Google Workspace Security Alert",
|
|
"sha256": "da7ef3b91f3643cdf38700c894afdb9c990e17ed9711f5e4a7e4133589c98b04",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"f2015527-7c46-4bb9-80db-051657ddfb69": {
|
|
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
|
|
"sha256": "4e740008509defdc52f3ce580a43a0c02b9f679ad77ebf0f4136253adef5b1ec",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f243fe39-83a4-46f3-a3b6-707557a102df": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Service Path Modification",
|
|
"sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Service Path Modification",
|
|
"sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
|
|
"rule_name": "Creation of Hidden Login Item via Apple Script",
|
|
"sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"f28e2be4-6eca-4349-bdd9-381573730c22": {
|
|
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
|
|
"sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "SIP Provider Modification",
|
|
"sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "SIP Provider Modification",
|
|
"sha256": "d738dfc708658d71ae14be394ef74073c038935186dcd52452963824dcff6832",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "SIP Provider Modification",
|
|
"sha256": "ee278465be6f3dbb091ce5d5a2f86ef626accfc7c850b1fa069f00a2fd0b4b72",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "14a9d741acb3030e8466bf9a59a206544298e89f5fc3fee49bf83f99a7e052fd",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "254a89261a7919cd601e7aa8a8c9aafa993f9a2f38062b4f3f6b1839c39a0993",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
|
|
"rule_name": "AWS RDS Instance Creation",
|
|
"sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
|
|
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
|
|
"sha256": "3ac6f85158571e7ae9821f8407cf1039e071354f5ae798cd907c077d71b4ef58",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
|
|
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
|
|
"sha256": "5111cc2b59ff5a00ad2e2d02625d13fb2da0a6e5c8a7c7cf41cb0c023d1f0321",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"f3475224-b179-4f78-8877-c2bd64c26b88": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "WMI Incoming Lateral Movement",
|
|
"sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e",
|
|
"type": "eql",
|
|
"version": 110
|
|
}
|
|
},
|
|
"rule_name": "WMI Incoming Lateral Movement",
|
|
"sha256": "f68bad409924e59b8443d6a7bfa105b2b48cb4d88da36172d95d7094cb3a3375",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
|
|
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
|
|
"sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c",
|
|
"type": "threshold",
|
|
"version": 104
|
|
},
|
|
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
|
|
"rule_name": "Suspicious Network Connection via systemd",
|
|
"sha256": "45c7e70c63f0babc04075bb7fcacaf276c43f3f76f27788e95a22486dc947598",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
|
|
"rule_name": "Threat Intel URL Indicator Match",
|
|
"sha256": "cf0a030c5e18e30adb504961ef9b25c02002c86f068800908ed13e0f329267de",
|
|
"type": "threat_match",
|
|
"version": 7
|
|
},
|
|
"f401a0e3-5eeb-4591-969a-f435488e7d12": {
|
|
"min_stack_version": "8.14",
|
|
"rule_name": "Remote Desktop File Opened from Suspicious Path",
|
|
"sha256": "cf963b5d775862505a178cb58178b33fb23107afcc00e561160961a865e46b4f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"f41296b4-9975-44d6-9486-514c6f635b2d": {
|
|
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
|
|
"sha256": "a4f60de34a9b8854d098412627c483a602372a1752481e4bb94ee32edabdfeb4",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Persistence via Microsoft Office AddIns",
|
|
"sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Persistence via Microsoft Office AddIns",
|
|
"sha256": "c065074afa1efd59796f42921ce27c145b88b963e7472fa5c5269c74503e3647",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Microsoft Office AddIns",
|
|
"sha256": "0ceb15eaac8188f45c14c3dd7bead9ba70e09eb4b5f51deb6b9a8c126b63c78b",
|
|
"type": "eql",
|
|
"version": 308
|
|
},
|
|
"f48ecc44-7d02-437d-9562-b838d2c41987": {
|
|
"rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
|
|
"sha256": "6dc8920fe9a4bc479c93299a5b594945d88909d894d5a90f8997caba441bfa2a",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 212,
|
|
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
|
|
"sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d",
|
|
"type": "query",
|
|
"version": 113
|
|
}
|
|
},
|
|
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
|
|
"sha256": "a501daeafd36d21146d80fd784cd66a942aba32df467a451a98e26818a2e661b",
|
|
"type": "query",
|
|
"version": 213
|
|
},
|
|
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
|
|
"min_stack_version": "8.13",
|
|
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
|
|
"sha256": "e018ec0346e1abac5468b4f741a4a3036311473e101a7ddf11bca9b702e142c0",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
|
|
"rule_name": "DPKG Package Installed by Unusual Parent Process",
|
|
"sha256": "c9f84cce8696eb7c2dc198d566da5e106e018e6fe6cd9e016fd243ae72c741b4",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"f52362cd-baf1-4b6d-84be-064efc826461": {
|
|
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
|
|
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
|
|
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
|
|
"sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "7d014986e6735e5f5b90c0790e404e69d4e5d64634f6935fb10a34ec72877e05",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "70e912c507ffd352948a3b3477a1ad50a61cbbd2effc94c80291e684c151ed1c",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
|
|
"rule_name": "SSH Connection Established Inside A Running Container",
|
|
"sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 107,
|
|
"rule_name": "Rare SMB Connection to the Internet",
|
|
"sha256": "0994ac029d0e0256082d0a61be3696ee4a982af12e3efc1a96d975cb575ce7c2",
|
|
"type": "new_terms",
|
|
"version": 8
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Rare SMB Connection to the Internet",
|
|
"sha256": "c40aac172f1cdf1b7ccb004c0801fc47510425f767724967677d2084cdbf562d",
|
|
"type": "new_terms",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Rare SMB Connection to the Internet",
|
|
"sha256": "d22f0fbb911966cb407185b46199efd05573dd405193ce51ed521b9b72d30289",
|
|
"type": "new_terms",
|
|
"version": 208
|
|
},
|
|
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "WRITEDAC Access on Active Directory Object",
|
|
"sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "WRITEDAC Access on Active Directory Object",
|
|
"sha256": "a6c101a1883de891bb4d57551be80870b4826b128ce142cd1118f3aec69e22da",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "WMIC Remote Command",
|
|
"sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "WMIC Remote Command",
|
|
"sha256": "3bd84cb33875e0103cc886054ecc28efc9a73d479a6af6ebc8457657b6b35189",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
|
|
"rule_name": "Setcap setuid/setgid Capability Set",
|
|
"sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
|
|
"sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
|
|
"sha256": "cd92b6d8bfeeb796c8aa85d4173fc81fada02dcee2eba62947319524f50b8bc3",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
|
|
"rule_name": "Masquerading Space After Filename",
|
|
"sha256": "5f2226e282c0f810754301af6a21ee8303cfc152b5003db4500df84b536cc373",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
|
|
"rule_name": "Account or Group Discovery via Built-In Tools",
|
|
"sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Windows Firewall Disabled via PowerShell",
|
|
"sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Windows Firewall Disabled via PowerShell",
|
|
"sha256": "b83dd05aaef86c18fe47f7a8bdc6132a6c0d868069edcc7801fff9dcd7d10428",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Windows Firewall Disabled via PowerShell",
|
|
"sha256": "94e0a975da6a20b8e5a7088399f5da7561593424d1eb70d66d5a542963808c79",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
|
|
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
|
|
"sha256": "e4f93dc05162bf6cad753a1327db0e023df793034c6204d0b08a1d15f6d23b4b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Delete Volume USN Journal with Fsutil",
|
|
"sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Delete Volume USN Journal with Fsutil",
|
|
"sha256": "d3bf5930d646553b64fceb3142ba60e854e52fe3478bad4d52ce0a606395d9ee",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Delete Volume USN Journal with Fsutil",
|
|
"sha256": "81b4cea2ac276f83aaf465ba9217bfeea8d6f63be702f6088801a22b09cb7b77",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
|
|
"rule_name": "SoftwareUpdate Preferences Modification",
|
|
"sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
|
|
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
|
|
"sha256": "791121ea6aec69d7039ecb415a62b0a87915433516a225fa0103e30dc1fb3eb9",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
|
|
"rule_name": "System Hosts File Access",
|
|
"sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
|
|
"rule_name": "Azure Service Principal Credentials Added",
|
|
"sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f772ec8a-e182-483c-91d2-72058f76a44c": {
|
|
"rule_name": "AWS CloudWatch Alarm Deletion",
|
|
"sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
|
|
"rule_name": "SSH Authorized Keys File Modified Inside a Container",
|
|
"sha256": "7447ba66f5bb3a7f75ebfa0ec16f2c79965e3653b03fc3f3a06ec4e7dc27ece8",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
|
|
"rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
|
|
"sha256": "9d9ea4b2bef0475b57635433aa6c30663d72eb3226baf7e94587e17374f9c08e",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Persistent Scripts in the Startup Directory",
|
|
"sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Persistent Scripts in the Startup Directory",
|
|
"sha256": "19dabb4cdeb3093420fb56b9c94ca6687ea7ee3479e605b8b9f331cdff2466c3",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Persistent Scripts in the Startup Directory",
|
|
"sha256": "07caba511c046edeb032f0a4b75979d94cf1cadf75a7bfea159e175815bb0c48",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
|
|
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
|
|
"sha256": "c019dc62df736fd44d9e738556bb88927bb5a3381f6dd541d60087ba788d3255",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"f81ee52c-297e-46d9-9205-07e66931df26": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
|
|
"sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
|
|
"sha256": "c4a613fb04e9f97b6a884009449a139ee5a135556512ca5bf96bb5b803db7d8d",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
|
|
"sha256": "41f949b2f55eaabf986b67891e7037a89ce1a7964a42ef6e88352b92d52778bb",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
|
|
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
|
|
"sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
|
|
"rule_name": "Printer User (lp) Shell Execution",
|
|
"sha256": "6507c4745da0b0264ac93849eb4783ca11447050920d70c87be1c446f2206d74",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 211,
|
|
"rule_name": "Modification of AmsiEnable Registry Key",
|
|
"sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 311,
|
|
"rule_name": "Modification of AmsiEnable Registry Key",
|
|
"sha256": "f2423851bfbeefbfcda2a745c74dc1370032a6f7cfe9efbc981454ee74130559",
|
|
"type": "eql",
|
|
"version": 212
|
|
}
|
|
},
|
|
"rule_name": "Modification of AmsiEnable Registry Key",
|
|
"sha256": "0514fd1665b1dca73aee98091741b1265ecf43a5d052dae60fc15595c8f553bc",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Potential Active Directory Replication Account Backdoor",
|
|
"sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Active Directory Replication Account Backdoor",
|
|
"sha256": "9302b94451cee85bf6f7911e5a81caad7dad04e6d5d9271549085ee41f25cfe5",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"f909075d-afc7-42d7-b399-600b94352fd9": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
|
|
"sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea",
|
|
"type": "eql",
|
|
"version": 1
|
|
}
|
|
},
|
|
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
|
|
"sha256": "c4508dc7b6251d648197e8d7704c8fdafc973a1a99006c1475d76e67e7d195d3",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"f94e898e-94f1-4545-8923-03e4b2866211": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
|
|
"sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
|
|
"sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
|
|
"rule_name": "Unusual Linux Network Configuration Discovery",
|
|
"sha256": "d2f746819d1c581d86f596e696374d72b6b6ef60f9710488f0f34085b80a3e59",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"f95972d3-c23b-463b-89a8-796b3f369b49": {
|
|
"rule_name": "Ingress Transfer via Windows BITS",
|
|
"sha256": "85e0e9eb2f56d40ea5aa97a05e3c9ef70749ffbf72276dfe626c72d1889217c6",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 101,
|
|
"rule_name": "Browser Extension Install",
|
|
"sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 201,
|
|
"rule_name": "Browser Extension Install",
|
|
"sha256": "33fea2e19640fd39808aae6bf7267174995cc0a7e7973f07a4b21fbb2b842970",
|
|
"type": "eql",
|
|
"version": 102
|
|
}
|
|
},
|
|
"rule_name": "Browser Extension Install",
|
|
"sha256": "cdd8f7c92285ec6406bbb7e06fef02eb1458895deda96a9bbd299be408be2026",
|
|
"type": "eql",
|
|
"version": 202
|
|
},
|
|
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 109,
|
|
"rule_name": "Privileged Account Brute Force",
|
|
"sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Privileged Account Brute Force",
|
|
"sha256": "8237fdea989fedadcbe0c3d264d0f2e33c15879386f11721c8effccb0b5a1d28",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"f994964f-6fce-4d75-8e79-e16ccc412588": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "Suspicious Activity Reported by Okta User",
|
|
"sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b",
|
|
"type": "query",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Activity Reported by Okta User",
|
|
"sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317",
|
|
"type": "query",
|
|
"version": 308
|
|
},
|
|
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Remote File Copy to a Hidden Share",
|
|
"sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Remote File Copy to a Hidden Share",
|
|
"sha256": "c57ede22981de8ec65a677f491d04e110c3dcbe758924fc37fc34e2b031677a2",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Remote File Copy to a Hidden Share",
|
|
"sha256": "e2887448f525e4d2fc06229b8d743d4dca3c5ec090ff66e1b0395b0a14a6ffe1",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
|
|
"rule_name": "Potential External Linux SSH Brute Force Detected",
|
|
"sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
|
|
"rule_name": "Potential Reverse Shell via Suspicious Binary",
|
|
"sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"fa488440-04cc-41d7-9279-539387bf2a17": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 108,
|
|
"rule_name": "Suspicious Antimalware Scan Interface DLL",
|
|
"sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 312,
|
|
"rule_name": "Suspicious Antimalware Scan Interface DLL",
|
|
"sha256": "e76797913ea8f33de2a02341ab5af40b4efd31ccdadbb67daf8fcdf5281830bc",
|
|
"type": "eql",
|
|
"version": 213
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Antimalware Scan Interface DLL",
|
|
"sha256": "5593d660090874e775e2dedabd7551d2cd2be7a6c684f617ce9b597f367e5238",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"fac52c69-2646-4e79-89c0-fd7653461010": {
|
|
"rule_name": "Potential Disabling of AppArmor",
|
|
"sha256": "e045c3b1003a5042d8b759b06796c80d5f32b4a56185301e5de5bcc2f1d4544e",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
|
|
"rule_name": "Potential Masquerading as System32 DLL",
|
|
"sha256": "24ba6424357603cfc73404dbf3312ba7865f04447af416631ded8fec2599f2fd",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Network Connection via Registration Utility",
|
|
"sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Network Connection via Registration Utility",
|
|
"sha256": "8aae81ad83c8f0921e01112594259350cacae84e8b7a5991c5774c2b12228d7c",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "High Number of Cloned GitHub Repos From PAT",
|
|
"sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
|
|
"type": "threshold",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "High Number of Cloned GitHub Repos From PAT",
|
|
"sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
|
|
"rule_name": "Auditd Max Failed Login Attempts",
|
|
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"fbd44836-0d69-4004-a0b4-03c20370c435": {
|
|
"rule_name": "AWS Configuration Recorder Stopped",
|
|
"sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 208,
|
|
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
|
|
"sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 308,
|
|
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
|
|
"sha256": "4ad908e9c0e001298a239314cbd4fc39fb76e0789a62456d4601e31ea266b35e",
|
|
"type": "eql",
|
|
"version": 209
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
|
|
"sha256": "db69f7867e43c1d9991d02ca50a537f1688974ffa821585058e225fa254dfed5",
|
|
"type": "eql",
|
|
"version": 309
|
|
},
|
|
"fc909baa-fb34-4c46-9691-be276ef4234c": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
|
|
"sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
|
|
"sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010",
|
|
"type": "new_terms",
|
|
"version": 103
|
|
},
|
|
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
|
|
"rule_name": "User or Group Creation/Modification",
|
|
"sha256": "d1ea785176a27ff76f628305fa1d57041f59595f8b6e09f99b4b4349c18f1811",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
|
|
"min_stack_version": "8.12",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "GitHub App Deleted",
|
|
"sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "GitHub App Deleted",
|
|
"sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
|
|
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
|
|
"sha256": "6e4722f7391334da9fa02d2bfe859e94a1110c6b78b728f62607aaa9380b59e9",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the expect command",
|
|
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 210,
|
|
"rule_name": "Potential Application Shimming via Sdbinst",
|
|
"sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 310,
|
|
"rule_name": "Potential Application Shimming via Sdbinst",
|
|
"sha256": "0c0fb67b6f1fbc64b54c4eaaaf3982e6abd871234c9d741e32cf6111a4b95348",
|
|
"type": "eql",
|
|
"version": 211
|
|
}
|
|
},
|
|
"rule_name": "Potential Application Shimming via Sdbinst",
|
|
"sha256": "3a5c29d43ebbadfb3a010e164c997dcdbc2c550226c3129d9f7256ad4204f204",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 209,
|
|
"rule_name": "Suspicious CertUtil Commands",
|
|
"sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 309,
|
|
"rule_name": "Suspicious CertUtil Commands",
|
|
"sha256": "d5f199269d0b8d8ffcb51d4a5be03858a06c561d4d7b5e76ccdb0730fbf5212a",
|
|
"type": "eql",
|
|
"version": 210
|
|
}
|
|
},
|
|
"rule_name": "Suspicious CertUtil Commands",
|
|
"sha256": "d283778b33a2eb881ef6542154d6a7a4f20f42620f533ab95ac6e3d92989605a",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 317,
|
|
"rule_name": "Svchost spawning Cmd",
|
|
"sha256": "e120819a00740e66d735aed46354c8c204941e187fffe5705afac9bc20b2c37f",
|
|
"type": "new_terms",
|
|
"version": 218
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 417,
|
|
"rule_name": "Svchost spawning Cmd",
|
|
"sha256": "3496b237c65ce8b5c66a99b52546e49a3564913f15df60b8ab5ff3831bd56e7a",
|
|
"type": "new_terms",
|
|
"version": 318
|
|
}
|
|
},
|
|
"rule_name": "Svchost spawning Cmd",
|
|
"sha256": "2140d944bef1c61a87c150671d805d24438ca8fe7e109ef377a97dbc5a4efd83",
|
|
"type": "new_terms",
|
|
"version": 418
|
|
},
|
|
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
|
|
"rule_name": "Image Loaded with Invalid Signature",
|
|
"sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
|
|
"rule_name": "System Binary Moved or Copied",
|
|
"sha256": "49225541197b4b6b4988a3f6f4b5e6540977b229a825bfea0d1292a82a942d39",
|
|
"type": "eql",
|
|
"version": 13
|
|
},
|
|
"fddff193-48a3-484d-8d35-90bb3d323a56": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "PowerShell Kerberos Ticket Dump",
|
|
"sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Kerberos Ticket Dump",
|
|
"sha256": "d2f0a42229c44c3071f0ff420fc676660dd1a831a53634858ff9c59b0df0e7d1",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 106,
|
|
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
|
|
"sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
|
|
"sha256": "8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 213,
|
|
"rule_name": "Microsoft Windows Defender Tampering",
|
|
"sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 313,
|
|
"rule_name": "Microsoft Windows Defender Tampering",
|
|
"sha256": "7574ee875c1c9a825dfefa55b0b3b243f5cc25a3f4c7b2a4db8e22dd0cd9b2c5",
|
|
"type": "eql",
|
|
"version": 214
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Windows Defender Tampering",
|
|
"sha256": "cb03d4fedad0f761b8ee747dbf555bfea74c2931a6f2dd3f82004c0cc1571b65",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
|
|
"rule_name": "Potential Masquerading as Business App Installer",
|
|
"sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
|
|
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
|
|
"sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "MS Office Macro Security Registry Modifications",
|
|
"sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 307,
|
|
"rule_name": "MS Office Macro Security Registry Modifications",
|
|
"sha256": "02f53b9ca7444dd33ade4085a8403f9f14298ad57e5cad93a2ba6bb6c64fd758",
|
|
"type": "eql",
|
|
"version": 208
|
|
}
|
|
},
|
|
"rule_name": "MS Office Macro Security Registry Modifications",
|
|
"sha256": "99cf8e49260a71f7e543cba491822d4fa747aac63b25532628d89de61e7b5e56",
|
|
"type": "eql",
|
|
"version": 308
|
|
},
|
|
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
|
|
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
|
|
"sha256": "719015ef6c70c2739f12adb7f4e21683f10083d6e8cee6deabba37fcb821f02b",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
|
|
"rule_name": "Potential DGA Activity",
|
|
"sha256": "a6828508851318616e927d9f819f6d7c5130b830e0f3eba41135daf75ac99758",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
},
|
|
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
|
|
"rule_name": "Cron Job Created or Modified",
|
|
"sha256": "b0c6daed3da044ef0e0ce21a69c8b2b1a79c9e7b050b3d2d21597432dc235d90",
|
|
"type": "eql",
|
|
"version": 14
|
|
},
|
|
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
|
|
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
|
|
"sha256": "7842115a7191021a44e61d69bdc1563edc6e9d471a1237af41d228647df07824",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
|
|
"rule_name": "LSASS Process Access via Windows API",
|
|
"sha256": "7d8c295d9d5382ec04a6755af94ef4b2f9e3a87942594dc7a1708854f48db9bf",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
|
|
"sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
|
|
"min_stack_version": "8.14",
|
|
"previous": {
|
|
"8.11": {
|
|
"max_allowable_version": 100,
|
|
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
|
|
"sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8.13": {
|
|
"max_allowable_version": 200,
|
|
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
|
|
"sha256": "a5dc5c08ba531d44f22ea6769d5c2df16f15453f794a715ed59b46054ce95996",
|
|
"type": "eql",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
|
|
"sha256": "fdeb2235369b54f09b8e618dfa7db46fc187a691bc5b60955e67e9bfa1d1a008",
|
|
"type": "eql",
|
|
"version": 201
|
|
},
|
|
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
|
|
"rule_name": "GCP Firewall Rule Deletion",
|
|
"sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
|
|
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
|
|
"sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
} |