github-actions[bot]
9606 lines
365 KiB
JSON
9606 lines
365 KiB
JSON
{
|
|
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
|
|
"rule_name": "Attempt to Modify an Okta Policy Rule",
|
|
"sha256": "fcd948028bd42ce890deb31d6aef7d2a5f841d194d024c8a632bd40203c89554",
|
|
"type": "query",
|
|
"version": 414
|
|
},
|
|
"00140285-b827-4aee-aa09-8113f58a08f3": {
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "6e291a5cddac92af2120612d0e5b2a5db1929ee4fb58d53071642dc7e37fee20",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "cb3da7e9d3d8be5b8a37e6526d979d878e4f35a4959e471586e3d34af70bdc1a",
|
|
"type": "eql",
|
|
"version": 419
|
|
},
|
|
"0049cf71-fe13-4d79-b767-f7519921ffb5": {
|
|
"rule_name": "System Binary Path File Permission Modification",
|
|
"sha256": "e48b5dd418c152709c8476f2aafa0a109745c3e9a79bc8a1650b653f591ddf46",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"00546494-5bb0-49d6-9220-5f3b4c12f26a": {
|
|
"rule_name": "Uncommon Destination Port Connection by Web Server",
|
|
"sha256": "45c277342240444cb6c79b535c44066bdbf9deed51d4ced07bb77f3a5f9f6389",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
|
|
"rule_name": "Google Workspace Suspended User Account Renewed",
|
|
"sha256": "f18ac0fef8bbe46018b12cbc49078cde5a800a49a288127e4b72f51ac086b3ea",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"0136b315-b566-482f-866c-1d8e2477ba16": {
|
|
"rule_name": "Microsoft 365 User Restricted from Sending Email",
|
|
"sha256": "7f6d05375a42e356e585de8dae220404d3f29030e6ab6b1b566b9a100d448aad",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"015cca13-8832-49ac-a01b-a396114809f6": {
|
|
"rule_name": "AWS Redshift Cluster Creation",
|
|
"sha256": "485c2fd72b03d329a939d9aa2e0ed1fa869c9af0d75c6d1daaa066f99de00a26",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
|
|
"rule_name": "Potential Network Scan Detected",
|
|
"sha256": "a1da6334debf4acb4122f957eb33cf8d2ceb7345651a6b2ef4bd1721c4b2a9b4",
|
|
"type": "threshold",
|
|
"version": 12
|
|
},
|
|
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
|
|
"rule_name": "Memory Threat - Detected - Elastic Defend",
|
|
"sha256": "2b1277af9a824d07977a035ae4f6833f19e26f54f8e63a687a92d4333c198416",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
|
|
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
|
|
"sha256": "16a0b6dfba1264d6d8cc8b21b1f6bcc5eb4bc067bdb9224c5076dfda2bb2fd5a",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
|
|
"rule_name": "Potential Cookies Theft via Browser Debugging",
|
|
"sha256": "effdc73f270011dd596efce8ebf1cec1af482896d9c27adf8015357428042c50",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
|
|
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
|
|
"sha256": "fe62b5817ba03f0b38ab69729436f318b97c12bab5df5d8df29510435350440a",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
|
|
"rule_name": "Process Created with an Elevated Token",
|
|
"sha256": "37acd2334682432817aacdb8d2329e421310824775187a4caefffb7aef87b219",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"02a4576a-7480-4284-9327-548a806b5e48": {
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "62e97c7d00aad9eb5dba5a59ca2ea7e2ef5f9d11050504af0511e9efd98ac08f",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"02b4420d-eda2-4529-9e46-4a60eccb7e2d": {
|
|
"rule_name": "Spike in Group Privilege Change Events",
|
|
"sha256": "8caf70090c5c180faa0955b692debfff1999f7c20aeb1f8aabf07eec4e4ebf09",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
|
|
"rule_name": "Potential Ransomware Note File Dropped via SMB",
|
|
"sha256": "3c0cee1485089d0039569fe729555644745a965f74000c5e30fb73ff1a31a7ae",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
|
|
"rule_name": "Dumping Account Hashes via Built-In Commands",
|
|
"sha256": "27d2f755c29364e32433065a224cd6626f6d8310b9a12d92bc6e3264c52682e4",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
|
|
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
|
|
"sha256": "c26207afa6dd6e1b23a2fbcdb9fec002a011e2436b72cc2f6ff0d033e3a6fc2a",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"035889c4-2686-4583-a7df-67f89c292f2c": {
|
|
"rule_name": "High Number of Process and/or Service Terminations",
|
|
"sha256": "2a22d0f3cf317970be4b88c0a8ccdfe129a55d326c2025d0b931e84121a5ba59",
|
|
"type": "threshold",
|
|
"version": 216
|
|
},
|
|
"035a6f21-4092-471d-9cda-9e379f459b1e": {
|
|
"rule_name": "Potential Memory Seeking Activity",
|
|
"sha256": "8f133c6e9cddf374ce4fd11c281662eae4e7b2ee1981e47aca1d003301d7aa7d",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
|
|
"rule_name": "Suspicious Dynamic Linker Discovery via od",
|
|
"sha256": "6887f99e6c55904c75b5887aa9c04a4d174779e194c44d29ba02141bb6a96821",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"03a514d9-500e-443e-b6a9-72718c548f6c": {
|
|
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
|
|
"sha256": "db16c791683827ffea8705d7c3c3a3c8793db69d1e421f594a01616cf7fb7509",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
|
|
"rule_name": "Potential Network Scan Executed From Host",
|
|
"sha256": "48a116f421a0b1edf99bb7c5016f92835ce1a1159548133e0e2424a43b3b2615",
|
|
"type": "threshold",
|
|
"version": 6
|
|
},
|
|
"03d856c2-7f74-4540-a530-e20af5e39789": {
|
|
"rule_name": "Multi-Base64 Decoding Attempt from Suspicious Location",
|
|
"sha256": "85f6ccd81f36a92f7718a52d0838520307a344ee3c5d3b2cd65ce190375f97ab",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"0415258b-a7b2-48a6-891a-3367cd9d4d31": {
|
|
"rule_name": "First Time AWS CloudFormation Stack Creation",
|
|
"sha256": "c14f634ac8d501f56487a54ce3e10ac740ec26bf38940489dbec0b47239e883a",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"0415f22a-2336-45fa-ba07-618a5942e22c": {
|
|
"rule_name": "Modification of OpenSSH Binaries",
|
|
"sha256": "8c55d0a50d9d273e4b94409893d9744b947ad04108f2d38fa12b818acf711e76",
|
|
"type": "query",
|
|
"version": 113
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
|
|
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
|
|
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
|
|
"sha256": "45bafb4d78532d1c14f39e0ec63bd6e8c82780af7b66030bbfcac222cf82913e",
|
|
"type": "eql",
|
|
"version": 205
|
|
},
|
|
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
|
|
"rule_name": "Azure AD Global Administrator Role Assigned",
|
|
"sha256": "029a993ab78af773bcd6595b24e077415d99152587534bdf42db0ce55913b1b3",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
|
|
"rule_name": "User Added to the Admin Group",
|
|
"sha256": "fc962dbd88cfb0860ac58c4125afeaaa0668366e0f9d1ad035411aee787a69f6",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
|
|
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
|
|
"sha256": "30d23f6e345652ddecf8a6ccafdc4a3f18af50c9a8ecef16578e14094e8d3d55",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"054db96b-fd34-43b3-9af2-587b3bd33964": {
|
|
"rule_name": "Systemd-udevd Rule File Creation",
|
|
"sha256": "bd23f6c6c2e45016b065c2b53b5af3f65e0ead04590e74d78136d893be16b800",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"0564fb9d-90b9-4234-a411-82a546dc1343": {
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "0959fd7aaf5bc8255ede40413834dc1ccfa5885a9e516724151852e596d397f4",
|
|
"type": "eql",
|
|
"version": 217
|
|
},
|
|
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "f4e1f9d6d33fedcd444fbe238ea99dbeb66031172f00bdf4cd900ea91586d6fc",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
|
|
"rule_name": "Tainted Kernel Module Load",
|
|
"sha256": "06196b8799e99ff82bfbbc6ccbb3635e9e445bf339762edf7e031c9a8f592087",
|
|
"type": "query",
|
|
"version": 7
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "0c49b5b19550bb53fee01e7520f698f46a9a4a4b78d25014553b9557dcf61ad0",
|
|
"type": "query",
|
|
"version": 111
|
|
},
|
|
"0635c542-1b96-4335-9b47-126582d2c19a": {
|
|
"rule_name": "Remote System Discovery Commands",
|
|
"sha256": "d830586c866338070858fc3d79f60a78040bbbbf9694a72accfda57739d022bb",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"064a2e08-25da-11f0-b1f1-f661ea17fbcd": {
|
|
"rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk",
|
|
"sha256": "2d9696b9804309379956f4234f1de956bb83f53271f594fef7e22b983003fb70",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"06568a02-af29-4f20-929c-f3af281e41aa": {
|
|
"rule_name": "System Time Discovery",
|
|
"sha256": "a6862748b17c59d814bdbc083c1cc7d27381aed9732b14f0f1b32474464fd2ef",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
|
|
"rule_name": "Unusual Remote File Size",
|
|
"sha256": "5b526538699a28af2fa84b71bb25ab53268a3f8d61f67af75666b881c6317c21",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
|
|
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
|
|
"sha256": "16e3f15d9751ac5e7a214666d2ab0a3a815ecba1a81eee2d411339acc726759f",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": {
|
|
"rule_name": "Dynamic Linker (ld.so) Creation",
|
|
"sha256": "4352f7d36fe7858d8f13a10091e4507fec8d1caeb62e078fca7f9a8fdf1483d9",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "6ca7734eae8382f1a540c93eb25ee68b216e6cafef14039079486562079a8960",
|
|
"type": "eql",
|
|
"version": 218
|
|
},
|
|
"06f3a26c-ea35-11ee-a417-f661ea17fbce": {
|
|
"rule_name": "Memory Threat - Prevented- Elastic Defend",
|
|
"sha256": "39ab8efbaba1708840ab6193657a5a186f3a085b6224598c77a08006514293dd",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"074464f9-f30d-4029-8c03-0ed237fffec7": {
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "58d2522836e9696867c5013f86c837c3de9c6139334c45f21862af1141102989",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
|
|
"rule_name": "GitHub Protected Branch Settings Changed",
|
|
"sha256": "211d86814c799c776291d2387868439b4ebd6e01c2e243d10d387bab0362ac36",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
|
|
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
|
|
"sha256": "2a82445079956301b16981f1c33b9a8f5c65ffee6d2ef7b6948e62f24689a072",
|
|
"type": "threshold",
|
|
"version": 9
|
|
},
|
|
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
|
|
"rule_name": "Local Account TokenFilter Policy Disabled",
|
|
"sha256": "0ac96c06799e64900c4d1cc6dc9d7375c5be2979e8aa15d398cefbd5a2eb8f08",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "efff36dcc67637acab70b8bdc118ef3d48a67a477cc5bff8a765be0b98c69d9c",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"080bc66a-5d56-4d1f-8071-817671716db9": {
|
|
"rule_name": "Suspicious Browser Child Process",
|
|
"sha256": "c3033b6202ba8d06a3cce953bf5efde4f3292bfd7e4b02fcf073bcb3b4c38c0b",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
|
|
"rule_name": "Launch Service Creation and Immediate Loading",
|
|
"sha256": "a103bf9dea2202ad2c785712eb8d03c825973f10f2c2237c5fc3640b9c519ee4",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"083383af-b9a4-42b7-a463-29c40efe7797": {
|
|
"rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
|
|
"sha256": "ecac1068b5efcf837a17aa8bc11ec4898b57cf512f3d3953c575a14de27b12e4",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"083fa162-e790-4d85-9aeb-4fea04188adb": {
|
|
"rule_name": "Suspicious Hidden Child Process of Launchd",
|
|
"sha256": "92729a5db8411c86f55936222a8fdbd7c1634c859d8453339bf3d82144af86cf",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
|
|
"rule_name": "First Time Seen Removable Device",
|
|
"sha256": "4c42eef9c2804f93e9e02bcdfa8e0f36f462f32538c84ce59afcb648b391cb53",
|
|
"type": "new_terms",
|
|
"version": 212
|
|
},
|
|
"089db1af-740d-4d84-9a5b-babd6de143b0": {
|
|
"rule_name": "Windows Account or Group Discovery",
|
|
"sha256": "d2b0a72d8ef6f07e4647ae018611e94e004d13dbf270da1125381720f769fc59",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"08be5599-3719-4bbd-8cbc-7e9cff556881": {
|
|
"rule_name": "Unusual Source IP for Windows Privileged Operations Detected",
|
|
"sha256": "f0c3939a5957cddd4b6387710c93b4c9797c526fdc426a83b3c681d57d67b47b",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"092b068f-84ac-485d-8a55-7dd9e006715f": {
|
|
"rule_name": "Creation of Hidden Launch Agent or Daemon",
|
|
"sha256": "34aa7a13a75998606560cb32b50285f079aa350b0d28634aec6ce222a47b0985",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"09443c92-46b3-45a4-8f25-383b028b258d": {
|
|
"rule_name": "Process Termination followed by Deletion",
|
|
"sha256": "b34e09929af575f6b9e1bd42a42623c6f6186c01e5990e8902d9289b53407227",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
|
|
"rule_name": "Member Removed From GitHub Organization",
|
|
"sha256": "2ffad86dda9d63530d2b961af027f8ccf552593370bec658c394b6bfbee14ed9",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
|
|
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
|
|
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"097ef0b8-fb21-4e45-ad89-d81666349c6a": {
|
|
"rule_name": "Spike in Special Logon Events",
|
|
"sha256": "42bb7ebf26e253f5a13b0f718a37a6de590190e051705ab28122bca64c59bbb5",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"09bc6c90-7501-494d-b015-5d988dc3f233": {
|
|
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
|
|
"sha256": "bcca49c3d94598239ea43ddbf6c3c260b33b0a8303e7393520f054c0a61042a6",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
|
|
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
|
|
"sha256": "c9c639dd4e00e7e85f8a5970f79bed56d51994ad21504ccce3b4b8f4d5863487",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"rule_name": "Malware - Detected - Elastic Endgame",
|
|
"sha256": "6dec72ce9f7aabecc519652ba7299033d64fbfe4d155e3cbb9fff040f62ecef9",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
|
|
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
|
|
"sha256": "b9f9c2acd032277ca219864f2c819167d986f72f5926874ea56998544a0f85a6",
|
|
"type": "query",
|
|
"version": 8
|
|
},
|
|
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
|
|
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
|
|
"sha256": "7e292b37b6c88373ed25a37e2a1b1f82deeb9ca8559dab118b34d2c361a000c3",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
|
|
"rule_name": "Yum Package Manager Plugin File Creation",
|
|
"sha256": "adb171c78e145bb7e7e1525c87e09a70a07e608ece78e0470fe355172a2be4b8",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "5885c1e445642eebfc9b74d7427c15b9a7c7696141ebc1f2032514b026740cd1",
|
|
"type": "machine_learning",
|
|
"version": 211
|
|
},
|
|
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
|
|
"rule_name": "User account exposed to Kerberoasting",
|
|
"sha256": "8306cd0929a80bd742350e33bb52b21777571e2b6fc75217422a551ed8d0ba6a",
|
|
"type": "query",
|
|
"version": 217
|
|
},
|
|
"0b76ad27-c3f3-4769-9e7e-3237137fdf06": {
|
|
"rule_name": "Systemd Shell Execution During Boot",
|
|
"sha256": "93ae40f75225f76dd06c5454b69ea95ccecfa876f00e38aa8b757aa3f1403db0",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"0b79f5c0-2c31-4fea-86cd-e62644278205": {
|
|
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
|
|
"sha256": "9dd5bb74969002b406284ec7b5355030491e0d502816b2a068a2aac9e58af4cb",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"0b803267-74c5-444d-ae29-32b5db2d562a": {
|
|
"rule_name": "Potential Shell via Wildcard Injection Detected",
|
|
"sha256": "c947cebb1e87be33e0ee7598eac34dabb449a2ba51d94b993da50309d33f66a7",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
|
|
"rule_name": "Attempt to Establish VScode Remote Tunnel",
|
|
"sha256": "7901e313780731e3cf06385e5d06a1b6d5d5eba1fc338c461e7d9d12752feb8b",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
|
|
"rule_name": "Processes with Trailing Spaces",
|
|
"sha256": "ca6eedb3ff9bad4b3bcaedf3813cec56615c4aa0f3c96a0219713f7fe6b33824",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"0c1e8fda-4f09-451e-bc77-a192b6cbfc32": {
|
|
"rule_name": "Potential Hex Payload Execution via Common Utility",
|
|
"sha256": "a136e060e489b1167082f3e16ebc4c713b7e08625e160cbd77e3d51aca074a75",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"0c3c80de-08c2-11f0-bd11-f661ea17fbcc": {
|
|
"rule_name": "Microsoft 365 Illicit Consent Grant via Registered Application",
|
|
"sha256": "91a39207de666908bf7de22f812fa33236c0103b9f9c3cd9f7e847353fc6f1c8",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
|
|
"rule_name": "Threat Intel IP Address Indicator Match",
|
|
"sha256": "de0fce0fbcce6580a6a0af3a9cbd36da077ec0b32571149301aaaf7e6b50bc35",
|
|
"type": "threat_match",
|
|
"version": 9
|
|
},
|
|
"0c74cd7e-ea35-11ee-a417-f661ea17fbce": {
|
|
"rule_name": "Ransomware - Detected - Elastic Defend",
|
|
"sha256": "4cd274302356966cd95f09c1100bc8a7ded3746edf7901cc0a36a7d8a85120fb",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "d7f8506e81915c1204c05dd7b7969f115103b046e89d6b214aa261cd5cb72929",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
|
|
"rule_name": "Deprecated - Threat Intel Indicator Match",
|
|
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
|
|
"type": "threat_match",
|
|
"version": 204
|
|
},
|
|
"0cbbb5e0-f93a-47fe-ab72-8213366c38f1": {
|
|
"rule_name": "High Command Line Entropy Detected for Privileged Commands",
|
|
"sha256": "59c263dc1cdfe3855fdd501367d03907ed748e52353b5e059b96f1ee2c5afde3",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
|
|
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
|
|
"sha256": "2d520b970c95e1e70958288a6575a3b71c21e856ff41cb18b171b44506169b45",
|
|
"type": "esql",
|
|
"version": 6
|
|
},
|
|
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
|
|
"rule_name": "Suspicious Mailbox Permission Delegation in Exchange Online",
|
|
"sha256": "4d8d3bed1120c39b3997ade0ceb78776ea8e18469df1abfa37bb139ab87fc155",
|
|
"type": "new_terms",
|
|
"version": 211
|
|
},
|
|
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
|
|
"rule_name": "Multiple Alerts Involving a User",
|
|
"sha256": "15e804addadde83664812796f8f9823a5c7ebff99e0beb27678162bd9c31e24b",
|
|
"type": "threshold",
|
|
"version": 4
|
|
},
|
|
"0d3d2254-2b4a-11f0-a019-f661ea17fbcc": {
|
|
"rule_name": "Microsoft Entra ID Suspicious Session Reuse to Graph Access",
|
|
"sha256": "b32f370c015bc87d3327691efb6c5857e5df2ea848afca06a613dea840949d2c",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "c4bdbe8b150dc0ae69e6b9976ce317d49affb800b6a372b6b57f7aae39e58093",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
|
|
"rule_name": "Execution of File Written or Modified by Microsoft Office",
|
|
"sha256": "c35a544ede6291a5e7cfafd2e811015d5bf703d447b07963ff1e071a644958d4",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
|
|
"rule_name": "AWS Access Token Used from Multiple Addresses",
|
|
"sha256": "e78a9969bc5e054975c375e52db0dac90ce3655bdc77387b2748d688714f3375",
|
|
"type": "esql",
|
|
"version": 102
|
|
},
|
|
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
|
|
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
|
|
"sha256": "7f134644d8273c890ac5ca095836aa00db805397f4b82c8ec536a7663c1c7235",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
|
|
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
|
|
"sha256": "3b560a50fa738e1bf60d7c5c2a58fbb83a908da27531dc856ab4afa168bca749",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
|
|
"rule_name": "SharePoint Malware File Upload",
|
|
"sha256": "71cf7a280746d9c96b66dba7411cddd394b3955702299e39fba2a9ba988517d2",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
|
|
"rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token",
|
|
"sha256": "707436cd4db52679e9c2e42f16b61590bd7851a49f03ea02f9c9f53a7c876d62",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
|
|
"rule_name": "GCP Service Account Key Creation",
|
|
"sha256": "13e3ae6b28abf879bb3effd835f64e3514061113d41c183ecea88cfb42499628",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "8bd791257510714b815ae04669e2f5ed846133f80ab4f376c6541bacd64856b2",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
|
|
"rule_name": "Sensitive Audit Policy Sub-Category Disabled",
|
|
"sha256": "07263690e8379296f216fcdd9c9c9f5b6b9d4785df9804d973ab13ac573a61c7",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
|
|
"rule_name": "rc.local/rc.common File Creation",
|
|
"sha256": "7697c68ddc7f108cf81c5a47e40272d573068448d1a2d39e502d33e8c1bdcd01",
|
|
"type": "eql",
|
|
"version": 118
|
|
},
|
|
"0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": {
|
|
"rule_name": "Polkit Policy Creation",
|
|
"sha256": "ccb75dd53df28cbeeb9f6a308b39a1045eead4cec778e3c66c14904987670023",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
|
|
"rule_name": "Netcat Listener Established via rlwrap",
|
|
"sha256": "e27a1bbc25757a42efc7fffe568f17116558a3600140907bb6d8c7a4079d90f6",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
|
|
"rule_name": "Behavior - Detected - Elastic Defend",
|
|
"sha256": "d8fb41394bccffb0c9806c9a2edcf0cd1eefa2bc71a5d98d020b766f1e9e0c1c",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "a22ce5b0813ff129839c6ae3330c9cb4a64b73879125342eecbf840e3c1f2c35",
|
|
"type": "threshold",
|
|
"version": 313
|
|
},
|
|
"0fe2290a-2664-4c9c-8263-b88904f12f0d": {
|
|
"rule_name": "Kubernetes Sensitive Configuration File Activity",
|
|
"sha256": "3e237acdd7474065902deb6b49802a72057edeb399cf13f530256e9e0f492b4e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
|
|
"rule_name": "Privilege Escalation via Root Crontab File Modification",
|
|
"sha256": "36da4f7c17d19fd33bbe592e8381c3917e11c309d47f43c7909d76b2740eb47b",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
|
|
"rule_name": "AWS IAM Login Profile Added to User",
|
|
"sha256": "62236c3efc78d49212ef0d41035637d27a8639dc5eb24125db16fc4b5c5367dd",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"10754992-28c7-4472-be5b-f3770fd04f2d": {
|
|
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
|
|
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
|
|
"rule_name": "WebProxy Settings Modification",
|
|
"sha256": "5b102cd6d9e208ef30f244a8b4029b391783c1ec3f3bc24d5830028376bf8fd4",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"10f3d520-ea35-11ee-a417-f661ea17fbce": {
|
|
"rule_name": "Ransomware - Prevented - Elastic Defend",
|
|
"sha256": "3d0922a96d70e3acfbd3d41bfb8c15881b2c0754486948513d6e29ced4a004e4",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"11013227-0301-4a8c-b150-4db924484475": {
|
|
"rule_name": "Abnormally Large DNS Response",
|
|
"sha256": "c564ec0a3d6571899bf9b4573c706d7a88b754f61ae9a3abfee468abfcd88ce6",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
|
|
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
|
|
"sha256": "2f9c6ebcc168fd73263677e3306698c105ac5996bf07026b2d5b29808c561a63",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "b12993087a23a4196dff52b6d262095861045f58a03883e15e371a3d746f3b44",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a": {
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "0cde2bfbacf1d5ad63f6bb5e0964b3b5a2a15cf4882e8cba347f52c5989079da",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a5": {
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
|
|
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
|
|
"sha256": "c53bcf7bfadd682b86b3255c1ba83e2377ade5490ce3ed4fcf679db10915c333",
|
|
"type": "query",
|
|
"version": 117
|
|
},
|
|
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
|
|
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
|
|
"sha256": "064c4ddec156a1b2ea065455a460a17c81974239e07c623f01ea2d4f20bba2d5",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"12051077-0124-4394-9522-8f4f4db1d674": {
|
|
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
|
|
"sha256": "6be4d104b08d49fa50ff285abaa4b58f4f68fd9f022d108916dbe4874dbc80bc",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
|
|
"rule_name": "User Detected with Suspicious Windows Process(es)",
|
|
"sha256": "7f2d9e5d94f4c5e73f555b37e6616ecee53130fe84f4f52617e299de2d14f53e",
|
|
"type": "machine_learning",
|
|
"version": 110
|
|
},
|
|
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
|
|
"rule_name": "AWS Lambda Function Created or Updated",
|
|
"sha256": "1360886265d6aeb35c9b356643d02b243b43284698ffec99bd03641da8d34084",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"128468bf-cab1-4637-99ea-fdf3780a4609": {
|
|
"rule_name": "Suspicious Lsass Process Access",
|
|
"sha256": "8fc33262811096f6ebaf8b7fad2b6eed5f0b75c788cdac1c3ca035ea465b07ef",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "18bcbae69b87af3c77a8829ac5c6b2b694c582c1f915a81b0334f2bda7a19b28",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"12cbf709-69e8-4055-94f9-24314385c27e": {
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "94f5a4b12f95d49f1508d5c15a309ac12d286e04d0e26123498a94005fc399af",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"12de29d4-bbb0-4eef-b687-857e8a163870": {
|
|
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
|
|
"sha256": "505e0b601d7587cbd3f1b7ee9245a75299117258243f44320f661a6adb73c77f",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "3158b0d587e1f5c04d72866daa49f755711572ab959d2b9ed59f244d0c20d50f",
|
|
"type": "eql",
|
|
"version": 319
|
|
},
|
|
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "9d888cca63e4fd57e41ada2889695309fd3ca6c756c2a2e915512e7462aa586f",
|
|
"type": "eql",
|
|
"version": 414
|
|
},
|
|
"135abb91-dcf4-48aa-b81a-5ad036b67c68": {
|
|
"rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
|
|
"sha256": "6c429781632afc48e076cecc47bdf28c06eaa24d96391267189ebcffeb6e8897",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"138520d2-11ff-4288-a80e-a45b36dca4b1": {
|
|
"rule_name": "Spike in Group Membership Events",
|
|
"sha256": "e2e661163bffdfe10ea5fed8565f15060b3aa280538e6ab7961a0c4d34d930e3",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
|
|
"rule_name": "Rare User Logon",
|
|
"sha256": "dbbfc73fc0478644faa929c86d67c4ce1a7a6af123ba5c96a3c57ba7454db18f",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
|
|
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
|
|
"sha256": "a5cd731c12b8a6223c831ec20fa4a17a899b903d5629bcc6f0f821342b5bcbf4",
|
|
"type": "threshold",
|
|
"version": 209
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
|
|
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score",
|
|
"sha256": "c7887e579a03c71e110612389d59d34e3270e6f56f2edc4ccd1f9703a2b6ee1e",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
|
|
"rule_name": "Azure External Guest User Invitation",
|
|
"sha256": "f1805bd9b2c16aa5c8d09d5011840af47944f141e7a5266d50c111457e6612d6",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "a72b45c3d3656c4c1c594397d228ce07d18624f5c7a8314d0bc95b7f10b1e366",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"14dab405-5dd9-450c-8106-72951af2391f": {
|
|
"rule_name": "Office Test Registry Persistence",
|
|
"sha256": "1f2420c1ad0345dcb66852c413a62f765e3499a3c4dbb67f3b14a010ae460a3f",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "420708d5b6f28d7d42a7d6ff9d7e2ab041ee8cfcdaf8ea415f9b44c14bb474f2",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "233001ab1d4e9b16df6638802a83a9ccf377e3ef2380ef7d548ee980f5dcaee6",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"14fa0285-fe78-4843-ac8e-f4b481f49da9": {
|
|
"rule_name": "Microsoft Entra ID OAuth Phishing via Visual Studio Code Client",
|
|
"sha256": "355d09aa7f902af4b7d694675a700ffd0bbb2af0938dd7e9066cf812f38f59d9",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
|
|
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
|
|
"sha256": "a787c8a5d1e30ca3e750ec49ca534e9a496786f700ab8794b3a8449050392808",
|
|
"type": "new_terms",
|
|
"version": 207
|
|
},
|
|
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
|
|
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
|
|
"sha256": "ba9cf2bbbac2b3561e84666a99b2825f8561b5cf3c7e263171ce24135d1c6501",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
|
|
"rule_name": "Execution from a Removable Media with Network Connection",
|
|
"sha256": "9a4f4276c90368c6a8826ebb5a400f92dcee779b4ecfa447e64fec3a3d6441e7",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
|
|
"rule_name": "Scheduled Task Execution at Scale via GPO",
|
|
"sha256": "21792bd878e448ec862da9cc5bf6e3b5f64978c7a1e9ad278a91cd0dd908326d",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "f3d8e62676ec8a7f2494ca228c62e29e6bc9f3e5d0bf2415ce40916f2e489335",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"15dacaa0-5b90-466b-acab-63435a59701a": {
|
|
"rule_name": "Virtual Private Network Connection Attempt",
|
|
"sha256": "8989fd255ab499907a77f2db83d4e2da1f9652d1ea9fb30aa192586ee11a4e9d",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"1600f9e2-5be6-4742-8593-1ba50cd94069": {
|
|
"rule_name": "Kubectl Permission Discovery",
|
|
"sha256": "af81dab62d4a88b4359136071b95a263a70c91e75bbc8964593fcad6454f9094",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"160896de-b66f-42cb-8fef-20f53a9006ea": {
|
|
"rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
|
|
"sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
|
|
"rule_name": "Azure Automation Runbook Created or Modified",
|
|
"sha256": "7e00cd69e253cd1a5ae7696e0662e2fc67b79823720df1a92b0c4df8c685cc6d",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"166727ab-6768-4e26-b80c-948b228ffc06": {
|
|
"rule_name": "File Creation Time Changed",
|
|
"sha256": "1893d694283de0c895199ccaff4ff3f0c595ab567a98ef5c0fa290345b036cd5",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"16904215-2c95-4ac8-bf5c-12354e047192": {
|
|
"rule_name": "Potential Kerberos Attack via Bifrost",
|
|
"sha256": "c1c429ce7d8d01884d2354119390babd9a3b1cd6c1b082626cdb66adcab48dd1",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "19be9e0465e9ac50b6eb64071b6d45c1670be2e5989f94d305311ae941cb16f7",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"16a52c14-7883-47af-8745-9357803f0d4c": {
|
|
"rule_name": "Component Object Model Hijacking",
|
|
"sha256": "5993f0d872bbf12af1cc908245ea8a9f120cf044728d32423fa24ddd77f30ebc",
|
|
"type": "eql",
|
|
"version": 116
|
|
},
|
|
"16acac42-b2f9-4802-9290-d6c30914db6e": {
|
|
"rule_name": "AWS S3 Static Site JavaScript File Uploaded",
|
|
"sha256": "de781327d4333f9e6fcc9c4de9aab9ff7e589ff1af6f72061153e350754372e9",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
|
|
"rule_name": "Startup/Logon Script added to Group Policy Object",
|
|
"sha256": "fe5e13f3787fcc982378ee56140edbaf40dae2433b59f7317df27287c7e6ced4",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"1719ee47-89b8-4407-9d55-6dff2629dd4c": {
|
|
"rule_name": "Persistence via a Windows Installer",
|
|
"sha256": "9d071673dc778a2ba73f917a3d9f6ec217c7c494f6a407363675471350a5deed",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
|
|
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
|
|
"sha256": "5b8d5a1b99c6b3e9b8f23db751a98aa42d12ea85d9927aac93c2ed685d2b6655",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "cf219e480a43620acf15659f951b5ab4c83d86326bc078bf6b2b9e165c3c30bb",
|
|
"type": "machine_learning",
|
|
"version": 210
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "cf343116462e929ad9523a65633ab5d29d3e34227fb9f496e44e7321c07f75f0",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "1c4ffadb6be238942250eb70da7b3ef6df530fb7793f6ba3c397dc6c585aa53c",
|
|
"type": "machine_learning",
|
|
"version": 210
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "4f6f47fc1343004d014ac17f50a4ada7c10665feaa2e7d259c490c975a0f98ff",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "90b5af752da98e9b3d570fdf8548369f161dbac4cf139339d72de4bccc30fcbc",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"178770e0-5c20-4246-b430-e216a2888b23": {
|
|
"rule_name": "Spike in User Lifecycle Management Change Events",
|
|
"sha256": "9ceb5ec5bf8532d79372332317d958ae4138bcd71f3e24e3f6ee5fe4bb1c3e7f",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
|
|
"rule_name": "Systemd Service Created",
|
|
"sha256": "ee35e7901dc154943c8dfe14e889fb1d021c240700e0c09e41b3c3ee5d11e22f",
|
|
"type": "eql",
|
|
"version": 18
|
|
},
|
|
"17b3fcd1-90fb-4f5d-858c-dc1d998fa368": {
|
|
"rule_name": "Initramfs Extraction via CPIO",
|
|
"sha256": "e41fda7eff75a688b80cd65a4bdc4390b917fc0a54ab3c968b2beb4189ab1e44",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
|
|
"rule_name": "Renamed Utility Executed with Short Program Name",
|
|
"sha256": "6a4e0d226a0e94d9c32967bd9845977a3fafe731a2a258747c1b249a55c4b049",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "599cc8905fe0fb2873fc02bca62c1ebf97d34b684180665e7e909d527e509ad7",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"181f6b23-3799-445e-9589-0018328a9e46": {
|
|
"rule_name": "Script Execution via Microsoft HTML Application",
|
|
"sha256": "132e35479cdc72c87bced9eb39159645e0dac333bed9e051208ed8838a8863bc",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
|
|
"rule_name": "Simple HTTP Web Server Connection",
|
|
"sha256": "727923839de557236140f1a6cd53a8fecc509ccfd588c0f9201b3838ff5577b5",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
|
|
"rule_name": "GCP Logging Sink Modification",
|
|
"sha256": "1d09e6dc623e3a07c2777f44c0be0f4b406a57136bd176f255d6d99ab846bfbd",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
|
|
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
|
|
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
|
|
"rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
|
|
"sha256": "e799df3465790f72eaf89c4dc3da01f3c8895846a49018b4a4bb6eb80c8df3da",
|
|
"type": "threshold",
|
|
"version": 5
|
|
},
|
|
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
|
|
"rule_name": "Spike in Number of Connections Made to a Destination IP",
|
|
"sha256": "4371659ef32b1ef4816960bcc57044e06a0264e79c1637b78e7071c7af89132c",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"192657ba-ab0e-4901-89a2-911d611eee98": {
|
|
"rule_name": "Potential Persistence via File Modification",
|
|
"sha256": "2bfc3b450c5f44d97b88b26d385af8956ca80d7cb2d78e45b85b0df3fc06993d",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
|
|
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
|
|
"sha256": "b1a4ef07678dea9d63399e559e2bcf5f3d95b5d1bcff931722512eb98daa66e7",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"1965eab8-d17f-4b21-8c48-ad5ff133695d": {
|
|
"rule_name": "Kernel Object File Creation",
|
|
"sha256": "965638fbd40aeb4cc2ea25d6a0942ffb6508ea59e61962567a94cac7b1d03d1b",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
|
|
"rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
|
|
"sha256": "93836865cdc9026a4cdaf2a69ae09fc7789927189af5f4ca4a359713fb12d8ec",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "c5ccfa06fcb6ada608a35d93744993c3f48966ce6d4323197e222dcb5324993f",
|
|
"type": "machine_learning",
|
|
"version": 211
|
|
},
|
|
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
|
|
"rule_name": "Spike in Number of Processes in an RDP Session",
|
|
"sha256": "6e9a2818596588723edbf376ee014607852f5cdc7e83a6e9378fc1f71383badd",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
|
|
"rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container",
|
|
"sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
|
|
"rule_name": "Azure Application Credential Modification",
|
|
"sha256": "8f2cb136439406c100b10b0adb884a5800658b17c0df46c910f35cf39313dda9",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"1a3f2a4c-12d0-4b88-961a-2711ee295637": {
|
|
"rule_name": "Potential System Tampering via File Modification",
|
|
"sha256": "7c83bc5eaa2a069cb0d447c66e1c513d530dd45bc557a9d026acd112fe4dc407",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "0755b62a96de7d1a62ad93b17b76d05e799c2288c120223dc3afbfaece5d8c4c",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "ea6e08aafd627d900f5c91f81ebbe264978623e45c0b04beb2dfe1c4149c7716",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "860d01c2bb53d9b7a09a8718626d0909a9e37d78d4f26bad282749d406874f1c",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
|
|
"rule_name": "Process Created with a Duplicated Token",
|
|
"sha256": "2d3d874eed0f3d13992e5dbaec2e6f002a36fb0df39992d174abd1d48f5610c0",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "8626cbb572cfc946b56467e5360cc17061fe6ed56bfdf6ffa9deb271117d21ac",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
|
|
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
|
|
"sha256": "12a99f311fb5dd4253c235e3b6540b50cfa838fffe791b5842cb9346961f3da6",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
|
|
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
|
|
"sha256": "44f0cac3ecaf0fead7add88687995c804cd5c8417d95276cff6081b0c7a80b9c",
|
|
"type": "eql",
|
|
"version": 14
|
|
},
|
|
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
|
|
"rule_name": "Potential Process Injection from Malicious Document",
|
|
"sha256": "ce6e5c0d567af464050071029e7ca367ab9b070855f566cda0626a678b8c95ef",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
|
|
"rule_name": "Microsoft Entra ID Illicit Consent Grant via Registered Application",
|
|
"sha256": "6a310f46b8d33d9e702de35ac1b436bc874e148c5f8eac44d17d6bbef6a8839a",
|
|
"type": "new_terms",
|
|
"version": 216
|
|
},
|
|
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
|
|
"rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
|
|
"sha256": "cf847fe5e118883f401f0194f9dc8736fb85d9bcbaf36d14d3a4d74b938ed6a8",
|
|
"type": "eql",
|
|
"version": 120
|
|
},
|
|
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
|
|
"rule_name": "Azure Kubernetes Rolebindings Created",
|
|
"sha256": "e8150035c722c6b2ebc23d5d8353252a95974cc0de5d5adaaff614a9c629c537",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"1ca62f14-4787-4913-b7af-df11745a49da": {
|
|
"rule_name": "New GitHub App Installed",
|
|
"sha256": "2a64f127e91b425ba0867b5db45435456582c294290f7aa666e65b682a28afbc",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
|
|
"rule_name": "Incoming Execution via WinRM Remote Shell",
|
|
"sha256": "6acfd449e15d1064ff19e9f8a3ed2f814e77e39a7baa5be696eb049d192e2fe6",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
|
|
"rule_name": "Okta Sign-In Events via Third-Party IdP",
|
|
"sha256": "a84e20c2c4fc5066af8592c0955130207146c842eee469e7530c0bf8af7b911a",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"1d0027d4-6717-4a37-bad8-531d8e9fe53f": {
|
|
"rule_name": "Potential Hex Payload Execution via Command-Line",
|
|
"sha256": "d33be9f91f07fad94c4df50f66bb0183cd737599f18f763dcfbda450b73863c5",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"1d276579-3380-4095-ad38-e596a01bc64f": {
|
|
"rule_name": "Remote File Download via Script Interpreter",
|
|
"sha256": "e208abb63a46c842bbc761775a0e3ad1957b29ace3b55ba082ad3794d5179585",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
|
|
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
|
|
"sha256": "c4eda7d661ae49cfe6ed2d528c0498a1d539abf48936b8f3225d174848e62946",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
|
|
"rule_name": "External IP Lookup from Non-Browser Process",
|
|
"sha256": "8d05c32f44d67de63080ae2a1b59170a1394351c67170174791519ff480c2348",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
|
|
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
|
|
"sha256": "5c7adbbf1c05e94781134cd249fe5beb6d03dd6e31b08a32b01adc47a7341d6f",
|
|
"type": "query",
|
|
"version": 111
|
|
},
|
|
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "1aa8b91518fa800db672ea1885139d417ebbaaee15004144118a44663c79ea1b",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
|
|
"rule_name": "Suspicious Inter-Process Communication via Outlook",
|
|
"sha256": "390bc042a612982783d6f66639e318555d5edbcbbcd41b6203d0a4c312c2aa05",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "77163f2c8a75481511e44a1f0dde1c220b2317dff48cefe5b5073a90eb32878d",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
|
|
"rule_name": "Potential Linux Hack Tool Launched",
|
|
"sha256": "add8f0ecf98bfcdc50001b5a40e7f3f325feb495eb4cf5f976c2561095f6517d",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
|
|
"rule_name": "PowerShell Script with Discovery Capabilities",
|
|
"sha256": "f70aa045c1e96dec56c971fae0fe82c3717a59df8f1ae64368ae447326947066",
|
|
"type": "query",
|
|
"version": 213
|
|
},
|
|
"1e0b832e-957e-43ae-b319-db82d228c908": {
|
|
"rule_name": "Azure Storage Account Key Regenerated",
|
|
"sha256": "fd6e6cb7f7375b2bba5197e0a50a67a7f136abdd670181655984505f25881190",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
|
|
"rule_name": "Creation of a DNS-Named Record",
|
|
"sha256": "6727eeb8359a38b6bd76f7f485a4edc0afb2aba6967a5e19c21724161d1d0395",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
|
|
"rule_name": "Creation of SettingContent-ms Files",
|
|
"sha256": "4797e35fc4a38dd74999a3a08a192ec1ca5363c6fbbefbe0efd341d55e664036",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
|
|
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
|
|
"sha256": "17fdd226cfd7e8ab056f39e3f2e0a507e583412f3368654133bc6c3c275ba366",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
|
|
"rule_name": "Unusual Sudo Activity",
|
|
"sha256": "affa4cbf4b252e4c8041f18f7949ab5c47ea25f683997a7fcfab80690076234c",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
|
|
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
|
|
"sha256": "6a0e9e8d89d9acb5f15761864de10b2e020d6bd9fd2b38d95b05527ebd265d00",
|
|
"type": "query",
|
|
"version": 115
|
|
},
|
|
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
|
|
"rule_name": "AWS Signin Single Factor Console Login with Federated User",
|
|
"sha256": "d7dfefbed76f68577979701e4d7c33a6f48472d06569c268597a2d9553913692",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
|
|
"rule_name": "Unusual Process Execution on WBEM Path",
|
|
"sha256": "590b9afb0a946a0d20b405f3236763b25916bc1c2865980d1471878bfeb9420a",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"1fa350e0-0aa2-4055-bf8f-ab8b59233e59": {
|
|
"rule_name": "High Number of Egress Network Connections from Unusual Executable",
|
|
"sha256": "5950b86e681b4be75861a8e08306a72d54926b09bc5d6752cf63f4877beeb107",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
|
|
"rule_name": "Unusual Linux User Calling the Metadata Service",
|
|
"sha256": "d4adbf8ea6feea59616adf3ad8302ad326c5860a91a7973921f942b5849c1e0e",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "4464c8de4f4905d81bb1c5f492987ef4c8032d9738d50bf6d5b533da1da754a2",
|
|
"type": "eql",
|
|
"version": 218
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"rule_name": "Exploit - Detected - Elastic Endgame",
|
|
"sha256": "7c4db2799c89ee449c815b82891485079d5833e668c3397ab35496c6c65e1c04",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "7b68836a32e1779b0267875f39a97f5637ee17d6c9b4023e6479dc210b6bf15a",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"202829f6-0271-4e88-b882-11a655c590d4": {
|
|
"rule_name": "Executable Masquerading as Kernel Process",
|
|
"sha256": "b483356dc559d907cea1cc9de8308a0286b67c97b78f3e2edd2ce8adf1d438f5",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "cb97ac512379616b3ee47f87a9d7a7f6cdc27f77c1aeb2207f6fa1bbc5fa06af",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
|
|
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
|
|
"sha256": "498f0222ddadeb1feaeae0269ce7d3308bfd5d9ad0b21ecc8ac1d84a2a68eca9",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
|
|
"rule_name": "Suspicious Web Browser Sensitive File Access",
|
|
"sha256": "969933445a0d95b7684221b4c55a04a981a502c5061dfdacb076bba52fa14b38",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"205b52c4-9c28-4af4-8979-935f3278d61a": {
|
|
"rule_name": "Werfault ReflectDebugger Persistence",
|
|
"sha256": "5268893db28ba2b8355e2703a825d92212770bc7a639a48c747da8fe62a6814c",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
|
|
"rule_name": "LSASS Memory Dump Handle Access",
|
|
"sha256": "7ec8afe61b5d5522ddf1602ca5848c01b0299fdc1421f213ccabc57b07849efd",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
|
|
"rule_name": "Auditd Max Login Sessions",
|
|
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"210d4430-b371-470e-b879-80b7182aa75e": {
|
|
"rule_name": "Mofcomp Activity",
|
|
"sha256": "069467922720ae9d5c59123eab480682aba33e1683b603c12a13cc2d16d7de61",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"2112ecce-cd34-11ef-873f-f661ea17fbcd": {
|
|
"rule_name": "SNS Topic Message Publish by Rare User",
|
|
"sha256": "8e256f5c59c82008e662a265098cf1faf568d9097724091f4bfbaf86cd2e6152",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
|
|
"rule_name": "Potential Reverse Shell via Child",
|
|
"sha256": "defdab471118aa4973db2b7581403880dc592152944a84b2bf8d6fa88df58048",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
|
|
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
|
|
"sha256": "373fbf888323ceb2b501fedff354a2a9bee1a0105ca631e2d18e381ff2e803be",
|
|
"type": "new_terms",
|
|
"version": 9
|
|
},
|
|
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
|
|
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
|
|
"sha256": "2bbcf7084bfafdedf47eb0145f4de495e556088a7daf3e7d6c0e0d7784c736a8",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
|
|
"rule_name": "SSH Authorized Keys File Modification",
|
|
"sha256": "5edbfdd3ffac66ba8c6e692fe8b2ade0f9720c0dd3ae72c7ebdd9be57aee47df",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"22599847-5d13-48cb-8872-5796fee8692b": {
|
|
"rule_name": "SUNBURST Command and Control Activity",
|
|
"sha256": "c954a580d6a107f3549d5eb9ba4cc18b263b5cecfb80b52f61371d0561a8a053",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "bfe89fc99331fc38df8e71483c8ab703bbe05acb317ad2edc308d2dd968a1b0f",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
|
|
"rule_name": "GCP Storage Bucket Permissions Modification",
|
|
"sha256": "10057cdacf301c40c25637993cc4b38700c574b3f414544168b5375acb7cf76f",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
|
|
"rule_name": "Kernel Module Load via insmod",
|
|
"sha256": "aec65633074e706b6c2995500f68953dcc5dedc4c5c11d98887bdbbba0bbda22",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"2377946d-0f01-4957-8812-6878985f515d": {
|
|
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
|
|
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"2388c687-cb2c-4b7b-be8f-6864a2385048": {
|
|
"rule_name": "Potential Kubectl Masquerading via Unexpected Process",
|
|
"sha256": "89f70a0173eb14191dc9b5d0fe01c1bfe7085011136b1917556db36f88c73c1a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
|
|
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
|
|
"sha256": "0a25fae6d19ebdfa81eeaf416d24307ef7dbcf257d8a975531024713707fccc2",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"23cd4ba2-344e-41bf-bcda-655bea43fdbc": {
|
|
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
|
|
"sha256": "344fbddfe8b9195a7de719a79c8498619c0b8ae054c9068082d884d5012d536e",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"23e5407a-b696-4433-9297-087645f2726c": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "Potential NTLM Relay Attack against a Computer Account",
|
|
"sha256": "49224a1d4f9dd6793aaf01e3e60bbd0e26b0c0efa3fdd05e7a58bac235c0d5f0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
|
|
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
|
|
"sha256": "7bd6191d375f8df11be8e1f01eb80fe5ccf783a1431539a5f1a404e9b571a5f6",
|
|
"type": "esql",
|
|
"version": 206
|
|
},
|
|
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
|
|
"rule_name": "New GitHub Owner Added",
|
|
"sha256": "284425d2163342436ce5a9d1e9fdd61c509eb88df35502cba160ef18c8ca5d17",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "bd35da091eebd6bb34af785cf1de52b0361a62eb9f8cc40804e0864ed4545115",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
|
|
"rule_name": "Potential PowerShell HackTool Script by Author",
|
|
"sha256": "ec2b9766f4880d475594b910e6ce3cec44256f4c0b698a073eb77b47d4147e95",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
|
|
"rule_name": "Potential Reverse Shell via Background Process",
|
|
"sha256": "4b1e929ac8619a74cad3d7c17d919b4bed29e5faf096c10a059ee90541a3ab92",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"25d917c4-aa3c-4111-974c-286c0312ff95": {
|
|
"rule_name": "Network Activity Detected via Kworker",
|
|
"sha256": "85c27973460435a413b6d080b9381b7ea5624d36191a071d581a977d752b5ee8",
|
|
"type": "new_terms",
|
|
"version": 9
|
|
},
|
|
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
|
|
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
|
|
"sha256": "882ff0c3deba5b93ff172e6bb626f39297b8242984e5b7db11bc8ca90e5bcca2",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
|
|
"rule_name": "New Okta Authentication Behavior Detected",
|
|
"sha256": "f8a12d199fb7a1095704fd2f04c3cdf19a78c0eae297510e7225c28990d53ee8",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"2605aa59-29ac-4662-afad-8d86257c7c91": {
|
|
"rule_name": "Potential Suspicious DebugFS Root Device Access",
|
|
"sha256": "c0c3359887ae31c91a2f36ba8659716838b2b3ea8e601eeb98d253ff3f6b2cb7",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"263481c8-1e9b-492e-912d-d1760707f810": {
|
|
"rule_name": "Potential Computer Account Relay Activity",
|
|
"sha256": "7af6eb523b372859247ef0451c75064ef4ca7565d53c8411bf0e615e646bc87a",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
|
|
"rule_name": "Azure Blob Container Access Level Modification",
|
|
"sha256": "1d779fac11c6117ef47f1518c9a50932ee0bc63326484d9b27cf9db39186a771",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"264c641e-c202-11ef-993e-f661ea17fbce": {
|
|
"rule_name": "AWS EC2 Deprecated AMI Discovery",
|
|
"sha256": "d29fbb36af27e479e3151a63b47436713f655cec342a035d2d5c06f8483610f0",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "716cc35650ba4a9892b5d18a9799bac51553c52d29a9799bd63789601ac6263c",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": {
|
|
"rule_name": "Unusual High Denied Topic Blocks Detected",
|
|
"sha256": "17f2e732dffccfe95b1e8b3fd5f9806361f123bf905d25230378e2f44b8724f3",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"267dace3-a4de-4c94-a7b5-dd6c0f5482e5": {
|
|
"rule_name": "Successful SSH Authentication from Unusual SSH Public Key",
|
|
"sha256": "b8f51f44908a71953949cf0f0702cc9980b44c6aebdfeb31879ae51ba80901da",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
|
|
"rule_name": "Potential Defense Evasion via Doas",
|
|
"sha256": "487f09f5a78dc9440e204d3bb03ecb8bb00af68bb20334fa5f3841e5396f7ec8",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
|
|
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
|
|
"sha256": "beb3cd25d9df9767e008011425e30dbaed0ffa3f3d1fc6ba941135fedad0e089",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"26edba02-6979-4bce-920a-70b080a7be81": {
|
|
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
|
|
"sha256": "269ec5ade45dec91788ebb77c92a2a3b7e22ef55dfe17e6ecfb360438f9c8a1d",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
|
|
"rule_name": "Potential Microsoft 365 User Account Brute Force",
|
|
"sha256": "0fb493e61559cdde3c67997c7b484a73e2f559aaa48ea10c5fa2ffb791811d8d",
|
|
"type": "esql",
|
|
"version": 414
|
|
},
|
|
"27071ea3-e806-4697-8abc-e22c92aa4293": {
|
|
"rule_name": "PowerShell Script with Archive Compression Capabilities",
|
|
"sha256": "610930646b3ee410a43f2a6d94ae9398b6669dc0c344808d98ce8fd6143c22d5",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"2724808c-ba5d-48b2-86d2-0002103df753": {
|
|
"rule_name": "Attempt to Clear Kernel Ring Buffer",
|
|
"sha256": "3c1f7ddd693f9e43e00b09b12c220f51c982c8a60b12ec56d0e04789780fd350",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"272a6484-2663-46db-a532-ef734bf9a796": {
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
|
|
"sha256": "1915838e0d942c791f7e945ac5848ab7dfc7b2c573b0e12faa0590a23908e34f",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"27569131-560e-441e-b556-0b9180af3332": {
|
|
"rule_name": "Unusual Privilege Type assigned to a User",
|
|
"sha256": "579ed4cf157c5823aba1285af6e70c68cb53ea8b58681a305bb4b2fad6f975e3",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"2772264c-6fb9-4d9d-9014-b416eed21254": {
|
|
"rule_name": "Incoming Execution via PowerShell Remoting",
|
|
"sha256": "0b92fa2b539cd8298139f4fc871d9deaf90e1cfeee5e16fdca9e0246f72e12f3",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
|
|
"rule_name": "GCP Firewall Rule Modification",
|
|
"sha256": "677e4f99e43770464f7c8109f73a9b6de9e59a595226aadb28817b9892ed438b",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
|
|
"rule_name": "Microsoft 365 Teams External Access Enabled",
|
|
"sha256": "072621f207e149c93ad20fd577d2294edea61493ec6af111bd16c2dac271b7f0",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
|
|
"rule_name": "Account Password Reset Remotely",
|
|
"sha256": "c210414950ec31ff823c23d3d3144c70257e4474bcc736504d465eee96845cc6",
|
|
"type": "eql",
|
|
"version": 220
|
|
},
|
|
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
|
|
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
|
|
"sha256": "ce81951ab3d4a4fdf53ec1d89559c7146d3adb5b6d73f7e417446e8307628be9",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"rule_name": "Account Discovery Command via SYSTEM Account",
|
|
"sha256": "33c1f21b8ad943e006b0b8c052cb8e8e00dfc46a3d39b3b1baf2da061b691319",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"rule_name": "Exploit - Prevented - Elastic Endgame",
|
|
"sha256": "ea2ff866a53552d5f6b37d8fb6a24a980d6d123a4b964b5f369a83bf3fb5bbb6",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"28738f9f-7427-4d23-bc69-756708b5f624": {
|
|
"rule_name": "Suspicious File Changes Activity Detected",
|
|
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"28896382-7d4f-4d50-9b72-67091901fd26": {
|
|
"rule_name": "Suspicious Process from Conhost",
|
|
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
|
|
"rule_name": "AWS STS Role Assumption by User",
|
|
"sha256": "17710d0dbcea03fc56f14673739c1a5fba549bb4f21d8b2b4c3d2a0e24086871",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"28bc620d-b2f7-4132-b372-f77953881d05": {
|
|
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
|
|
"sha256": "d8189e4d4d87c58434d81440d509cddc5f5851df4ba905bf8d3efa83d8030eba",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"28d39238-0c01-420a-b77a-24e5a7378663": {
|
|
"rule_name": "Sudo Command Enumeration Detected",
|
|
"sha256": "c7e7e68e68ded776a6cb26f46fe6f7578514c8482e90a226136274592d1f964f",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
|
|
"rule_name": "Privilege Escalation via SUID/SGID",
|
|
"sha256": "a0f28f4019bcdc2ec46f08f84bfb25eb3a3c510c7a4e16bf8606a7b721157da4",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
|
|
"rule_name": "Shell Configuration Creation or Modification",
|
|
"sha256": "960cf081df43627f6f9371b360266a01b45c8d4bae647d0c1e9152c5bba3193e",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
|
|
"rule_name": "AWS EC2 Security Group Configuration Change",
|
|
"sha256": "910d019324ad543a1eb73a5b02ccfdecfc8069d437f9a352ec9ff0536760da80",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"290aca65-e94d-403b-ba0f-62f320e63f51": {
|
|
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
|
|
"sha256": "4bd4408885e9a117457d761703a208973169337ceb574c33f517d95f9b2e4c11",
|
|
"type": "eql",
|
|
"version": 320
|
|
},
|
|
"2917d495-59bd-4250-b395-c29409b76086": {
|
|
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
|
|
"sha256": "2218a1c255bf313d4fac1bfa65c89a0eaf83fb6b9e130f7b08b7b5006ec5fd01",
|
|
"type": "eql",
|
|
"version": 419
|
|
},
|
|
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
|
|
"rule_name": "Enumeration of Privileged Local Groups Membership",
|
|
"sha256": "88b3cbb633869eb4f1b3c56cf58082902524668f47bf9c0da1f9d71e5668dd67",
|
|
"type": "new_terms",
|
|
"version": 419
|
|
},
|
|
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
|
|
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
|
|
"sha256": "1537231ffbe3f9f7c4366b5fc908eb9fd04fc332d5810b920c40f450550dc123",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"29ef5686-9b93-433e-91b5-683911094698": {
|
|
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
|
|
"sha256": "cb837753dc5b1e38c537d26af1c4c7ce8ac7211509bf369afa0654a9045f21e4",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
|
|
"rule_name": "Linux SSH X11 Forwarding",
|
|
"sha256": "422904218232bf8f3987431c10b2f795fa972b2aef5a52beff47d02665c3e482",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": {
|
|
"rule_name": "Microsoft Graph First Occurrence of Client Request",
|
|
"sha256": "b4148f8d9943e630d980806e0c498a1c96623a4c53fbd882da857b6004a18c27",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"2a692072-d78d-42f3-a48a-775677d79c4e": {
|
|
"rule_name": "Potential Code Execution via Postgresql",
|
|
"sha256": "28deb348694abf862e1107f51e2ab84f574cb8042b7d896e63059d608eae04db",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
|
|
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
|
|
"sha256": "c92d0dedf58fe91d8544ae9e0e6b3bfd3e2d0e07b1ac785743deecf4313da818",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
|
|
"rule_name": "ESXI Discovery via Grep",
|
|
"sha256": "18bcbddcbb5f347ae6a6f316bc54875c97f2e2a4102849800b3600055a9c247c",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"2bca4fcd-5228-4472-9071-148903a31057": {
|
|
"rule_name": "Unusual Host Name for Windows Privileged Operations Detected",
|
|
"sha256": "09d0cf5e77010be2cc43c4031d377ce5839b0314b7c66300b0bbcf1eaef32711",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "5cabd557042d3452a4bd6b95008843d8d496d4c913bc33f5c9109c6df32a7080",
|
|
"type": "eql",
|
|
"version": 418
|
|
},
|
|
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
|
|
"rule_name": "Windows Defender Exclusions Added via PowerShell",
|
|
"sha256": "97edcf002d5b54384c4481eb6f11d314671d3d193ca79b8445658cbd54e0a2c5",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
|
|
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
|
|
"sha256": "94590de540b69a69312f51d1f069adec57f1c9744166166497c75c55d812574e",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
|
|
"rule_name": "Potential Foxmail Exploitation",
|
|
"sha256": "f9995a1f0a95afb24be29dd71a3ddf5c203bb6c2b32550ca795e94f59e06b674",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"2c74e26b-dfe3-4644-b62b-d0482f124210": {
|
|
"rule_name": "Delegated Managed Service Account Modification by an Unusual User",
|
|
"sha256": "21e09dab982fc75a8effbb761eed248ac52d6662278b026bc12407896cfda7c7",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"2d58f67c-156e-480a-a6eb-a698fd8197ff": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "Potential Kerberos Relay Attack against a Computer Account",
|
|
"sha256": "f447ca71b251486b3b8cedd1c5d1c3fd8ef2cc2d6d7fff0d4869dbe86bd982df",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"2d62889e-e758-4c5e-b57e-c735914ee32a": {
|
|
"rule_name": "Command and Scripting Interpreter via Windows Scripts",
|
|
"sha256": "02ff68c3e74a02dd1c10175b332be482843ce4eccac1fb124a8ca96b399b8705",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"2d6f5332-42ea-11f0-b09a-f661ea17fbcd": {
|
|
"rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
|
|
"sha256": "d304c5fb26b7457152ba6e6cc30c1004b3cd8c072c951f3451d6bc7d15b07dd1",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "32aeae8271aadc06ca29f0a5bdc384f811d8f1bc3da2df99cdaccfd42035f467",
|
|
"type": "new_terms",
|
|
"version": 213
|
|
},
|
|
"2dd480be-1263-4d9c-8672-172928f6789a": {
|
|
"rule_name": "Suspicious Process Access via Direct System Call",
|
|
"sha256": "725b9cc7320e57d8119fcc676c6b55409e1a37ea68929837b4e16654b6105966",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
|
|
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
|
|
"sha256": "97c58a6f4dc17b84d34829fb9627a541d04d868dc6fc2ccf9fc9b776b824aa2b",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"2de10e77-c144-4e69-afb7-344e7127abd0": {
|
|
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
|
|
"sha256": "06828e03ec49e22eab2ba0721f2ef363b4f5ed757bad891ae7b3c189f3ba1e64",
|
|
"type": "threshold",
|
|
"version": 210
|
|
},
|
|
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
|
|
"rule_name": "Wireless Credential Dumping using Netsh Command",
|
|
"sha256": "931d384242cb325d15e63af27218a647c2acce98a2c49398df4b115f0ac31854",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"2e0051cb-51f8-492f-9d90-174e16b5e96b": {
|
|
"rule_name": "Potential File Transfer via Curl for Windows",
|
|
"sha256": "24a5a79f109f05bf21d2f754c52ffc6b254ada0f09dc5a17a35dc19a34885963",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
|
|
"rule_name": "Renamed Automation Script Interpreter",
|
|
"sha256": "6a560a6ffcbba02c197efbaa1459015a7ee1a9f0dc30546961d0c558b4c86638",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
|
|
"rule_name": "Potential Process Injection via PowerShell",
|
|
"sha256": "4f26a82b4aa211fad7b97f56c12a4d21842d5b79785bd735f84a8af4ecbb505c",
|
|
"type": "query",
|
|
"version": 216
|
|
},
|
|
"2e311539-cd88-4a85-a301-04f38795007c": {
|
|
"rule_name": "Accessing Outlook Data Files",
|
|
"sha256": "91a6e248732a14c80990696a2fd6c4b667418459b6a00227136e0249a419f6bd",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
|
|
"rule_name": "Okta User Sessions Started from Different Geolocations",
|
|
"sha256": "34161e67dda644eb6d3c363c3518925d284fb179797218c5277aba283ee64021",
|
|
"type": "esql",
|
|
"version": 307
|
|
},
|
|
"2e580225-2a58-48ef-938b-572933be06fe": {
|
|
"rule_name": "Halfbaked Command and Control Beacon",
|
|
"sha256": "8e69b1881bc5d9e9b7cb08a41c64dfbc871b30af555dd21d9af9f47c6da2a3de",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
|
|
"rule_name": "Creation of a Hidden Local User Account",
|
|
"sha256": "fa987929fc52327c1216c3eb0cdeb12ad53aec394acd16dff1a1e3ade053edb0",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
|
|
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
|
|
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
|
|
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
|
|
"sha256": "3800e4eeb11bcd2d1f6285aea2e290d6efd3fee146ac7a3fd8be669f22d60db3",
|
|
"type": "query",
|
|
"version": 214
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "56419c8aa0b98cd941a5119ce9a289448d5a6fe496b9f1fca636ac3efc743b97",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"2f95540c-923e-4f57-9dae-de30169c68b9": {
|
|
"rule_name": "Suspicious /proc/maps Discovery",
|
|
"sha256": "9bcfd15c8355e1483f675042cfb8851e541357ff83b2185fcd81ded9aee9acbf",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
|
|
"rule_name": "Startup Folder Persistence via Unsigned Process",
|
|
"sha256": "ca7ce2c52ed307c8e0dfdc3196ada1ba7743edbe12ba4c4f6a5ee659403fa32b",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
|
|
"rule_name": "Windows Defender Disabled via Registry Modification",
|
|
"sha256": "a6bde68683d9c99f460b23f1e21e7f1ab65298609f2036cefc6cad4d24bfdfd4",
|
|
"type": "eql",
|
|
"version": 217
|
|
},
|
|
"301571f3-b316-4969-8dd0-7917410030d3": {
|
|
"rule_name": "Malicious Remote File Creation",
|
|
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"30562697-9859-4ae0-a8c5-dab45d664170": {
|
|
"rule_name": "GCP Firewall Rule Creation",
|
|
"sha256": "373eac2208e12bd5891af7081fd3241bc526ffffeb55efa28a459d5647c124c9",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"30b5bb96-c7db-492c-80e9-1eab00db580b": {
|
|
"rule_name": "AWS S3 Object Versioning Suspended",
|
|
"sha256": "e8038fba993b33fd9a9cba680cbdf6f6c2d75e00ede5f4405fad2dca66f1ec7c",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
|
|
"rule_name": "ESXI Timestomping using Touch Command",
|
|
"sha256": "0803b6abb72d53ff4e03e0a82bb6729e4adceebe4e21f5846840b73ad1105a91",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"30d94e59-e5c7-4828-bc4f-f5809ad1ffe1": {
|
|
"rule_name": "File Made Executable via Chmod Inside A Container",
|
|
"sha256": "64627b19064e86285343db76d24b4eef37ac65417aa2f240d10c8a0d06713876",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
|
|
"rule_name": "Network Connection via Sudo Binary",
|
|
"sha256": "c918463ab1db322045e0f55f3f228818397bb2734801b45cc6bdba9b29181ebb",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"30f9d940-7d55-4fff-a8b9-4715d20eb204": {
|
|
"rule_name": "Windows Script Execution from Archive",
|
|
"sha256": "9aa5c9aced2b2c00f42c467774366d05a2b8edd0dd84dcb6df6ffbac36efbebe",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
|
|
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
|
|
"sha256": "d0a538eca3e53a0b766d51bc2e1cfd3c7c34e55419b44ff625875fe71b156609",
|
|
"type": "new_terms",
|
|
"version": 7
|
|
},
|
|
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
|
|
"rule_name": "Agent Spoofing - Mismatched Agent ID",
|
|
"sha256": "7cec198919a09236965c3fdfd4b59f77b7f52143b5764447161b1098935d2ee3",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
|
|
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
|
|
"sha256": "a008c8165baa887d0f799ca34dbe16b08a499c28c83ca4cfcaac485bba2d9fb1",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "22a7b42cd7db90c18eec4376c4b459b6c966d9abf31f08e91303adf90d243eee",
|
|
"type": "eql",
|
|
"version": 320
|
|
},
|
|
"3202e172-01b1-4738-a932-d024c514ba72": {
|
|
"rule_name": "GCP Pub/Sub Topic Deletion",
|
|
"sha256": "92ce4a83bef3e49c7d7d4de7aad7116cf2ebb8f4deb88788ee2ef780d7e62b56",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"32144184-7bfa-4541-9c3f-b65f16d24df9": {
|
|
"rule_name": "Potential Web Shell ASPX File Creation",
|
|
"sha256": "706d6f81cd64e9b7c43d7e6547570fcd8295082645940422412c06cc142acb03",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"3216949c-9300-4c53-b57a-221e364c6457": {
|
|
"rule_name": "Unusual High Word Policy Blocks Detected",
|
|
"sha256": "5e62d95bdfadfdce8505ea429f74acce99d2c32d8fc2ca48883884f599022754",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"32300431-c2d5-432d-8ec8-0e03f9924756": {
|
|
"rule_name": "Network Connection from Binary with RWX Memory Region",
|
|
"sha256": "998725b58b5c35040d582310e4cd184d4e78cab9aebaf9bbe55dce7bfd31e54e",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"323cb487-279d-4218-bcbd-a568efe930c6": {
|
|
"rule_name": "Azure Network Watcher Deletion",
|
|
"sha256": "4f3560c2d4f086ef0ef0084c3ffb018e3b5da20844da3ef4f5c0fd12c051cd40",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"3278313c-d6cd-4d49-aa24-644e1da6623c": {
|
|
"rule_name": "Spike in Group Application Assignment Change Events",
|
|
"sha256": "d5a88c5d3cd16e0906a590a49c7ef668ec5f349624dbd24d53e48b0e0928742e",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "52eace0c1aa59cca6016fb9f15f526f1609d7dc2b94b05825d6f7a9b7a34ec3f",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
|
|
"rule_name": "Program Files Directory Masquerading",
|
|
"sha256": "a03ccf37c802b63d09323758b889879448364d3ce1787e95db677ef788265161",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
|
|
"rule_name": "M365 Portal Login (Atypical Travel)",
|
|
"sha256": "cd8506a92089084d040969a20d1ccc5b2fb5736e176ba3fb3e6339a0ea066f53",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "835cae7a4d3ce95fad31a8965f6443101566d4d85e7e1013fa1d8788fd80ffd0",
|
|
"type": "eql",
|
|
"version": 419
|
|
},
|
|
"3302835b-0049-4004-a325-660b1fba1f67": {
|
|
"rule_name": "Directory Creation in /bin directory",
|
|
"sha256": "d334b3b5e0cbaeb5d6399a7ab2af111cf2f4f90a72ec4c864463e7dced71e8ff",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
|
|
"rule_name": "AWS IAM User Addition to Group",
|
|
"sha256": "5751958a88f60f0c981a64662d1af1be4115fc8b2be682c1cb07105021293c30",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
|
|
"rule_name": "ESXI Discovery via Find",
|
|
"sha256": "c7b7f9f935e9474b3895d3a351676769b4d658903ed79cd92cd86631456f6b83",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"33c27b4e-8ec6-406f-b8e5-345dc024aa97": {
|
|
"rule_name": "Kubernetes Events Deleted",
|
|
"sha256": "0bf498be725596cb62f89e675d15ce2efcd2380aacacf369c0e088f4e3efa47f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
|
|
"rule_name": "Remote File Download via PowerShell",
|
|
"sha256": "09b1d81d0502706b885718655ac15e456d5dd6b94d4a9dd2eab8d63ea2cebfaf",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"342f834b-21a6-41bf-878c-87d116eba3ee": {
|
|
"rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container",
|
|
"sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
|
|
"rule_name": "GitHub Repository Deleted",
|
|
"sha256": "5b506ed4d8840b778d0b592753b40d79a8dd07c7bae0cf37aa6fd2b10f8933c6",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"349276c0-5fcf-11ef-b1a9-f661ea17fbce": {
|
|
"rule_name": "AWS CLI Command with Custom Endpoint URL",
|
|
"sha256": "d06be28d3364dbd350dea7c15a7869236ff9071a5f45073b7d34dc5d3ecfb65f",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"rule_name": "Accepted Default Telnet Port Connection",
|
|
"sha256": "25471abf314a6e6870ba5924b33e35fc68a643f8944d627af6505a08a298bc11",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
|
|
"rule_name": "Execution via Electron Child Process Node.js Module",
|
|
"sha256": "4ebbd5cfc55a9e5f65b0b34f53162cc5ffe1409cfc36197862c2df1b74591fd0",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
|
|
"rule_name": "Port Forwarding Rule Addition",
|
|
"sha256": "1cfa7770bfca864df1b18fd84d7c054c4f56be21ec171828d78e7b892f66e45d",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
|
|
"rule_name": "Spike in Bytes Sent to an External Device",
|
|
"sha256": "7561c0ed3d1c144a972a8eaa915a539f587e6ef68023c251fa8487c2ffd986ac",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
|
|
"rule_name": "Microsoft 365 Brute Force via Entra ID Sign-Ins",
|
|
"sha256": "0223f10070fdf5546242cb47177cef7a4b2b183ba9a1deb3b04ef8303d0723c9",
|
|
"type": "esql",
|
|
"version": 106
|
|
},
|
|
"35c029c3-090e-4a25-b613-0b8099970fc1": {
|
|
"rule_name": "File System Debugger Launched Inside a Container",
|
|
"sha256": "3127e57c1a692231a31a20d783e45dd5372621d16e598bf3c8917ebcee63c693",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "dbd205d0455f5c80c9c6ef5c0bc88b7a2028098a9aefde11c54d3b8b9f3fbcca",
|
|
"type": "eql",
|
|
"version": 319
|
|
},
|
|
"35f86980-1fb1-4dff-b311-3be941549c8d": {
|
|
"rule_name": "Network Traffic to Rare Destination Country",
|
|
"sha256": "f387323689ef2cf34009ce6de40a191fa010ffb20334c5a343789667490315d6",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
|
|
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
|
|
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"36188365-f88f-4f70-8c1d-0b9554186b9c": {
|
|
"rule_name": "Suspicious Microsoft 365 UserLoggedIn via OAuth Code",
|
|
"sha256": "67b5c49045dbc6a01a55180ea1f17a136b2ab1c100276532ea61421b798e9604",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"3688577a-d196-11ec-90b0-f661ea17fbce": {
|
|
"rule_name": "Process Started from Process ID (PID) File",
|
|
"sha256": "6165a31cec72ee460cd8e53b67fe0da967b0f32bbe123f7ad1243b90483dcb9d",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
|
|
"rule_name": "Suspicious ImagePath Service Creation",
|
|
"sha256": "8490f06845e72c6453d237d605f6cf7d0ad70db3477dc1eae14b87f8fb9dc42c",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
|
|
"rule_name": "High Mean of Process Arguments in an RDP Session",
|
|
"sha256": "dbbb08b080eb8a0dc6237a8fa9403fcee35c264da5f27da443d5e71553ddfd01",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"3728c08d-9b70-456b-b6b8-007c7d246128": {
|
|
"rule_name": "Potential Suspicious File Edit",
|
|
"sha256": "d63517c8906dad8af61b5965cf2b74af9be8714918eee953fe5fff9f31607e92",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"375132c6-25d5-11f0-8745-f661ea17fbcd": {
|
|
"rule_name": "Suspicious Microsoft OAuth Flow via Auth Broker to DRS",
|
|
"sha256": "e5b671ce06f5ad1ae25c9d980e8f28fb4dade80b6a6ac8785137e6ca22ba322d",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
|
|
"rule_name": "AWS RDS Security Group Creation",
|
|
"sha256": "214d63a52ae0355ff3cb42b688eefc344b7968960bacf35052c88b801ce22381",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"37994bca-0611-4500-ab67-5588afe73b77": {
|
|
"rule_name": "Microsoft Entra ID High Risk Sign-in",
|
|
"sha256": "1d35cfbce798e2708c203ef68dc41b4a78d4a8690f839136b3da3c56e2f7c659",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
|
|
"rule_name": "Anomalous Kernel Module Activity",
|
|
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
|
|
"rule_name": "AWS SSM `SendCommand` Execution by Rare User",
|
|
"sha256": "875a515147c0850d9b1d30b2c70e06da3654d604253413fa960d81ba9df5f424",
|
|
"type": "new_terms",
|
|
"version": 215
|
|
},
|
|
"37cb6756-8892-4af3-a6bd-ddc56db0069d": {
|
|
"rule_name": "Disabling Lsa Protection via Registry Modification",
|
|
"sha256": "bcda7d22eba2491baa39d158b4381eec6d1df82b9d2b4c534e474a7f7c384b0b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"37cca4d4-92ab-4a33-a4f8-44a7a380ccda": {
|
|
"rule_name": "Spike in User Account Management Events",
|
|
"sha256": "bd6a9507ccb771be5c4d84d5289168f672b66e36e548c57fb2b4c8c99b6fc847",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"37f638ea-909d-4f94-9248-edd21e4a9906": {
|
|
"rule_name": "Finder Sync Plugin Registered and Enabled",
|
|
"sha256": "b96238524f55ee991b4d048d01069616a1e1cd0bf41dd07a5f82e5c52387cb95",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "be1bd9b556ac557afbe8f745f307835a1dc26a7d90561ccfae0c1e6c05c8e6cd",
|
|
"type": "query",
|
|
"version": 414
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "fe0ac836d1b43d51e68aa54e4ef57826d67680dcf11888e6e66fc7b46063fe1d",
|
|
"type": "eql",
|
|
"version": 218
|
|
},
|
|
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
|
|
"rule_name": "Prompt for Credentials with Osascript",
|
|
"sha256": "7dd8ee328e2ef5fa7aafec424fdd0433a803f6b5ea76afe2f9d07ab2a427eb5a",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
|
|
"rule_name": "M365 Portal Login (Impossible Travel)",
|
|
"sha256": "c0b3fdff344187ba74e33c839e4148dff4b058f036d74c25ecf27ff52d71bedd",
|
|
"type": "threshold",
|
|
"version": 6
|
|
},
|
|
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
|
|
"rule_name": "User Added as Owner for Azure Service Principal",
|
|
"sha256": "0149f3fbd05885013991842d4ac8bb45ab8225000712d6748e8656d2498daefa",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
|
|
"rule_name": "External User Added to Google Workspace Group",
|
|
"sha256": "0489e57457017d44cad2f7c958d916daa747b2818dde332ed7113b56f323f582",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
|
|
"rule_name": "AWS EC2 Network Access Control List Creation",
|
|
"sha256": "91741e10ac5227692cd6659e65bdb206406e59a0bb49b4beb07ee9b30d3d6a23",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
|
|
"rule_name": "Downloaded Shortcut Files",
|
|
"sha256": "ded93faac0894e933d7149edc58d04b9fc25d90319023229ca2ac82a295aab13",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
|
|
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
|
|
"sha256": "de1af1001bd67fdd967b116f1da6193d98831a0be504bea9b4c08d2628929381",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
|
|
"rule_name": "Persistence via Microsoft Outlook VBA",
|
|
"sha256": "faeda0ecc334d9a83831ab6154315aeb7c2686fd6f4cd6f8244eefe72f46dd30",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"39c06367-b700-4380-848a-cab06e7afede": {
|
|
"rule_name": "Systemd Generator Created",
|
|
"sha256": "25ba6e20c27c3621267818e934eab5a0c72078569b9157f4bb103cada31022aa",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
|
|
"rule_name": "Potential DNS Tunneling via NsLookup",
|
|
"sha256": "a48541ec5ea28eba5a75f325730d4f1b8492343efbdee7039f65b368fd650367",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
|
|
"rule_name": "Suspicious Module Loaded by LSASS",
|
|
"sha256": "e71a8895b84bf69f2ef7b6d3e9eafc406daeda7066b2dd7b15f74627bead842c",
|
|
"type": "eql",
|
|
"version": 12
|
|
},
|
|
"3a657da0-1df2-11ef-a327-f661ea17fbcc": {
|
|
"rule_name": "Rapid7 Threat Command CVEs Correlation",
|
|
"sha256": "578f758b47b1aead0b38e093c09d6cf0b68b2f4f3b8412cb9e7a7aec89f7c7c9",
|
|
"type": "threat_match",
|
|
"version": 107
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": {
|
|
"rule_name": "WDAC Policy File by an Unusual Process",
|
|
"sha256": "2f64969093014bc671fc8724aeb9018b2690f30500934734c6a4a0b25bc995f3",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "b2370cf022a97844dc68bdabfcf7602ace007aad1da28145f9832a3f8104bcc9",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
|
|
"rule_name": "Azure Full Network Packet Capture Detected",
|
|
"sha256": "ae0ed62bab848d26860958b2c45d2cd88da41b853757ebe321cef8a8bb8944c1",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
|
|
"rule_name": "First Occurrence of IP Address For GitHub User",
|
|
"sha256": "c0626b7b44094eb5cd17b89cda0c31f0c21f15dd3046b942a9ad486892cfe07e",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"3aff6ab1-18bd-427e-9d4c-c5732110c261": {
|
|
"rule_name": "Suspicious Kernel Feature Activity",
|
|
"sha256": "b19a71af0dd3d0c65908e3a07b6073800094a1af6be7b8e8457d6de5650bf438",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"rule_name": "Malware - Prevented - Elastic Endgame",
|
|
"sha256": "e1d1e24c41ffc15f2af27ca5bffcae7132edad1fef3f0ae1b8f21d8428eedda5",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
|
|
"rule_name": "Unusual Parent Process for cmd.exe",
|
|
"sha256": "440c3ea8936f58e36bcf475f0e64f03e4fd2a222675ac584b203256450b3b70e",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
|
|
"rule_name": "NTDS or SAM Database File Copied",
|
|
"sha256": "aa63bdc2a7538eec3f979380907645702455792bf47303a3d54536b535759cbb",
|
|
"type": "eql",
|
|
"version": 319
|
|
},
|
|
"3c216ace-2633-4911-9aac-b61d4dc320e8": {
|
|
"rule_name": "SSH Authorized Keys File Deletion",
|
|
"sha256": "98046f7aa4814a8e89b796fd8e48e7ff0565d43c5ce60bbac8daff38428938f0",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"3c3f65b8-e8b4-11ef-9511-f661ea17fbce": {
|
|
"rule_name": "AWS SNS Topic Created by Rare User",
|
|
"sha256": "f95af67b1718bc838064eb5cff6a41b8318bf03fe0193dc1b2edfb9c75e81dd5",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": {
|
|
"rule_name": "Potential Impersonation Attempt via Kubectl",
|
|
"sha256": "4597696932e3aa9c2338fbf7be2a82d5cd5fb2964dd01eae70f7b1e4bf1bef72",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "e28820cdef8824c303418b68a7e76996a4b6f9692520a06646c81c82c8ab4d6a",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"3c9f7901-01d8-465d-8dc0-5d46671035fa": {
|
|
"rule_name": "Kernel Seeking Activity",
|
|
"sha256": "d8db5d368e080f90d2cc4d955ea26f2b786f55c3bd04d25030630e62d4b78024",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
|
|
"rule_name": "Unusual Pkexec Execution",
|
|
"sha256": "8ce31a70b33672aafcd5575458c4191b1a0acbff1ab3e944ee3fc75d063993e2",
|
|
"type": "new_terms",
|
|
"version": 105
|
|
},
|
|
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
|
|
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
|
|
"sha256": "ec1f9a5db847b5ee7337de5d58e367e15d071615a3da8502f74073a8b94a0699",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
|
|
"rule_name": "PowerShell Script with Log Clear Capabilities",
|
|
"sha256": "ed6a046d68911151897cfdcf2a0520e0a12b11fffcb854b12c8e2cbde2d954b1",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
|
|
"rule_name": "AWS SNS Email Subscription by Rare User",
|
|
"sha256": "c83ec09fca8600fea07fc5cf1b06c642fbc48905ebdaf13aaa4ee47a02113828",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "3b78f735a76296059bda2f739f4559826f4d8518abc0fd001d20fb424a6a7d01",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
|
|
"rule_name": "Spike in Number of Connections Made from a Source IP",
|
|
"sha256": "016467d7811dbed00476cc447016562141917373e312230a7d3573d566e96ae6",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
|
|
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
|
|
"sha256": "ad39e0da9f1528903f7b948f8722a764d84af29138f38e7e451b2b69d31dda52",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
|
|
"rule_name": "Kernel Driver Load",
|
|
"sha256": "1cfc003150210222cb170a89f51cbb0bee81d70c92b6c8e2693294d342150c76",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"3e3d15c6-1509-479a-b125-21718372157e": {
|
|
"rule_name": "Suspicious Emond Child Process",
|
|
"sha256": "4fa0ac66cb92ef74e5a36e307cba5dfe26c171ba3a6bd0eb01fc3749398e7eb4",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
|
|
"rule_name": "Potential Remote File Execution via MSIEXEC",
|
|
"sha256": "cb3453ce4f1b900e13227ac8b2a43f98f7f8ec2fadf350c28db58c5506bf5858",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"3e528511-7316-4a6e-83da-61b5f1c07fd4": {
|
|
"rule_name": "Remote File Creation in World Writeable Directory",
|
|
"sha256": "e968fb193f4905138eebbc7e67f37d5b0111d0d3c09e330d342b47fe4e49d39a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "fa87191c3cf871683d788f6c4d5cc2edb041153f3a910a86bb2f52dd63f9bf30",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "c0abb71eca9e028ab82101da58ff61404406b4478f3dc27ff4585f8a484b1bc9",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"3efee4f0-182a-40a8-a835-102c68a4175d": {
|
|
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
|
|
"sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f",
|
|
"type": "threshold",
|
|
"version": 208
|
|
},
|
|
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
|
|
"rule_name": "CyberArk Privileged Access Security Error",
|
|
"sha256": "3eb94d24ef340393e84bcccc412d51e707667d2b28aaa9d880f3fffa449e518f",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
|
|
"rule_name": "Potential Protocol Tunneling via Chisel Client",
|
|
"sha256": "e18262459f2b99f78b7faec42f0133ef7cedced09e4474fe2cbe02c68311d06c",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
|
|
"rule_name": "Binary Executed from Shared Memory Directory",
|
|
"sha256": "0e35e31aa1f0b62be4a6548d2b2e07aecac4513b2fee0f8ca7013f7111027fc7",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
|
|
"rule_name": "Process Discovery via Built-In Applications",
|
|
"sha256": "8db85a6516d24cb122416ce246f44d2e341a2c0ead1223e3c849c0a020ac3420",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
|
|
"rule_name": "Unusual Time or Day for an RDP Session",
|
|
"sha256": "d632667d0e14ade78c1787c32a0a5345f42684f5878a360c8941eecb586f9e79",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
|
|
"rule_name": "Command Execution via ForFiles",
|
|
"sha256": "52dfba1710882deface62f84708fd3cccd841f5ddf31288b8eeeb5086022ae37",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
|
|
"rule_name": "Microsoft Entra ID MFA TOTP Brute Force Attempts",
|
|
"sha256": "e24bea46745eaea032be645e39a5121b68afd6151e6a1cb54438d89df40610e0",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
|
|
"rule_name": "DNF Package Manager Plugin File Creation",
|
|
"sha256": "8cb8fa19e84518bb9c07cf8eb073fa9c1010185a7434041bc2feaaf435acb023",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
|
|
"rule_name": "Unusual Process Spawned by a User",
|
|
"sha256": "861bb0285ecfc831be0ed890516dad1897e980cd14f45cfb90f50367e05fdcc9",
|
|
"type": "machine_learning",
|
|
"version": 110
|
|
},
|
|
"4021e78d-5293-48d3-adee-a70fa4c18fab": {
|
|
"rule_name": "Potential Azure OpenAI Model Theft",
|
|
"sha256": "f5943841572ea047091c8d64f568053c517e10ee41b48cb5f13a403583415c62",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
|
|
"rule_name": "GitHub User Blocked From Organization",
|
|
"sha256": "7b0f9689a8a45ba9dde72567402b194089a439875f380ef1ece3fbea910dfe3a",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "3b86134e6a85714e4676aa01b2952e1a4936c55d61269d6858ab4364c23badd8",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
|
|
"rule_name": "Suspicious Modprobe File Event",
|
|
"sha256": "f74b29a60a90fdca80a92b306db20a9ad31e53709a4d46bea0308cb9f1bde95c",
|
|
"type": "new_terms",
|
|
"version": 110
|
|
},
|
|
"40e60816-5122-11f0-9caa-f661ea17fbcd": {
|
|
"rule_name": "Entra ID RT to PRT Transition from Same User and Device",
|
|
"sha256": "cd97bacbb3e7425efbda7be5344388dc13d2fe490acd5adb2f25e7dbdcb558ee",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"40fe11c2-376e-11f0-9a82-f661ea17fbcd": {
|
|
"rule_name": "Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails",
|
|
"sha256": "2b4c21afcd84ae10ad9914fe8bd9cbce95d0bb7876d9b07c65c5a750e25048f1",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
|
|
"rule_name": "Unix Socket Connection",
|
|
"sha256": "f9818727aa0de6e62f321106e05a53d222d1d6f05fea7da47f6428bb18106dce",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"416697ae-e468-4093-a93d-59661fa619ec": {
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "fe7c4d3464cff0dabddfb6424b2fbd4e36eedae5bf156da320f3a9f43d4068cb",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
|
|
"rule_name": "First Occurrence of User-Agent For a GitHub User",
|
|
"sha256": "d477cd8806d2e4ac6a2cce05b31c62e2f311c41d8fbafe32e550d4e5f2d953cf",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
|
|
"rule_name": "EggShell Backdoor Execution",
|
|
"sha256": "c6db4a83796d7cf928722343a6a4db5399169434467a6a3af013e63c9ec4b104",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
|
|
"rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
|
|
"sha256": "c5f336182037e4433738832b6d5bc28d622dd67871af0e6e43f012b1667671f1",
|
|
"type": "esql",
|
|
"version": 7
|
|
},
|
|
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
|
|
"rule_name": "Potential Hidden Local User Account Creation",
|
|
"sha256": "516ad5a0c30748314f1cd52da501ad91627b02886e06d85affdabc86ebb8a38f",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
|
|
"rule_name": "Deprecated - Mount Launched Inside a Privileged Container",
|
|
"sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
|
|
"rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container",
|
|
"sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
|
|
"rule_name": "Login via Unusual System User",
|
|
"sha256": "1ff8ccd39dcd1e5f4d40b9976c9c305434c1af042566d632ffe584ca76c9b0d2",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "f2cddaf0e60500a194a108dfe0e27c92610bd4a455cdc6613c978dffd06b1881",
|
|
"type": "threshold",
|
|
"version": 415
|
|
},
|
|
"42c97e6e-60c3-11f0-832a-f661ea17fbcd": {
|
|
"rule_name": "External Authentication Method Addition or Modification in Entra ID",
|
|
"sha256": "c84e14522bf4143797aa4ed6cf8ff7b32cfb30da267e0506fb557c6680139281",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"42eeee3d-947f-46d3-a14d-7036b962c266": {
|
|
"rule_name": "Process Creation via Secondary Logon",
|
|
"sha256": "321279138933588e4cd1959d5601b2daa6fa30ac3195d4bcfa1842501c66222d",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "12ada8027cc4b74be40a4135f2de36c58b9e21027dd2c0987441b08f97e69590",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
|
|
"rule_name": "Linux User Added to Privileged Group",
|
|
"sha256": "38b1b4f54bdb9c4893af98f0643302460fc5ec8dd4fcdc32bb2280d9c6ebaca8",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "b9df7ce43be836f72812813398926c6d65b207b67ed79c5de0687dc3e1ff82fc",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "3620bec2f351c8445f9975f73413065df3dfadbb936c41d6823c708a960d9ba9",
|
|
"type": "machine_learning",
|
|
"version": 210
|
|
},
|
|
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
|
|
"rule_name": "Potential Masquerading as VLC DLL",
|
|
"sha256": "a3ea7556a748c2042b4ddc53356093c97193a916b4a367701ae9c45c75e2d656",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
|
|
"rule_name": "Multiple Vault Web Credentials Read",
|
|
"sha256": "ba626ae140ee500b51b56f1fca6b0eaf817eab8f0c540706fe7c3579779d1309",
|
|
"type": "eql",
|
|
"version": 115
|
|
},
|
|
"453183fa-f903-11ee-8e88-f661ea17fbce": {
|
|
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
|
|
"sha256": "60f64fc9a10ac0ad67673b4e47411ef41734e6d8b8d851e2350c4242f731c9eb",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
|
|
"sha256": "a9591128215a5ec0b9ebce85a74cbb8d346e601ad9c1a77447b066f0d77cee20",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
|
|
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
|
|
"sha256": "0a49b0bc11b7b7734b51c058fb7b983d9dc746749a1489031c26efc399d833fb",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
|
|
"rule_name": "Windows Event Logs Cleared",
|
|
"sha256": "bee917766b11138e5e5ef204095d1635504bfc3802adeba79a2740870b10cde5",
|
|
"type": "query",
|
|
"version": 215
|
|
},
|
|
"45d273fb-1dca-457d-9855-bcb302180c21": {
|
|
"rule_name": "Encrypting Files with WinRar or 7z",
|
|
"sha256": "976a7216513f549bc9459fe3a970cfbef0d4d4e058c30ff781aa46a3b6c302c4",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "bf0dc3f9af62bcf975d6708ddea0834bfc5563351cec9db10181d602016abb45",
|
|
"type": "eql",
|
|
"version": 319
|
|
},
|
|
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "e4d8e7444b42bd9bae0893dacdaa1532c6cc36480a2100ee2ae9a27922f2b0b3",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"46b01bb5-cff2-4a00-9f87-c041d9eab554": {
|
|
"rule_name": "Browser Process Spawned from an Unusual Parent",
|
|
"sha256": "7a34269b905c935b622166cefde9ec843b43f40a4c1f33fea3cf3b297c84d4bc",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "6c4cc176cfcf4e1333279896e4a7af3d18d9b540a8dde255d48339baeeba33b8",
|
|
"type": "machine_learning",
|
|
"version": 108
|
|
},
|
|
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
|
|
"rule_name": "System V Init Script Created",
|
|
"sha256": "962ab60a7b6b0263c7388f0355f15fac1e3a3d9003b2d0ab2d625af6b790d76a",
|
|
"type": "eql",
|
|
"version": 117
|
|
},
|
|
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
|
|
"rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
|
|
"sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"476267ff-e44f-476e-99c1-04c78cb3769d": {
|
|
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
|
|
"sha256": "d4cf683f05e6166f5ded6247948a4c8098ccebb8419921179ed3b00c4b7575f1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
|
|
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
|
"sha256": "8727fc826eaf7015ccceac437bcdc362a2208c80673423bc328d80ba495085c1",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"47f76567-d58a-4fed-b32b-21f571e28910": {
|
|
"rule_name": "Apple Script Execution followed by Network Connection",
|
|
"sha256": "b4330f7c0ad66d1ea72157d55fa7ee76b34f1a8874ea8a9125aa105875f73fdb",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "efe13789f0e114a22962a031a630587a9068815b16a6fecfd9212043b5c8e175",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"48819484-9826-4083-9eba-1da74cd0eaf2": {
|
|
"rule_name": "Suspicious Microsoft 365 Mail Access by Unusual ClientAppId",
|
|
"sha256": "2be611553ebbaec865d5d3f80c0a9c513bbbfca9ffa3bd72f429e49583f6150b",
|
|
"type": "new_terms",
|
|
"version": 111
|
|
},
|
|
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
|
|
"rule_name": "Potential Reverse Shell",
|
|
"sha256": "682081ebf08f8dc40fd707e604925f72f87f95b22325ffd57df9b97158e99a19",
|
|
"type": "eql",
|
|
"version": 13
|
|
},
|
|
"48b6edfc-079d-4907-b43c-baffa243270d": {
|
|
"rule_name": "Multiple Logon Failure from the same Source Address",
|
|
"sha256": "4c73316143920ff67023902a288992409ad2105e7cf86e260ec1123a2699b99e",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
|
|
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
|
|
"sha256": "be6c7b51b8751b54b6b8c450645ccbe983f6d0ad6b84552de2019226faae60b8",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"48e60a73-08e8-42aa-8f51-4ed92c64dbea": {
|
|
"rule_name": "Suspicious Microsoft HTML Application Child Process",
|
|
"sha256": "ca1b5ca19262980e5766116e70f08a65f1eed7775f88a4c285ba663ed4106a12",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
|
|
"rule_name": "Potential Persistence via Periodic Tasks",
|
|
"sha256": "20d159f7d05efe06ca199cdaaa7dbfd309d575bb0863bb8a3abb182ce79e8ac5",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
|
|
"rule_name": "Remote XSL Script Execution via COM",
|
|
"sha256": "e4bf09e686462fb9baf9d6d83508dc82620348bfe2ed3c7d1168344e63c8d406",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"493834ca-f861-414c-8602-150d5505b777": {
|
|
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
|
|
"sha256": "6144987feeea5f57fa67484e121452ca28b0a522c8ee105f48e14de7fd4ef115",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
|
|
"rule_name": "Potential Linux Backdoor User Account Creation",
|
|
"sha256": "203e85a7c03c95927f253ca2323d1e74806a1c4a6d76262e1fa80d146b2751dc",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "ddbea71b52b73ad21036e2450178461c83e9d6076e9758efe70ec27b6f51afc4",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
|
|
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
|
|
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
|
|
"rule_name": "Process Discovery Using Built-in Tools",
|
|
"sha256": "b60d914ff82331c9df019f7f02dab5a3856abc22e83b6d282f63f36bf0ab59af",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"498e4094-60e7-11f0-8847-f661ea17fbcd": {
|
|
"rule_name": "OIDC Discovery URL Changed in Entra ID",
|
|
"sha256": "8f940ce690e48db3775aed4269c61cf79ee17ca1d9632ad3edf914233b972974",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
|
|
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
|
|
"sha256": "dd05e7d6c7892b37af6ce478458d3a6f3871020996bc0929e482c9e16fb134cd",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
|
|
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
|
|
"sha256": "7f532fc29bf742276d5db169adf2fa693048bc742956ab2ae382d86ff58b0259",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
|
|
"rule_name": "Potential Cross Site Scripting (XSS)",
|
|
"sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"4ae94fc1-f08f-419f-b692-053d28219380": {
|
|
"rule_name": "Connection to Common Large Language Model Endpoints",
|
|
"sha256": "c76a051731982498c30d4de759dd360f9f9dd6617102e0143a3ed622b1280d5c",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
|
|
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
|
|
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd": {
|
|
"rule_name": "Entra ID Protection - Risk Detection - User Risk",
|
|
"sha256": "c5af00471be7064f2bfaee19936213324f7b4fa530bd99fdc16906ebab0a5800",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "8b0ebf29f24beae56eb99431550627a0e281254d764c3580a9a8d69ce2e6b145",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
|
|
"rule_name": "Deprecated - Container Workload Protection",
|
|
"sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"4b74d3b0-416e-4099-b432-677e1cd098cc": {
|
|
"rule_name": "Container Management Utility Run Inside A Container",
|
|
"sha256": "773a6f1539f3ddbe4a7ccc56216caa6b20e7fd231b42179cae8005b092865955",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"4b77d382-b78e-4aae-85a0-8841b80e4fc4": {
|
|
"rule_name": "Forbidden Request from Unusual User Agent in Kubernetes",
|
|
"sha256": "8bdae1dfa71ac3ac4496f71a3ac201fb9856ea16bc90b26ae24513284927a10e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
|
|
"rule_name": "ProxyChains Activity",
|
|
"sha256": "a2f3041ace29c4bbcf9f47317a9879af99a7c0ab0dedecae18edc28453c04398",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
|
|
"rule_name": "Unusual Process Writing Data to an External Device",
|
|
"sha256": "be73c5ed12e0253799f57a2dc46812a22b59acc194e0151b9a0b49121a071e60",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "08f92365c8289d32623711be239952da8e2d840c26fc0c8cd00126ee17684e8f",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"4c3c6c47-e38f-4944-be27-5c80be973bd7": {
|
|
"rule_name": "Unusual SSHD Child Process",
|
|
"sha256": "ab437647e4c42b5dbbef390721e127a7bbb847211dbd4e8525aba85f0bcc36c9",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
|
|
"rule_name": "PowerShell Share Enumeration Script",
|
|
"sha256": "c6ad717010035336451a227f68b1e9c169b8913d0c8d3227bc0c19dc890a6e97",
|
|
"type": "query",
|
|
"version": 113
|
|
},
|
|
"4d169db7-0323-4157-9ad3-ea5ece9019c9": {
|
|
"rule_name": "Potential NetNTLMv1 Downgrade Attack",
|
|
"sha256": "8dc9a67886d1c45cb259c5bc2ca6d2a2b56e44b4afdaae58c692f7b3a58b3d6a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
|
|
"rule_name": "Kernel Load or Unload via Kexec Detected",
|
|
"sha256": "7582f3655463b124e403267694305115a82d73b7b14e99c7f49b282ab921e75b",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"4d4cda2b-9aad-4702-a0a2-75952bd6a77c": {
|
|
"rule_name": "Docker Release File Creation",
|
|
"sha256": "33b5e88b7d8ea5375efa4f55d9b3362062f9efa89840cf4bc6b11ccb256ceb28",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
|
|
"rule_name": "AWS Management Console Brute Force of Root User Identity",
|
|
"sha256": "46fed600c5e09c71e595ea8fba723e6da3eca531ac34ece084bb236a5755e711",
|
|
"type": "threshold",
|
|
"version": 210
|
|
},
|
|
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
|
|
"rule_name": "Attempt to Disable Gatekeeper",
|
|
"sha256": "eec67c093d03b4278ef06c5c3fb57728ac4e7f26c2fd9148fa049687b0874c0d",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "6f71b90d34a16c61fe28ce3de74b6384b3e873433f05c7fd24a99a9f8b899303",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
|
|
"rule_name": "Multiple Logon Failure Followed by Logon Success",
|
|
"sha256": "80ac76f8070bb71bd567002e3c114ed7ee36b1536213b3e0e5a26a68bb3077c9",
|
|
"type": "eql",
|
|
"version": 115
|
|
},
|
|
"4ec47004-b34a-42e6-8003-376a123ea447": {
|
|
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
|
|
"sha256": "74e26fb0e62373ce01b09f8a4c7b6e7218dd547ecfbe74fd717f70f68611365a",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "e83d31d2f2045bd4a904365e77ede3c00d17f5969f78df29b0379fc1612ea527",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
|
|
"rule_name": "Suspicious Script Object Execution",
|
|
"sha256": "72dd52f88f0c957bd2e6d26f2d78ea3aecaf8ebbbc994fcc72baf28fce12fc4c",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
|
|
"rule_name": "Unauthorized Access to an Okta Application",
|
|
"sha256": "1da534261dd74dbfe7a88a3120ea11d3178d0d7d15bc26c55663375b183b66ce",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
|
|
"rule_name": "Kernel Unpacking Activity",
|
|
"sha256": "e14fa44d0e76ad8d310dad540237720902ad9918b75467ed552a078192a3890e",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
|
|
"rule_name": "Unusual High Confidence Content Filter Blocks Detected",
|
|
"sha256": "e5102d089042d08384dbb93e20f1d6ca500573c87d6000063ca8dabf14ba8ce6",
|
|
"type": "esql",
|
|
"version": 7
|
|
},
|
|
"4fe9d835-40e1-452d-8230-17c147cafad8": {
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "0f48a61ca555356c3d245243f9e62a82d9a3dc30915701f68c281590c1712afc",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
|
|
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
|
|
"sha256": "f2424834e44a69340ce5568b0d5fe81eba881e0c3a8bef999f8951a46b3106a2",
|
|
"type": "threshold",
|
|
"version": 209
|
|
},
|
|
"50a2bdea-9876-11ef-89db-f661ea17fbcd": {
|
|
"rule_name": "AWS SSM Command Document Created by Rare User",
|
|
"sha256": "28b1e5a0e4c3e07dd157f7004dca638856150b66910942f40ebe3de18fc16311",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"51176ed2-2d90-49f2-9f3d-17196428b169": {
|
|
"rule_name": "Windows System Information Discovery",
|
|
"sha256": "92df936b5c9f8126935576c6ee8792aa9b49ee7ab49dd26a96de5d5812293028",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
|
|
"rule_name": "Hidden Files and Directories via Hidden Flag",
|
|
"sha256": "ec87bac168b19acd672bf169318034196e34dd110a7fdc2c70679006f0e079d7",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "1210bd635a5f10b91c32ed2675bbce9dd1590f829d331d1646fc29bef344b08f",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"514121ce-c7b6-474a-8237-68ff71672379": {
|
|
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
|
|
"sha256": "58ea68c7a5835e3d3b99fae848f9ae03126d3671516751da965905ddceaf3253",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
|
|
"rule_name": "GCP Logging Sink Deletion",
|
|
"sha256": "2d8881e424afe188907789186fdf2aade7107730fdb292c3ba0aa7f9193281ac",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"5188c68e-d3de-4e96-994d-9e242269446f": {
|
|
"rule_name": "Service DACL Modification via sc.exe",
|
|
"sha256": "129e731066612ab4f0fb68a77299875530e032fda26945ae4b97f420099df286",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
|
|
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
|
|
"sha256": "883d26b9d63521a8b567e833d0a2fbf7362d9126c72b7e50d1a63681488fe72f",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
|
|
"rule_name": "Incoming DCOM Lateral Movement with MMC",
|
|
"sha256": "f00b370497ce5969ecadca0e206dee295d1ff4035feecadd855b451da24e4b8f",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
|
|
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
|
|
"sha256": "d30947ea5cc2e26d513094401fea71311ebfd5eaedb57952d615b084bae10e02",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "b6f73e3443bb342cf69d377c5c8b571e9ab5ac56cda6280a5e3cd24691472b15",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"52376a86-ee86-4967-97ae-1a05f55816f0": {
|
|
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
|
|
"sha256": "e1fb508059c6652d413df5acfb4e4d3e699d3220df1821f42fb7c53dfbd55edf",
|
|
"type": "eql",
|
|
"version": 117
|
|
},
|
|
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
|
|
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
|
|
"sha256": "a646f739b6321105caf7f40d15ddb77bc29668a1f12c883ed026d7680fe6061a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "90812c1c9901f3f69bc370a453a057fbf7475807091099873d900dc451e7c486",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "ab770d636e60e934030892c3300fbde621dafef776555bd84887bb2d146ec07d",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"530178da-92ea-43ce-94c2-8877a826783d": {
|
|
"rule_name": "Suspicious CronTab Creation or Modification",
|
|
"sha256": "1dade4110ac7b55a500a7fe97a1a86de13e5858a566842318543c910dafe18e8",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
|
|
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
|
|
"sha256": "937b80edc9af486f626f90a862b96a362dc3fa4fd55e45096b3780dc6d57a408",
|
|
"type": "new_terms",
|
|
"version": 14
|
|
},
|
|
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
|
|
"rule_name": "AWS EFS File System or Mount Deleted",
|
|
"sha256": "0937e3ed0e1bfaded40e2d98b86747c93987130ca395825e0d477467a192e258",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
|
|
"rule_name": "Azure Diagnostic Settings Deletion",
|
|
"sha256": "4b6405dd5a810aff9d79987d733ec66824d5af7e259804deb115f5335145e643",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
|
|
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
|
|
"sha256": "7298e067ae7df7ada3b5061b2f4fddbd40508f911cf0156071f9a0fd3957e8e0",
|
|
"type": "query",
|
|
"version": 9
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "d0f06b830a6476ff9a07972ea36ba0f652acd5ae46fa229d3630f98e5857443a",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"53dedd83-1be7-430f-8026-363256395c8b": {
|
|
"rule_name": "Binary Content Copy via Cmd.exe",
|
|
"sha256": "0294867fbd8ba3c9141d4557d0eca1f503d2bc94440bee39f8aad70295442ea2",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"53ef31ea-1f8a-493b-9614-df23d8277232": {
|
|
"rule_name": "Pluggable Authentication Module (PAM) Source Download",
|
|
"sha256": "6561e4ef2050da23f60447670d9e59c3ddfa0c5da7d115c2deb810ca982fbf21",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "85b3ae783986f75b82921357341bc4ee866a9da2bf84fdf8a1c810f6ded404b1",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"54a81f68-5f2a-421e-8eed-f888278bb712": {
|
|
"rule_name": "Exchange Mailbox Export via PowerShell",
|
|
"sha256": "f3db37c5995ca1922f0f5ef5d8f42c98be68375486e044c65fe06e76e3aa763a",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
|
|
"rule_name": "Network Logon Provider Registry Modification",
|
|
"sha256": "8559ba99f619be1e87b32244f4b2d26bb2bc5c1d0c40ea0780192ab395054472",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
|
|
"rule_name": "Windows Service Installed via an Unusual Client",
|
|
"sha256": "ca9db385c3cfb574b246035ad74f0343c577db921ac9a6e0341c758e17e26ca2",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "e668e79265b55406cd93383522749d6bce039b43589478b9a489a0a5b77b8b67",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
|
|
"rule_name": "Windows Installer with Suspicious Properties",
|
|
"sha256": "a8fdb430eef1c2a8a281cadce30763cc48c12db7cd45cafcc018d558cac60d8d",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"55f711c1-6b4d-4787-930d-c9317a885adf": {
|
|
"rule_name": "Suspicious Execution with NodeJS",
|
|
"sha256": "703c739baa06c65f081e0a6f4d49107b415aef292f2d9e69d0ee75fe9768e379",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"56004189-4e69-4a39-b4a9-195329d226e9": {
|
|
"rule_name": "Unusual Process Spawned by a Host",
|
|
"sha256": "eca5395ab95a933bd111e9188d2ae22c48eb93cb47655489d123e4414dabfe5f",
|
|
"type": "machine_learning",
|
|
"version": 110
|
|
},
|
|
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
|
|
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
|
|
"sha256": "e5063799ab10aae18df8b80273efb3ce5480722024992f100e3a70f3f4ccd897",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "3a242f21a87f21c464c0cfe42e52881f5dca8297e5ceb5cbb98215aaa42fe75d",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"565c2b44-7a21-4818-955f-8d4737967d2e": {
|
|
"rule_name": "Potential Admin Group Account Addition",
|
|
"sha256": "4ce263d173a70707a23ec71e9d047dcaa6073d6e38f210d0ccf8ebc29318b608",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"565d6ca5-75ba-4c82-9b13-add25353471c": {
|
|
"rule_name": "Dumping of Keychain Content via Security Command",
|
|
"sha256": "e402572e5dc8c2c7305905227898b75e4d1a151ec425b3c8b433e5816cd325d4",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
|
|
"rule_name": "GCP Logging Bucket Deletion",
|
|
"sha256": "01315f67e14fa8ba6873b6f6773f13ff2b404f9a5e551ab293a0bab6031404d0",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": {
|
|
"rule_name": "Windows Sandbox with Sensitive Configuration",
|
|
"sha256": "94be0dc595363ca7f2604e399af5a08685b8fe50a3780c410ab319cb8637a99d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "09a841c5118a34b8d536f6f40cebadb5f41059cc12cbb7dc807ab4f32267e616",
|
|
"type": "query",
|
|
"version": 316
|
|
},
|
|
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
|
|
"rule_name": "Execution of an Unsigned Service",
|
|
"sha256": "962e242f06e97443f0e68323e3eb817e85896b5eb926c984b30c2ec8d960498e",
|
|
"type": "new_terms",
|
|
"version": 107
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "a2ea199f37920a1f0bdc7b5a401338b7ac2ee4316586ee61f879f019c7fb7854",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
|
|
"sha256": "c7c3ab0c50a276ad16b97c50145d1b1c44b1d09b2582d5f75868b68006f33c2b",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
|
|
"rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted",
|
|
"sha256": "914135ecccac7234592a2f0c768301fedcf43c6c78e8ec8977774bcd9ecb70aa",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"5749282b-7524-4c9d-af9a-e2b3e814e5d4": {
|
|
"rule_name": "AWS Credentials Searched For Inside A Container",
|
|
"sha256": "f8644d6a140c9e4255e5fa4b6887d40afb1e96a0f5b1a8d390b2f0fe9694c61b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
|
|
"rule_name": "PowerShell MiniDump Script",
|
|
"sha256": "cb30764dd830c6b3280ea3ae57751b9f7e01af80dcb5d53a1a9acc14281aa3d8",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
|
|
"rule_name": "File Staged in Root Folder of Recycle Bin",
|
|
"sha256": "200c9a6cf6ea2b424d9f8f4c5fdef6b620058afef51217c3581d139a0f79adf3",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
|
|
"rule_name": "DNS Global Query Block List Modified or Disabled",
|
|
"sha256": "45f445274735262eed52517014047be86ee5efa40278bfde4ec07e09ad01577a",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"rule_name": "Backup Deletion with Wbadmin",
|
|
"sha256": "bd99f1c1dc1bbc1957f29cd1c182ab5d00d9770fd4dd77a724fee4634f6f8135",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": {
|
|
"rule_name": "Unusual Web Config File Access",
|
|
"sha256": "b794e93559c621d6e245068b3dbad5a07ac97d1e4cdfd00b3083ca2c15ae8594",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "572350cc1b7ee9eb743fe3f4cfba0c9b6316477ce99490cc1ccffdf8a74bb4ab",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
|
|
"rule_name": "Zoom Meeting with no Passcode",
|
|
"sha256": "ccb0acf3cc1b30624083f57a468ae8f3d188ca69b2ae0551b5122b12e90e6b36",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
|
|
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
|
|
"sha256": "32fd6f9021368cd31c5f61a2ea6c916fa1c6c5afb895e7b5f85cdb74cf3b3150",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
|
|
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
|
|
"sha256": "aa0faf0feeded63930dae2ccaac0af504981592f7e7e9ecd84e12b30fbe3dc0a",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"5919988c-29e1-4908-83aa-1f087a838f63": {
|
|
"rule_name": "File or Directory Deletion Command",
|
|
"sha256": "580ad4755828bed2eed4fc05fda6a383cb56bcfad28fbc5784fe8aa3b56558e2",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"5930658c-2107-4afc-91af-e0e55b7f7184": {
|
|
"rule_name": "O365 Email Reported by User as Malware or Phish",
|
|
"sha256": "b5f3c767c08e1da87b89ac7ac2be6461f221276a0d51a73c4d7ce07646b10a18",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "1601c2ca6b0a5cb05cbee7c9cff2704894d2a1e0f6af8be3ffd74063875d5d34",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"59756272-1998-4b8c-be14-e287035c4d10": {
|
|
"rule_name": "Unusual Linux User Discovery Activity",
|
|
"sha256": "1b3e6cbb40f046d22b7ccadce341898603e5676bd73c703a48a3dd0a50beae19",
|
|
"type": "machine_learning",
|
|
"version": 108
|
|
},
|
|
"59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
|
|
"rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
|
|
"sha256": "afd8f32f6156383a46c4c1d56ca7897828ee05b79901ae05dd3d0d647211b298",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"5a138e2e-aec3-4240-9843-56825d0bc569": {
|
|
"rule_name": "IPv4/IPv6 Forwarding Activity",
|
|
"sha256": "6306291aafc48fbdf6884e130072d6f64ac51aec5a1a517ebde694fef182f68a",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "af550c49b54fdde4f457b46291419fcce1a52c87f48f17702fea4f9f646df8a7",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
|
|
"rule_name": "Potential Reverse Shell via Java",
|
|
"sha256": "27296c203efdb6c08fccfb95e4725ee33b4421224fb24563c0272800e7b6d4cd",
|
|
"type": "eql",
|
|
"version": 12
|
|
},
|
|
"5a876e0d-d39a-49b9-8ad8-19c9b622203b": {
|
|
"rule_name": "Command Line Obfuscation via Whitespace Padding",
|
|
"sha256": "e8e4200bfd160124ebd18fa2e0136a6e6a467bbd77c38003b4679d2c28ac425a",
|
|
"type": "esql",
|
|
"version": 1
|
|
},
|
|
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
|
|
"rule_name": "ROT Encoded Python Script Execution",
|
|
"sha256": "2b7ba34e350a043c0b1190aa7a10e4c9ccc9d59bdc70a8557087fa86129f17ad",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
|
|
"rule_name": "Potential Chroot Container Escape via Mount",
|
|
"sha256": "b4059f1489642cfd577781cc4bb592210ed1eb9478f8810f63a8d6d4cd9a99f0",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
|
|
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
|
|
"sha256": "801b331954e244547654f39e1cd8f34d2021a71a4b42b41e160a8ac6279bd843",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "52e50adab24a9c98ab490445823f19da1c977fbb1095aa36f198857a03f478f5",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "a68d1197dbfcde78c418443b44873deec4a06a2723022ccad6b4b536998f5849",
|
|
"type": "query",
|
|
"version": 111
|
|
},
|
|
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
|
|
"rule_name": "SUID/SGUID Enumeration Detected",
|
|
"sha256": "d5ba03af6e11399e765a1e6092052af914d8a5a819d419e147a2fce9997e7882",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"5b18eef4-842c-4b47-970f-f08d24004bde": {
|
|
"rule_name": "Suspicious which Enumeration",
|
|
"sha256": "586b56458f4d63afd014b8dbb35e00f09492345bfd80de251a5c644f7f95b60d",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": {
|
|
"rule_name": "Successful SSH Authentication from Unusual User",
|
|
"sha256": "ac9dde5d814487dcbb7df690f4de9d537b6611768502f6dfae5d1946d55ca067",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
|
|
"rule_name": "Potential Masquerading as Browser Process",
|
|
"sha256": "4556a2b4d9ae5c0709537287d7c352c49fd07266ec3e249028df8c684d8e7bf2",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "70177fc265fa2f24acad68cd0ef289816432b3766a1b8a43e6e4742eeb754522",
|
|
"type": "new_terms",
|
|
"version": 318
|
|
},
|
|
"5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
|
|
"rule_name": "Boot File Copy",
|
|
"sha256": "cd70f8dd5abeab850d1532330903eff14dbc6a90001d79216e4b74845f3b843b",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": {
|
|
"rule_name": "Base64 Decoded Payload Piped to Interpreter",
|
|
"sha256": "09b7736bd172c70c630af6568b3e22a57d3aa2c0a8bd1cda795ae81551904c4e",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "785974f24b64cb645aa6fd98283d61acd5febe0ab47b1b2672d2b22ab35d6857",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
|
|
"rule_name": "Process Capability Enumeration",
|
|
"sha256": "50cc17826fabfece21adc7a22a8409597934cfaa43d6c4781b3febbc06ec32fa",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"5c495612-9992-49a7-afe3-0f647671fb60": {
|
|
"rule_name": "Successful SSH Authentication from Unusual IP Address",
|
|
"sha256": "8ed431643e8c3857abb8da10d97dcc5df59d874cbb47919ecb87ccdb07777cd4",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": {
|
|
"rule_name": "SSH Process Launched From Inside A Container",
|
|
"sha256": "aca0bc31635b851cb04cba107bc057f1e52de42a29d9fb238caf3c470557944d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5c602cba-ae00-4488-845d-24de2b6d8055": {
|
|
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
|
|
"sha256": "be1394a99d666d5475ec563878af49732fbfaa9557e34605989f84549355c625",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
|
|
"rule_name": "FirstTime Seen Account Performing DCSync",
|
|
"sha256": "8e90c908d2605d14a26425a59c2464ebe616002059670f3d59c10e03735403ab",
|
|
"type": "new_terms",
|
|
"version": 117
|
|
},
|
|
"5c81fc9d-1eae-437f-ba07-268472967013": {
|
|
"rule_name": "Segfault Detected",
|
|
"sha256": "2e81ce6769021daba9c871cf5baf734f4fb6fbbdc9590bcc56e0bf1853d51d1e",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"5c832156-5785-4c9c-a2e7-0d80d2ba3daa": {
|
|
"rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
|
|
"sha256": "32a473a51dd3f37a92b8392e5e856d789fc536f75e7a25d15fc044ca7f82e08e",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5c895b4f-9133-4e68-9e23-59902175355c": {
|
|
"rule_name": "Potential Meterpreter Reverse Shell",
|
|
"sha256": "f43fdacea654dc618d56148168d52abff8acb3c09b63d3741bda04db943d0ae6",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"5c983105-4681-46c3-9890-0c66d05e776b": {
|
|
"rule_name": "Unusual Linux Process Discovery Activity",
|
|
"sha256": "73a2b26e4a677c2f45db8dfe14c180513fa2b5b51e66828388e71dd909955e75",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
|
|
"rule_name": "Potential Defense Evasion via PRoot",
|
|
"sha256": "4676a1a02b7db809541116e47f39e53bf6f019a45a42756bb42f35853b79f29c",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
|
|
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
|
|
"sha256": "f32d65f7e822e33bb971f00791642cb5337c8501b4919fb8280b5f52393799e2",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
|
|
"rule_name": "User Added to Privileged Group in Active Directory",
|
|
"sha256": "9c592d696b111ba2667fac67712827ef98ca432b69f7dc378b1cf79c1902bea0",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
|
|
"rule_name": "Persistence via PowerShell profile",
|
|
"sha256": "1de4421d5b5299213d99591da32512ca3a1acf592d3d8a5e9f9f512812cf976d",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
|
|
"rule_name": "Persistence via Login or Logout Hook",
|
|
"sha256": "1b07692857d4196dca0282c0a6b818c123b5d8d3fcc412fb9139a364e2a4a08d",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
|
|
"rule_name": "Suspicious Execution via Scheduled Task",
|
|
"sha256": "fa2a33e6373f41cd2d51778ba3915f14895dec9843ce9e39e1d6f507a3f383d8",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"5d676480-9655-4507-adc6-4eec311efff8": {
|
|
"rule_name": "Unsigned DLL loaded by DNS Service",
|
|
"sha256": "fe9828fdb1e826e9a4887dd4b52754e5a56c0b775c59963881f4538c3dc240fa",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
|
|
"rule_name": "Suspicious Automator Workflows Execution",
|
|
"sha256": "e8fa74379179a6e9e9280508afc640cb96c331cc171808a748ed740b40cef25f",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"5e161522-2545-11ed-ac47-f661ea17fbce": {
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "fdff095d924623c81dd84192e86d2cd857ea9237a184331ffecbc98be0f08e7b",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"5e23495f-09e2-4484-8235-bdb150d698c9": {
|
|
"rule_name": "Potential CVE-2025-33053 Exploitation",
|
|
"sha256": "e515ba416d112f154ee9c1ea73f1ac151201233455473ca6ac4c7bb238c79648",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"5e4023e7-6357-4061-ae1c-9df33e78c674": {
|
|
"rule_name": "Memory Swap Modification",
|
|
"sha256": "4057788684412d061d4da08a599e2826415b89cea6358903f10773366b45d795",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"5e552599-ddec-4e14-bad1-28aa42404388": {
|
|
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
|
|
"sha256": "cf01790da09ac08fc249d7887a8a2497be15225eb566534e7e1f8349eec40c0f",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"5e87f165-45c2-4b80-bfa5-52822552c997": {
|
|
"rule_name": "Potential PrintNightmare File Modification",
|
|
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"5eac16ab-6d4f-427b-9715-f33e1b745fc7": {
|
|
"rule_name": "Unusual Process Detected for Privileged Commands by a User",
|
|
"sha256": "c9aa68e0bbefe704a06a42460c07f488861cf71aaaec68520a0c536c8084352e",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
|
|
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
|
|
"sha256": "b3ecf40e44a7d3998e8adc142b39d8177a9ccc2dbb6b8b38a086bc7f6ac11ec3",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"5f2f463e-6997-478c-8405-fb41cc283281": {
|
|
"rule_name": "Potential File Download via a Headless Browser",
|
|
"sha256": "e53bd1c61f4c344019fc1486685bbeff6040e549e4a75c172d4ef57fb4466686",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
|
|
"rule_name": "Docker Escape via Nsenter",
|
|
"sha256": "6506a2368e148aa7554ab2abb1130f71065652782164f42455e07b305a9d4c1f",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": {
|
|
"rule_name": "NetSupport Manager Execution from an Unusual Path",
|
|
"sha256": "c80b105dcd79c80989bff9ac24cf5177de43e229e7d10b6401345ba38e066596",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"60884af6-f553-4a6c-af13-300047455491": {
|
|
"rule_name": "Azure Command Execution on Virtual Machine",
|
|
"sha256": "220ed9f1c624434cc370940d6cee814b44493918f6d6ac305b251398fc63ff58",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
|
|
"rule_name": "Microsoft Entra ID Service Principal Created",
|
|
"sha256": "040d3f31d90baa93524c9d627ffa97109ff4d5c31aefaaf89ce9fc0328943d37",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"60c814fc-7d06-11f0-b326-f661ea17fbcd": {
|
|
"rule_name": "M365 Threat Intelligence Signal",
|
|
"sha256": "aff5572a6b6ac9bb499203df4a6dd207f564d69215adcf84c625763e0ff03e7c",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
|
|
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
|
|
"sha256": "ce9ed4361e91b450cd43a5fbe9083995234c321108418dda2702a5239066b816",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "eedf094a7798099e64d10398f58d50331624cf7b56aa5b1d6cf30a6ac7ee5c40",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"61336fe6-c043-4743-ab6e-41292f439603": {
|
|
"rule_name": "New User Added To GitHub Organization",
|
|
"sha256": "65d60bb1e3e58c78ebdedb1c5ef222be1b3beda2413b057f21671ccae8870b82",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
|
|
"rule_name": "Interactive Logon by an Unusual Process",
|
|
"sha256": "89c4a7e78c150d6be51a0ac7825e8c185a6b6079831022b8ba59a2cfd77f7047",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"61ac3638-40a3-44b2-855a-985636ca985e": {
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "6444953107ff83401fc01f27ae794d13e3408444ee70c27f3b40202cdc04c216",
|
|
"type": "query",
|
|
"version": 318
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
|
|
"rule_name": "AdminSDHolder SDProp Exclusion Added",
|
|
"sha256": "569d7dc0fde872b71fe21289c4dd3664d0b86aa98f876f99ee70b2e67848bb43",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
|
|
"rule_name": "Multiple Okta Sessions Detected for a Single User",
|
|
"sha256": "8718b5f7766c49df934b5a358670fd814c176f3dba6835a0ec719cd8c6560b56",
|
|
"type": "threshold",
|
|
"version": 210
|
|
},
|
|
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
|
|
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
|
|
"sha256": "25f5507d36b8030ec4b934a15054ff440470648a722b209844f64d8f983b3975",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"627374ab-7080-4e4d-8316-bef1122444af": {
|
|
"rule_name": "Private Key Searching Activity",
|
|
"sha256": "f361f680a803cb70a49fe36ce7d3df8930c21fb79cbeb26aad44fd00bb4864b2",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
|
|
"rule_name": "Account Configured with Never-Expiring Password",
|
|
"sha256": "8f5451e26ac0b2ec8d6274f9cf8c4f90ead9a3b42453322334620f2e494bf627",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
|
|
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
|
|
"sha256": "a26ae91664bb40987e814e0bae49e1aca9e145ed503991398c69106525152bb4",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"63153282-12da-415f-bad8-c60c9b36cbe3": {
|
|
"rule_name": "Process Backgrounded by Unusual Parent",
|
|
"sha256": "51ce3806828472f22e8ff071ef1debf363ec444244cf7baf191d1f43121f4c4a",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"63431796-f813-43af-820b-492ee2efec8e": {
|
|
"rule_name": "Network Connection Initiated by SSHD Child Process",
|
|
"sha256": "c85bcaf8b8f1934623c6ee69da81c6fd9979a821a9deb249c60532eb2909abd6",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"63c05204-339a-11ed-a261-0242ac120002": {
|
|
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
|
|
"sha256": "9f435a9831cb785e2b5c2aa59f2c2f214b372f26823c951d64a269d307591e30",
|
|
"type": "query",
|
|
"version": 10
|
|
},
|
|
"63c056a0-339a-11ed-a261-0242ac120002": {
|
|
"rule_name": "Kubernetes Denied Service Account Request",
|
|
"sha256": "18aa9f9e78bf1f5f528922bfa2420988c64ddf1d85a04ba6234d3954b6e8caa6",
|
|
"type": "query",
|
|
"version": 9
|
|
},
|
|
"63c057cc-339a-11ed-a261-0242ac120002": {
|
|
"rule_name": "Kubernetes Anonymous Request Authorized",
|
|
"sha256": "93b73fe3d15ca4f29227bf0188faabb45ee0a73da43affd5fabf3f85e275e954",
|
|
"type": "query",
|
|
"version": 10
|
|
},
|
|
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
|
|
"rule_name": "Sensitive Registry Hive Access via RegBack",
|
|
"sha256": "f1b41199a328bd02b1d8e68577dea1a0148279f462f58eb741ee169e443888cf",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "9dc44d0287d85742433a237643de326b02cb67b5850c7c1cb67d39e39ff29d97",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"640f79d1-571d-4f96-a9af-1194fc8cf763": {
|
|
"rule_name": "Dynamic Linker Creation or Modification",
|
|
"sha256": "e0f1dd84a2173083fe722d628c8ab0b8707074ae153f36a707312aa2e01fe63e",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"642ce354-4252-4d43-80c9-6603f16571c1": {
|
|
"rule_name": "System Public IP Discovery via DNS Query",
|
|
"sha256": "5eed6d39b3ff549f9fad07deb25f6b9f17ef4b11d01d6291bea126940dfea36e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "58734d751552517001b8693378f42770573d4d066dc38f676bd455a29192c217",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
|
|
"rule_name": "Modification of Safari Settings via Defaults Command",
|
|
"sha256": "e58f9a734b08aaa71549e4b36faff3a83f6755807a7120cd13d38d06a684c382",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
|
|
"rule_name": "Network Connection via Recently Compiled Executable",
|
|
"sha256": "8042233e0f892f2407f56cdad86abf500c3ef3e10a0c2d4f9c34fb82522d0aaa",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"64f17c52-6c6e-479e-ba72-236f3df18f3d": {
|
|
"rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
|
|
"sha256": "fda6cdc3f42b88f38449c8dc374c2474384889313433b94cfc507f47fcf813c9",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"6505e02e-28dd-41cd-b18f-64e649caa4e2": {
|
|
"rule_name": "Manual Memory Dumping via Proc Filesystem",
|
|
"sha256": "89a286c349078a24d4e2fecde0750a185236c0c290092176cfdbb711f9217d26",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
|
|
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
|
|
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"65432f4a-e716-4cc1-ab11-931c4966da2d": {
|
|
"rule_name": "MsiExec Service Child Process With Network Connection",
|
|
"sha256": "f57dea79c94f721b7f8cbc38f822f95a03a7020cbcef7591ff7b6834bf00038e",
|
|
"type": "eql",
|
|
"version": 205
|
|
},
|
|
"65613f5e-0d48-4b55-ad61-2fb9567cb1ad": {
|
|
"rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments",
|
|
"sha256": "2b3c16cfb34b61af6507557a60d2afb7a9f8f8b1aa93204f8026476e3f6f2b01",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"656739a8-2786-402b-8ee1-22e0762b63ba": {
|
|
"rule_name": "Unusual Execution from Kernel Thread (kthreadd) Parent",
|
|
"sha256": "85068828f8ad2c6992b31af574b8eea3dfd7d81c7609c50c3d09830098e83a94",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"65f9bccd-510b-40df-8263-334f03174fed": {
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "2962f75c4c913a7ae6568d692aa100bc991b3f0a49913ed652b7423b7d56b4cd",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
|
|
"rule_name": "Attempt to Mount SMB Share via Command Line",
|
|
"sha256": "7596d477c75194501eab55a1d56dbc23f408e9b52f0d6e9477fa3caf989cd8e1",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"6641a5af-fb7e-487a-adc4-9e6503365318": {
|
|
"rule_name": "Suspicious Termination of ESXI Process",
|
|
"sha256": "790e3ecbcdc60ea5dc2354a92eab59b577b49b446d8974b50470c28828ab826e",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
|
|
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
|
|
"sha256": "73db657803846bffc7d107cbc8bf0cc7d9bbda6f034becce1f0990588362cb7f",
|
|
"type": "new_terms",
|
|
"version": 208
|
|
},
|
|
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
|
|
"rule_name": "WebServer Access Logs Deleted",
|
|
"sha256": "9b067a4e19e27494227981d9814f26e3262881c5cb3f74ed5c0a1d833408f0fb",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
|
|
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
|
|
"sha256": "9dfa1666e6adb79b948337da7f7034bcc8984e563c0888374801758c0a4771b2",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
|
|
"rule_name": "Connection to Commonly Abused Web Services",
|
|
"sha256": "e0bcdab50088ca7a1827ec90afe4ec21cf937ffaf9b9069142b1709b1dae722d",
|
|
"type": "eql",
|
|
"version": 121
|
|
},
|
|
"66c058f3-99f4-4d18-952b-43348f2577a0": {
|
|
"rule_name": "Linux Process Hooking via GDB",
|
|
"sha256": "17f4fe2ff61bcd9e8f15d4be875e352215f40c08ee78633c078953f304b1a7b5",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
|
|
"rule_name": "Suspicious macOS MS Office Child Process",
|
|
"sha256": "1cbce0d436f0e84332bd5c6fdb6208ea47ff267a6c91804b470dc6f0f25e0c04",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
|
|
"rule_name": "Modification of the msPKIAccountCredentials",
|
|
"sha256": "0c4d5dabbc1a6db4cd15fd8dd45645288de81b4bb4fd936c34e4eb7cb87c19d6",
|
|
"type": "query",
|
|
"version": 117
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"rule_name": "Attempt to Modify an Okta Policy",
|
|
"sha256": "a641b7d199f4e4fd832c1dc4b7bb8e8e0693119f5efdf132d673600f1a67de92",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
|
|
"rule_name": "O365 Mailbox Audit Logging Bypass",
|
|
"sha256": "d9ca008bbae2521398aed0e6e676a30df987365ec3e19898bb5d238df2fd0efe",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"6756ee27-9152-479b-9b73-54b5bbda301c": {
|
|
"rule_name": "Rare Connection to WebDAV Target",
|
|
"sha256": "226bc2c66a12087220919af679f96b33f238a293993cc8a86a3b04d4544dca5f",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "46ce327e5a7721a4232d054cffea7064e587e8fe9066deaf0b52b4dce137c44e",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
|
|
"rule_name": "High Number of Process Terminations",
|
|
"sha256": "b70379162e6c43363d0f74d4e6d6f9a914c5fba08a7e2e0d774ea7d2fe4a85d9",
|
|
"type": "threshold",
|
|
"version": 114
|
|
},
|
|
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
|
|
"rule_name": "Query Registry via reg.exe",
|
|
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"6839c821-011d-43bd-bd5b-acff00257226": {
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "c27202eab20774ab1eb8e25fda99113ea2cdb28f9e3dc0dbc5cea32eff56ace4",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
|
|
"rule_name": "New or Modified Federation Domain",
|
|
"sha256": "eb632e823fffa93830ea299b42c8526ad8eccfa083efef9016c1a701dde51c33",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
|
|
"sha256": "0213339b429615707aed9697fd239830b2cc1c6c0f4d8b8ea9c25c860c76c36d",
|
|
"type": "query",
|
|
"version": 412
|
|
},
|
|
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "762b94746bef2ca7e80bb657ace66afa3602a6c62a978487f801d78e7d744308",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "1532614e797cd095c55034b762a0bc6b838adcd29d3c103a933df074cc826f7f",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
|
|
"rule_name": "Scheduled Task Created by a Windows Script",
|
|
"sha256": "d16ac49d6c15b783cff7f695326de41b63df37f6a44a4fb2840ac736b581fa1f",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "113bc535795bcc0c6ccdd3b9c6b0d905ad36ab8ece4c1ad5bc8a0000d99d10fe",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
|
|
"rule_name": "Suspicious Access to LDAP Attributes",
|
|
"sha256": "bce5140482d1ba1ce7f47b0bb3a39d375abf3c7ed00c4a7b49ebf194b2e94f80",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
|
|
"rule_name": "AWS RDS DB Snapshot Created",
|
|
"sha256": "ad69aa058d530466a81bf883cda42a241f9ad8a415e5291d1aea004a51787720",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
|
|
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
|
|
"sha256": "77f75f86866b174600e6178727630e93c2e2eb7a46ef23e7e0395d266892854f",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"68e90a9b-0eab-425e-be3b-902b0cd1fe9c": {
|
|
"rule_name": "Suspicious Path Mounted",
|
|
"sha256": "0e0471d9d546ed74ce3ec0a1c5ad172159811d292cfbb0355f78d643645bc777",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
|
|
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
|
|
"sha256": "dd12550a3cff20c4f63fc6067d74d35429245b167537619b73a3d2a44d4250db",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
|
|
"rule_name": "AWS IAM User Created Access Keys For Another User",
|
|
"sha256": "888041749b4414c84d0be90a29ada95f7951e481609ee11d11d96c9f959546dd",
|
|
"type": "esql",
|
|
"version": 7
|
|
},
|
|
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
|
|
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
|
|
"type": "threat_match",
|
|
"version": 204
|
|
},
|
|
"69c116bb-d86f-48b0-857d-3648511a6cac": {
|
|
"rule_name": "Suspicious rc.local Error Message",
|
|
"sha256": "4fca7cbe95b1e0dd955f572b633b6cb7e22b34759a5970fd74cf531e5d0ff34c",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "062ebbb18e87088c2415a14ef1813c552955a440c290ca1cd073a4f6e9b42770",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "a03120071cd58fed8c869795a758044717e224f1b2806cf58bc0e62c11612b04",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
|
|
"rule_name": "Attempt to Disable Auditd Service",
|
|
"sha256": "67da46c6d778a1cdb269de0632d9fa23d719b5a5102bf664650e5410468179cc",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
|
|
"rule_name": "AWS EC2 AMI Shared with Another Account",
|
|
"sha256": "92a73731285ad8a586f20c44168203095329ef10c5faa34456fd4fecdaddbbc2",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "95af9566aea54e42762a51b57cd302ff63e6aa9f85764d94bf0c073f89f67e72",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"6aace640-e631-4870-ba8e-5fdda09325db": {
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "5095fe669c7a28cd0bd4ac67b605eac71f438d90afe54c8b6c1d52d1bd3efdf6",
|
|
"type": "eql",
|
|
"version": 420
|
|
},
|
|
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
|
|
"rule_name": "Suspicious Utility Launched via ProxyChains",
|
|
"sha256": "3c617ea8ef8e592c6c0ecb915c7d082c83de2de0068c2edda2c34bc3a69cc1ae",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"6b341d03-1d63-41ac-841a-2009c86959ca": {
|
|
"rule_name": "Potential Port Scanning Activity from Compromised Host",
|
|
"sha256": "4b223bbbb2de1fdda098f39923b4c779a6e2bfdd88ccf0137b08808a96c02042",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
|
|
"rule_name": "Sensitive Files Compression",
|
|
"sha256": "724f5833d51b354c3f8a947bed2780063bf8a7a36a995b9a61edfdcd958c1cf2",
|
|
"type": "new_terms",
|
|
"version": 211
|
|
},
|
|
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
|
|
"rule_name": "Remote Computer Account DnsHostName Update",
|
|
"sha256": "c4c3950bbe859665917f01d249b583baae5cdaf7e8fa2de6b34a9e9c79a37581",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
|
|
"rule_name": "Deprecated - Container Management Utility Run Inside A Container",
|
|
"sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "69a395d0e80347499365554d56ecb7013b51d87f12d29487a7c19e439da8ed6f",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
|
|
"rule_name": "GitHub Repo Created",
|
|
"sha256": "531384d15d52b8c071346a4f472a9f04c83f068c11e87cf028088200812078e7",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"6cf17149-a8e3-44ec-9ec9-fdc8535547a1": {
|
|
"rule_name": "Suspicious Outlook Child Process",
|
|
"sha256": "ead3bdb03abbff29fb244e73d16f7594a5225127c4cf750abe0bb59b4f881ff9",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "a9d9339a8264b3d2300490621a7a0ccff22ea03e314c0467ae20f9d7c0df0b13",
|
|
"type": "machine_learning",
|
|
"version": 214
|
|
},
|
|
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
|
|
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
|
|
"sha256": "b4a42530866bb3fcf923be492968e1ec069ccff128907752f4eb635c73bdbaa8",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"6ddb6c33-00ce-4acd-832a-24b251512023": {
|
|
"rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
|
|
"sha256": "8c4f5c161d76288dfa5f503ea1353b52bf9fc70d4dc497687833391b1952227a",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
|
|
"rule_name": "Root Certificate Installation",
|
|
"sha256": "00c16c5651bd3bfbc8171580c45de1fe5d519dfd069eeb0a487d3209b1041f9d",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
|
|
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
|
|
"sha256": "f2678627c0e56eb4770e873cc45c7aefb4d5ee4d62ae0f5f2e5ac0951de029d2",
|
|
"type": "new_terms",
|
|
"version": 113
|
|
},
|
|
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
|
|
"rule_name": "Loadable Kernel Module Configuration File Creation",
|
|
"sha256": "9b9b7f3c885260e578a0b82883d82007dc06ce8b50492c1ca835a211db9d8dc0",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "0e4aee03edacf69e9198f2b0c2990d55cea3c4c8807f745eeaada13da2490dac",
|
|
"type": "machine_learning",
|
|
"version": 211
|
|
},
|
|
"6e4f6446-67ca-11f0-a148-f661ea17fbcd": {
|
|
"rule_name": "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)",
|
|
"sha256": "305c77756be1aa3ebef6c4519ccf07b2c84119e59377b3bba5a957090f6843c9",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
|
|
"rule_name": "AdminSDHolder Backdoor",
|
|
"sha256": "49503ed912d9968186dd5b4b47de003255aa7ca2b4311d8cd8d0102e65ac3e56",
|
|
"type": "query",
|
|
"version": 214
|
|
},
|
|
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
|
|
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
|
|
"sha256": "ee1131249647118b84975962d58442cf80fa8283768385f7427a1880ed82cfcc",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
|
|
"rule_name": "Potential Windows Error Manager Masquerading",
|
|
"sha256": "5c64c10228a0a54dc71ec736d0ceedf77938cee9b5bc4431aaa0997896c72131",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
|
|
"rule_name": "Security Software Discovery using WMIC",
|
|
"sha256": "1a271b28efc2579203a371e1810f70f4c164c9030910f0cc18297ec982ee80a5",
|
|
"type": "eql",
|
|
"version": 217
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6eb862bb-013d-4d4f-a14b-341433ca1a1f": {
|
|
"rule_name": "Unusual Exim4 Child Process",
|
|
"sha256": "be950898e5a8ba78609a95cacbe9417ab15c13a2c743efa79b5d5fa39311573a",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
|
|
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
|
|
"sha256": "a7302dbb6645ae4c4dcddd494f0781ad2388a5ddea1341fcbcca11455fe8765a",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"6f024bde-7085-489b-8250-5957efdf1caf": {
|
|
"rule_name": "Active Directory Group Modification by SYSTEM",
|
|
"sha256": "da293aa9452ee7845abaf5b12c58972177020377e4cd25286313013d62cf57be",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
|
|
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
|
|
"sha256": "9868b324f20d976867393dea2d166df6dc944a6a56def58191886a560e656fce",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "59cfd1766bf59330cc09e1890b460c610c178db06840e3d7abc6ef15bdafba7f",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the find command",
|
|
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"6fb2280a-d91a-4e64-a97e-1332284d9391": {
|
|
"rule_name": "Spike in Special Privilege Use Events",
|
|
"sha256": "ed6ffa275f2e757c537e56f54d8322172b0f69b4f8654de69c31e43cf69165f2",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"70089609-c41a-438e-b132-5b3b43c5fc07": {
|
|
"rule_name": "Git Repository or File Download to Suspicious Directory",
|
|
"sha256": "f1a4739bf59819f1569e930eaad799c4719c6ed30ad5f4eb2fab50bf81151f87",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"7020ff25-76d7-4a7d-b95b-266cf27d70e8": {
|
|
"rule_name": "Unusual Interactive Process Launched in a Container",
|
|
"sha256": "7e4aba06e06e21dbd41febca8830202c92f2a6b4efc7a54d9065b8c0d2ff9615",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "9c1c419acc1c5382728b1438c0379f6cb40f4ef3707cbeac52da4002951e2cf7",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"rule_name": "AWS Config Resource Deletion",
|
|
"sha256": "5c1da231570a43505ed47b60bd7789f3c89d221ccf90c7fed99148c2b5c3b786",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"70558fd5-6448-4c65-804a-8567ce02c3a2": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "Google SecOps External Alerts",
|
|
"sha256": "3875d92943fd3bd7e6de3c62cedde504db8217fbfd89d59c6a6e5afa159386d3",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
|
|
"rule_name": "Suspicious Execution via MSIEXEC",
|
|
"sha256": "65980fe1ae4be0bcb253357e4e833ea08e6cf9acc68b212beaf62c43948c1e50",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
|
|
"rule_name": "Persistence via WMI Standard Registry Provider",
|
|
"sha256": "864ff665dcbced65f2a50abeae6420224e6af1557598ac0a35e6405ebf5a78df",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
|
|
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
|
|
"sha256": "12adb8caa4cf41e1a492cf42db6b2578138926e4fc661af44d4ad81f498d9768",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"713e0f5f-caf7-4dc2-88a7-3561f61f262a": {
|
|
"rule_name": "AWS EC2 EBS Snapshot Access Removed",
|
|
"sha256": "52024b2e77cc4795b4f03cbcbc178c5b1ef9142451d06b12605d4031d44923d9",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"7164081a-3930-11ed-a261-0242ac120002": {
|
|
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
|
|
"sha256": "02a340a8f7a03f9f711f2ef54847fafadb802ebf54d749f2dde581698a9e874f",
|
|
"type": "query",
|
|
"version": 9
|
|
},
|
|
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
|
|
"sha256": "5606dcf89a5cf45608021e4996da8e5024e50197149189c87ad8e27999fb234a",
|
|
"type": "new_terms",
|
|
"version": 212
|
|
},
|
|
"71bccb61-e19b-452f-b104-79a60e546a95": {
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "cdca3037d4e82a827463d44736431dcdca113631f41343c8eb87c12fdcc7473d",
|
|
"type": "eql",
|
|
"version": 320
|
|
},
|
|
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
|
|
"rule_name": "Suspicious RDP ActiveX Client Loaded",
|
|
"sha256": "1477e66dec703b018b8fa3520a35c332275b252a01e165852dbf34f41d35a41b",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
|
|
"rule_name": "Suspicious Passwd File Event Action",
|
|
"sha256": "5c1c2e9bc622fdfd22307f8a78bba011d594c683e3261da78070e1aa65082567",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
|
|
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
|
|
"sha256": "2db348e2a4fa78dd2e6207f126cfa55b903bfadf722dcbe0d3ccc2a69878d2e2",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"720fc1aa-e195-4a1d-81d8-04edfe5313ed": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "Elastic Security External Alerts",
|
|
"sha256": "5378d1cf9cc62c93c87fca496cb3de399093caee93924ada0c9a7fc88cb0dfee",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
|
|
"rule_name": "Microsoft 365 Potential ransomware activity",
|
|
"sha256": "efcdb7e0993e29ec64fe324c23c28c6b84a1994689b6ebab3cc2d46a4740d321",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"725a048a-88c5-4fc7-8677-a44fc0031822": {
|
|
"rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
|
|
"sha256": "f3a375efa9dad165b0ceee2708b1a82c91b5e018d88c7a9b2e3e9b92105cc17e",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"7290be75-2e10-49ec-b387-d4ed55b920ff": {
|
|
"rule_name": "Suspicious Network Tool Launched Inside A Container",
|
|
"sha256": "25ef5d9ba0393a3d8df5a73607b421d6f605be3de44681c516ddfdea8bc55112",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
|
|
"sha256": "cc1423cbb9a6308b079d91c2db23175ab961848433acd76b756d3d618d8ae37f",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"72c91fc0-4ac0-11f0-811f-f661ea17fbcd": {
|
|
"rule_name": "Entra ID User Signed In from Unusual Device",
|
|
"sha256": "a74bc110e5c0b8a6fc1bef55bf18b245e848e62600e4d21755d76a3c47d0c464",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"72d33577-f155-457d-aad3-379f9b750c97": {
|
|
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
|
|
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
|
|
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
|
|
"sha256": "4f3545b509cbd0e36f1170017de36ef566801ca5376fc194fef70bac179466cf",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"730ed57d-ae0f-444f-af50-78708b57edd5": {
|
|
"rule_name": "Suspicious JetBrains TeamCity Child Process",
|
|
"sha256": "51694939fb7c336362382b2eb663e0be6f71da0693aa969468b3052e2048e38c",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"7318affb-bfe8-4d50-a425-f617833be160": {
|
|
"rule_name": "Potential Execution of rc.local Script",
|
|
"sha256": "cfe8403a49d49c0d00f9e597d19d1f9524bed254d508cf494cbe246f5885f019",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"734239fe-eda8-48c0-bca8-9e3dafd81a88": {
|
|
"rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
|
|
"sha256": "73cb8609a6210c24331f116dd203187bc4f50ff4c1030ccf157e4ba21fbda471",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "8879780b1e7f8e78d71a5f73adadde4ba4d0ed831e4b18682eca96c1d3d0db5d",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"74147312-ba03-4bea-91d1-040d54c1e8c3": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "Microsoft Sentinel External Alerts",
|
|
"sha256": "a34a03f8ae7aa0e2dd7e603598ea2a6ce21901318fe406e2e71b9bb9a42f8d8f",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
|
|
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
|
|
"sha256": "ddf21d53d6b8b8924b7cd9e99aa28d4f195a780f81fedcabd802cfa7f5eb3443",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"745b0119-0560-43ba-860a-7235dd8cee8d": {
|
|
"rule_name": "Unusual Hour for a User to Logon",
|
|
"sha256": "cad0a70827a88e131e905da0a07e883407cc68f8408f036139f4501e8e78b192",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "3bb8a6e567f321ccd00a7d8e30e775bc9185cd5cfd1f86345dfac966d25b186a",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"74e5241e-c1a1-4e70-844e-84ee3d73eb7d": {
|
|
"rule_name": "Kubectl Workload and Cluster Discovery",
|
|
"sha256": "8ff0a1414ddc2ca23f6b2cc65b8d0d14ab94dbb3f7b1eadd08db69f34c251759",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
|
|
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
|
|
"sha256": "53be035e01bd869c4c8f86c9ace24ef2f4e616229a67d7fdc7f988937f3027c0",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"751b0329-7295-4682-b9c7-4473b99add69": {
|
|
"rule_name": "Spike in Group Management Events",
|
|
"sha256": "1f0d951f0aa45a48dc46316b1f1d4e02ff8c900e6c997441383ac1f247d42aa0",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
},
|
|
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
|
|
"rule_name": "Suspicious Sysctl File Event",
|
|
"sha256": "b2b915f63505fa9e1b94d88703a92b853e0816d9256254fb02fb96f84189550c",
|
|
"type": "new_terms",
|
|
"version": 110
|
|
},
|
|
"75c53838-5dcd-11f0-829c-f661ea17fbcd": {
|
|
"rule_name": "Azure Key Vault Secret Key Usage by Unusual Identity",
|
|
"sha256": "86b02f24180bc8fc24a9e75fab2d34798126849ea8f3815ba770e056914eb64c",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
|
|
"rule_name": "Service Disabled via Registry Modification",
|
|
"sha256": "99972be3aaef2b87210728a09b1bcabb051d032b977008f6cc411bafbbfe88b8",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "134c4594176dbca2b7f74074f945c476a08d79d6a308778f0f010a173d7a48da",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"76152ca1-71d0-4003-9e37-0983e12832da": {
|
|
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
|
|
"sha256": "b16e7aa630bf09efd8c9c4b5abd21061b8abe08ed648b264ae75cdd15c7444cf",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"764c8437-a581-4537-8060-1fdb0e92c92d": {
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "08c7392344a8d4c14e89412d74635a4e2cdb2169726330efa92df7708f7c358b",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
|
|
"rule_name": "Access to a Sensitive LDAP Attribute",
|
|
"sha256": "da5b757e25b0954265362edb8d0c7553dfc610e3a6f0c454aa40410d3976b845",
|
|
"type": "eql",
|
|
"version": 116
|
|
},
|
|
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
|
|
"rule_name": "Creation of Hidden Shared Object File",
|
|
"sha256": "aa69e969e138f517e5b970bdfd65168c2714e6c42dbe3df65d20154de710b6a1",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
|
|
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
|
|
"sha256": "58a655e54c5cb166ac6ab5498819171cec1889190859287d7c41626ff6632018",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
|
|
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
|
|
"sha256": "e37578d05357bf909b630eef6138c68d1fe2d0d1da0edd81db1acd44ba659e46",
|
|
"type": "eql",
|
|
"version": 13
|
|
},
|
|
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "2f1dc5042c5324178d8de82aebbac4085da8ad4cdf63a22939b6c481f989c4b0",
|
|
"type": "eql",
|
|
"version": 419
|
|
},
|
|
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "b9e24cba4cbda3e2ed33c9da86174cd9d7e7422319ea041848dcf546768713fd",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"77122db4-5876-4127-b91b-6c179eb21f88": {
|
|
"rule_name": "Potential Malware-Driven SSH Brute Force Attempt",
|
|
"sha256": "bcfd7354aed5a764e46baa036e742d25e5e2d484a217268320a01bf60b2a2bc1",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
|
|
"rule_name": "User Added as Owner for Azure Application",
|
|
"sha256": "5546341ec9db7c46ffb5111006b0514d9269f48d393325dc0065f056cb30256f",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"7787362c-90ff-4b1a-b313-8808b1020e64": {
|
|
"rule_name": "UID Elevation from Previously Unknown Executable",
|
|
"sha256": "bd2fd646de5b97382ba0ef0b474c21b0b4da1df3c24daa233360ec844ea300c6",
|
|
"type": "new_terms",
|
|
"version": 7
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
|
|
"sha256": "e51927f3ba4b177d5d468bb2d7ca79af15177de99cc468aff4c790fe8b29fd75",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"781f8746-2180-4691-890c-4c96d11ca91d": {
|
|
"rule_name": "Potential Network Sweep Detected",
|
|
"sha256": "5c20b27d9972a603b528e757f9a230227c795bc88289b7bb230b6f6bb2112750",
|
|
"type": "threshold",
|
|
"version": 13
|
|
},
|
|
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
|
|
"rule_name": "Yum/DNF Plugin Status Discovery",
|
|
"sha256": "e4500f6b2f6896f0cf5806abdc3e8e1c302dd5224589f31f2dca2206f09803e1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "d8715340030f5e840104979c68ca6a5bee643b38558bc0f8cefeeab653cb8c01",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
|
|
"rule_name": "Azure Privilege Identity Management Role Modified",
|
|
"sha256": "918e5b35239f7a3671fef90e9272322a3eba40039c3a5975854e2d9ae0325db7",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "23b9183b0b627393d88469e86e1b3ed49184a6b912ce0286003e993fe66341db",
|
|
"type": "machine_learning",
|
|
"version": 211
|
|
},
|
|
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
|
|
"rule_name": "Suspicious ScreenConnect Client Child Process",
|
|
"sha256": "030f794bc9fe8acd0c6e7d24f93ccf1656808b54cd87b4027d431fabc125dce0",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
|
|
"rule_name": "Suspicious File Renamed via SMB",
|
|
"sha256": "8707838785d36a930a0b2e027746fc7dc78264f09fc45fdec3a61d89ae361de0",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
|
|
"rule_name": "Unsigned DLL Loaded by Svchost",
|
|
"sha256": "727bed32f960f3646b304cd0dddef223d4d3389c7f0f1fe781a6429f84b3eebe",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"79124edf-30a8-4d48-95c4-11522cad94b1": {
|
|
"rule_name": "File Compressed or Archived into Common Format by Unsigned Process",
|
|
"sha256": "b1d168024b3a453b93f1e31cf146ca7287afc7386c503ff86dfd88c47aee5845",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
|
|
"rule_name": "Azure Key Vault Modified",
|
|
"sha256": "662dc91439e997c034a7d87f072269b25668dcb3444557e4beac3dbf2ebc5f40",
|
|
"type": "new_terms",
|
|
"version": 107
|
|
},
|
|
"79543b00-28a5-4461-81ac-644c4dc4012f": {
|
|
"min_stack_version": "9.0",
|
|
"previous": {
|
|
"8.18": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Execution of a Downloaded Windows Script",
|
|
"sha256": "e952b2c22ea74d519101db31f240accb3c939550221f13dc5f35591267a4d717",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Execution of a Downloaded Windows Script",
|
|
"sha256": "9230aff8470d6cf4f90ca1386ed2eda9416b1028b41d3e3b69304f8d26829e19",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
|
|
"rule_name": "SSL Certificate Deletion",
|
|
"sha256": "2a6184cdb4ed56b8bb33e42415b358d21dadf077cb1243b0f284a9c2b5fd6a05",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
|
|
"rule_name": "Potential Masquerading as System32 Executable",
|
|
"sha256": "8b980b38e01743202bf213e8e3a1684119d087b4ece47c02ca74498829afa271",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"79e7291f-9e3b-4a4b-9823-800daa89c8f9": {
|
|
"rule_name": "Linux User Account Credential Modification",
|
|
"sha256": "475e4f38684ccea1a906973569b419c40736aaa2efd1cbf137beb9b51bb38a05",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
|
|
"rule_name": "Potential File Transfer via Certreq",
|
|
"sha256": "739bccdcfd3db9fb32edaff3316a98acf52b7a8558af12bc59d2855b1961179a",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
|
|
"rule_name": "Potential Shadow Credentials added to AD Object",
|
|
"sha256": "0510724ee7be3dd0623b1e00c63aac8cd79a53b18287f476cfa8f3af3d7345e6",
|
|
"type": "query",
|
|
"version": 216
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": {
|
|
"rule_name": "AWS First Occurrence of STS GetFederationToken Request by User",
|
|
"sha256": "c1ad2b67bc76a44043c0d9cc9a233a0291e39e29cb490fbe01115d9b9d342503",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
|
|
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
|
|
"sha256": "25ceb2317db65f25c36e30c0ef8c8fa5042168f40262eb917405a7b1ca074005",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
|
|
"rule_name": "Potential Execution via XZBackdoor",
|
|
"sha256": "9e4f02b2533923165d5d42127ea357c3fd8e3dc87e8520988614f93e07555d7d",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"7b08314d-47a0-4b71-ae4e-16544176924f": {
|
|
"rule_name": "File and Directory Discovery",
|
|
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
|
|
"rule_name": "AWS ElastiCache Security Group Created",
|
|
"sha256": "afc21b014ae12b2467fa23ac00a0ea65cfdc9694fc23d43db8cd05b95b3a0dd1",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
|
|
"rule_name": "Windows Network Enumeration",
|
|
"sha256": "1287015e2cbbf36f6c4fd25871e0f13e424829e01845ab1568b70bc999cc1c93",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
|
|
"rule_name": "SELinux Configuration Creation or Renaming",
|
|
"sha256": "873586d99be1693225ad6dc1701f18678b981b927866f1bada9871d2b49ebc30",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "e0970ad84e517e202db952ebde06a5d447c4632796391a9ff76564e69d0b1ab7",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"rule_name": "Tampering of Shell Command-Line History",
|
|
"sha256": "ba48bc4848dfec38a48930759cbb6eb959f0282ae18ed1cc3f158e9f2d508098",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
|
|
"rule_name": "APT Package Manager Configuration File Creation",
|
|
"sha256": "1e00a965b43a18561e0a7082c400d4889a2e4429c82c8b60a7ea0bbde8b5e0a4",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "157e5ffc06f419ad6940e871b764ead2932667dd53a17c103978827e8a3116f1",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
|
|
"rule_name": "Git Hook Child Process",
|
|
"sha256": "2b948a24a1d68fe44454533c60d7e7dfe09f0e6e1c16f089d337b6c5dd003dd2",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"7ceb2216-47dd-4e64-9433-cddc99727623": {
|
|
"rule_name": "GCP Service Account Creation",
|
|
"sha256": "1ff9d6f50da5c85c4aba702a23bff1479031602cd3c7b1418f230190dcb0dfe8",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
|
|
"rule_name": "AWS Lambda Layer Added to Existing Function",
|
|
"sha256": "de9e2f06ac233b18717fc0fd650d667ca13b785a9bf7cffbe31045d94bd63124",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7dc45430-7407-4790-b89e-c857c3f6bf23": {
|
|
"rule_name": "Potential Execution via FileFix Phishing Attack",
|
|
"sha256": "3a1b732e8be3a1cf4952a67727c6163f1f442150dc53f09939833ae406ce4ab2",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
|
|
"rule_name": "SSH Key Generated via ssh-keygen",
|
|
"sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
|
|
"rule_name": "Suspicious Kworker UID Elevation",
|
|
"sha256": "bf59b10250da89d024f6f5d1f4c7e97528116633e4d8418f440ad65dd0424702",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
|
|
"rule_name": "Microsoft Management Console File from Unusual Path",
|
|
"sha256": "8bd90f260cdbeb5d6567c41d2954e4ee3d028c6594291717fab5917b67d1358f",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"7e763fd1-228a-4d43-be88-3ffc14cd7de1": {
|
|
"rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed",
|
|
"sha256": "f568ead2710b37deeb2320ef4fc6ea487c4490d7ddb3b1b30f2a50461fbabeb5",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"7eb54028-ca72-4eb7-8185-b6864572347db": {
|
|
"rule_name": "System File Onwership Change",
|
|
"sha256": "81a9e544cead76ee7b81192939ed74e86ec20a6e1ace52d27147aaaa2aa0cc93",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"7efca3ad-a348-43b2-b544-c93a78a0ef92": {
|
|
"rule_name": "Security File Access via Common Utilities",
|
|
"sha256": "629e259fc95453f3de0e1fa2134039f0371043cc2b4fa9703296a46ef7d8dc69",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "209bb76a623ef2ceecf2a1aee175416811264a846f5849790c6d7cbb8ef45131",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"7f65f984-5642-4291-a0a0-2bbefce4c617": {
|
|
"rule_name": "Python Path File (pth) Creation",
|
|
"sha256": "51f4a31fd30564d6ed4c5f7b2b7fc3a1dcc968bde90c6d00593f4bc6e8ac17a3",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
|
|
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
|
|
"sha256": "63bf1b6a1cb881c4b835fa9658024abdbb4762b887b80930acde8b6883a9a2c1",
|
|
"type": "new_terms",
|
|
"version": 104
|
|
},
|
|
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
|
|
"rule_name": "Systemd Timer Created",
|
|
"sha256": "f2d9c02ff7869120342d9c262c8d1afa3adbd88800abe6744d0d605b59182b16",
|
|
"type": "eql",
|
|
"version": 18
|
|
},
|
|
"7fc95782-4bd1-11f0-9838-f661ea17fbcd": {
|
|
"rule_name": "Excessive Microsoft 365 Mailbox Items Accessed",
|
|
"sha256": "b741065a55b3437b861e17871cd9a198a211a2bb9a6b035fee3b3b7331428b29",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
|
|
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
|
|
"sha256": "6d88b7bf2484d20a30c85309900202651b324407d516d569f99e2d282dc2a8ba",
|
|
"type": "esql",
|
|
"version": 6
|
|
},
|
|
"80084fa9-8677-4453-8680-b891d3c0c778": {
|
|
"rule_name": "Enumeration of Kernel Modules via Proc",
|
|
"sha256": "82c12d5219a3f622f4632a3e6c9a468676fff8dc5b04f9714e2f74d8ab6d33bb",
|
|
"type": "new_terms",
|
|
"version": 109
|
|
},
|
|
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
|
|
"rule_name": "Unusual Process Extension",
|
|
"sha256": "85aada873799d2431ff32fe657e4ba002fcd4cf73c7d5d23d9660764dcec119d",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
|
|
"rule_name": "Potential PowerShell Obfuscated Script",
|
|
"sha256": "2704d9f00e0dde549f0ed2acc2e4b4c78b56ce3b6abbbce8060a543e57798f86",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
|
|
"rule_name": "SSM Session Started to EC2 Instance",
|
|
"sha256": "504f3a50d1bd25b8e6af53a7de52f7536a9a2b90a733395388672099dd77243f",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
|
|
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
|
|
"sha256": "e7c4132d51d3d348842c0ba1e39ac406a80258333d648ada160ba675f302facd",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "badc6a5976ec7afe16af98d9d59d033002ebd31687f59d4d87a8427d710dfbeb",
|
|
"type": "machine_learning",
|
|
"version": 211
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"rule_name": "Process Injection - Detected - Elastic Endgame",
|
|
"sha256": "3d170371447ea0ae70919136a26912497111be7f8e2587724e3d9187e4608f77",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
|
|
"rule_name": "Unusual Remote File Extension",
|
|
"sha256": "6639f9ff4a1f988b52a9cf37174c52d2d2aa6b81df7e3d3959341cd9178e1f55",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"8167c5ae-3310-439a-8a58-be60f55023d2": {
|
|
"rule_name": "Suspicious Named Pipe Creation",
|
|
"sha256": "494984781f6a9d1a60f60d5ddd02a51a71de36c58fcf5889976860b913bdfbd9",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "cfe3053df0db70d67a72023180094f2722668f0335e1ad4d7a844576c4da0d23",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "d5686f550627a508b223292a2b247f4a7f7f4d16821b6a75ecd4c7a04bd3c934",
|
|
"type": "query",
|
|
"version": 317
|
|
},
|
|
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
|
|
"rule_name": "Temporarily Scheduled Task Creation",
|
|
"sha256": "87186c115e345e916305a0c9a4a12164a6e2e3d346976ac6190fbe9dbbc6322a",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
|
|
"rule_name": "Apple Scripting Execution with Administrator Privileges",
|
|
"sha256": "05adc3d0061ec5ff0fcfef1b7b4774742c17bc49ce1d5932c4ce5a56238e3ff4",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"82f842c2-7c36-438c-b562-5afe54ab11f4": {
|
|
"rule_name": "Suspicious Path Invocation from Command Line",
|
|
"sha256": "32ac8209c6206e97dc33d6cb67e3dc680bee351c575462757458aa6178e30ba5",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": {
|
|
"rule_name": "Manual Dracut Execution",
|
|
"sha256": "7476c9ca4dfbd1e2d146d992f3f7bf32a2fb8c9e4756b2137fa09e6ad31d354c",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"835c0622-114e-40b5-a346-f843ea5d01f1": {
|
|
"rule_name": "Potential Linux Local Account Brute Force Detected",
|
|
"sha256": "d1bc46bcc14a8781571f47f38848258a847c19db5b94a1b3be7c2ab3cd1da749",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
|
|
"rule_name": "Azure Kubernetes Pods Deleted",
|
|
"sha256": "3c2ebbebc751d69b387b81a34be2f0f49c8e1bf0d13210ccef06e55ef62855cd",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
|
|
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"83bf249e-4348-47ba-9741-1202a09556ad": {
|
|
"rule_name": "Suspicious Windows Powershell Arguments",
|
|
"sha256": "8cde4f0e13db1dfbeaf85432fcc0c28798349173efe32eb81bfd38c946484bf4",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "b51f47ab87ee888749da2459cdd62ef2c9e3d47b48bcd821d7ca42601b6595e0",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
|
|
"rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
|
|
"sha256": "09f6c49d3b72f57141f343b4f77c8b4112cb859139b6ef1a85f09ae998fb6a1f",
|
|
"type": "new_terms",
|
|
"version": 7
|
|
},
|
|
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
|
|
"rule_name": "Microsoft Exchange Transport Agent Install Script",
|
|
"sha256": "9f08eb1c4f45c16bdd270d3cdd1c7a218ca1b406833cb1a35646cd235f82c3e8",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"84755a05-78c8-4430-8681-89cd6c857d71": {
|
|
"rule_name": "At Job Created or Modified",
|
|
"sha256": "4b40c8d4568713d94d3041b310220b96e926d642d9216b845db1d0aca6f8a500",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
|
|
"rule_name": "Potential Upgrade of Non-interactive Shell",
|
|
"sha256": "1316e3fab4c857c35c5b972f7e149867b9ecdb821144631ebc6c7f557e0c651c",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
|
|
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
|
|
"sha256": "8624f4e60af1f160aa68e3c6b11686acf57681f4864862952925ef57000708d8",
|
|
"type": "eql",
|
|
"version": 217
|
|
},
|
|
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
|
|
"rule_name": "Potential Remote Credential Access via Registry",
|
|
"sha256": "205dcbab529bfe7df0ee458c41dc53611d1634570eba8540c5243e4cca827912",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
|
|
"rule_name": "Suspicious PowerShell Engine ImageLoad",
|
|
"sha256": "ede8e2003489d4e45326e71312a1e8e4f29c41c17b541fd6895feb548eb658ee",
|
|
"type": "new_terms",
|
|
"version": 213
|
|
},
|
|
"85e2d45e-a3df-4acf-83d3-21805f564ff4": {
|
|
"rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
|
|
"sha256": "d20f6ac63151a8527f3e3d7607516b14c02b5d6b364d23f9271adb90900ea3cd",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
|
|
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
|
|
"sha256": "6937741695dc02c9bf74f0e166bf81212b51bfd952ae6f5c91c84cc592a66e86",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "c274913be86de801027a68714627b0f65176fd765156673efcebb2bcd5996bfa",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"863cdf31-7fd3-41cf-a185-681237ea277b": {
|
|
"rule_name": "AWS RDS Security Group Deletion",
|
|
"sha256": "ff7be0f614d45a1eced107bbbb41abd87777ff4c5f4509330a0bc338b7e9b121",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "bada191a149505da085f1ada57ea5321346849eb5dc0e430c7bc4befe6072b9e",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"86aa8579-1526-4dff-97cd-3635eb0e0545": {
|
|
"rule_name": "NetworkManager Dispatcher Script Creation",
|
|
"sha256": "08d7e3708c0272d295f9664d7c1a448fe3fd19068faef63ea7b226a774a5f4ee",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
|
|
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
|
|
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"870aecc0-cea4-4110-af3f-e02e9b373655": {
|
|
"rule_name": "Security Software Discovery via Grep",
|
|
"sha256": "9c27e817350dbd08dc61d8370dca3e347fe4982b295ab1564fd94b663d5ac4af",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"871ea072-1b71-4def-b016-6278b505138d": {
|
|
"rule_name": "Enumeration of Administrator Accounts",
|
|
"sha256": "16a09969e21612a30a1b6a5e8210ee37ea2c34d611997845e31c136980d6de63",
|
|
"type": "eql",
|
|
"version": 218
|
|
},
|
|
"873b5452-074e-11ef-852e-f661ea17fbcc": {
|
|
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
|
|
"sha256": "2f9acb987606670ee684082ddc4ae38064488e0333b5be54d7f7000c85689401",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
|
|
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
|
|
"sha256": "538d46c449202f011f72c3d97d889a051e1acf5e471b34d7b3fa52120de2b745",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"877cc04a-3320-411d-bbe9-53266fa5e107": {
|
|
"rule_name": "Kubectl Network Configuration Modification",
|
|
"sha256": "f52b65c61add58050fdf37f23b51c7f49e70f75ffcd36f2a268c0c7d8fb5b4c7",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
|
|
"rule_name": "Linux Clipboard Activity Detected",
|
|
"sha256": "3103b6fd533966d95b245a9b35c541d45780672fdfa91ab299b2afea77a19523",
|
|
"type": "new_terms",
|
|
"version": 8
|
|
},
|
|
"88671231-6626-4e1b-abb7-6e361a171fbb": {
|
|
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
|
|
"sha256": "15c2ef603fa386034d9c15726475fdb118c5068f3a25df4559a4213273c5b1f9",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"88817a33-60d3-411f-ba79-7c905d865b2a": {
|
|
"rule_name": "Sublime Plugin or Application Script Modification",
|
|
"sha256": "dffeb89bd2bc7aa9295056acf3f3e48cf641480002098af31aac13a9fd518282",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
|
|
"rule_name": "Potential Sudo Hijacking",
|
|
"sha256": "a532864b163d06996dc8f971781b80a9eb9f1b6ef8d322fa58e2893129192bef",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
|
|
"rule_name": "Suspicious WMI Image Load from MS Office",
|
|
"sha256": "09e1c7f150b87198870ffe8fc507a6dc726cee93d0b56ac28541e82f1e09fdf0",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"894326d2-56c0-4342-b553-4abfaf421b5b": {
|
|
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
|
|
"sha256": "806992ca659709f31c282aa36432f26f3390a06a625c9a7a25de043e9d5f394d",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"894b7cc9-040b-427c-aca5-36b40d3667bf": {
|
|
"rule_name": "Unusual File Creation by Web Server",
|
|
"sha256": "fa5fc4ccea16df933ee8257a2e7743b75e88d0885c61ae805f69b2541793766a",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the vi command",
|
|
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
|
|
"rule_name": "Kerberos Traffic from Unusual Process",
|
|
"sha256": "ebee242d6ebd5dd4df5eb9d53e35e8796a2b0bcb6e499808ec159da4d51abda8",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "49bfbc43dd89ec3bafeff899df67ba47d7277ba6fe766a6d712ab996f5e26918",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
|
|
"rule_name": "Persistence via DirectoryService Plugin Modification",
|
|
"sha256": "e1d2923b4618260ae746187c3d2d189c499dd85784378c90e3221265517e2688",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
|
|
"rule_name": "Suspicious Symbolic Link Created",
|
|
"sha256": "c626e05d95bf6f2caeec7338d852ca07b9d6465fb05303e6c68a3d8ab6196eb4",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
|
|
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
|
|
"sha256": "5b134678f04342b904ee4c63980fc14bdcf2f7cbf135b07967094491c2b4da6f",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
|
|
"rule_name": "GitHub PAT Access Revoked",
|
|
"sha256": "f2df2aa417dd23bf02331ebd404b3dd336f446beb1284f6393f29558895e7cbf",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"rule_name": "SUID/SGID Bit Set",
|
|
"sha256": "443df4aa3ba8b66d3df4e7c1f7c47f61c8bacc4d16dfad4e120a59da423b436b",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
|
|
"rule_name": "Suspicious Execution from a Mounted Device",
|
|
"sha256": "473eabf294ab4380f9f702623f6fc613eae4d0c69170277bf305be4e4261264b",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"8a1db198-da6f-4500-b985-7fe2457300af": {
|
|
"rule_name": "Kubernetes Unusual Decision by User Agent",
|
|
"sha256": "16245d0f0188b84f8ba8bfd90fb7a575594bdbe27999abb3cddc4e4acd2ff740",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
|
|
"rule_name": "Attempt to Deactivate an Okta Network Zone",
|
|
"sha256": "dbce4eb6536e98fead4c6b92a94a9dfc69b503211cd450e3c89655a61ff3653d",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": {
|
|
"rule_name": "Unusual Command Execution from Web Server Parent",
|
|
"sha256": "9f04d7a84b28aa6755992666e62838bd70bd7b7b428ad1d9788f1a083e115f6b",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
|
|
"rule_name": "Deprecated - Suspicious JAVA Child Process",
|
|
"sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
|
|
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
|
|
"sha256": "bd756e5ab70fb9674d36a0fd450a5d44f61f0c6d300408746bc5cca85c52856c",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "795dc8b265d22118111f0d5222bd9a7cd27f3afa85be0ed6cf1a82ebeeeff7b5",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "99dc7a9c6876fec4e4060cdbcf28d7130c3565fea6a90dd59ca66e76b6b32c09",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
|
|
"rule_name": "Azure Kubernetes Events Deleted",
|
|
"sha256": "2c77aa12b22f5cfb250f1491aebdce093524d64675148917ec0bf0d00ac232d3",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "dcdfd61701dea4fe94233755e511f8bcf367c7b025cf088786c7a2d094011cec",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "bc0a906f4a1bb8f44279b6c9baf876b4b66b45f19e8afb6fe1d23e5ec613a4c9",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
|
|
"rule_name": "Potential SharpRDP Behavior",
|
|
"sha256": "6d506eeffc6b03a3695cc525f379e6d1c988c17a56a8b90f8f8e202c073febb8",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": {
|
|
"rule_name": "Unusual Host Name for Okta Privileged Operations Detected",
|
|
"sha256": "7a6965067decb91421ed50757505f4af9ffd89cf9cf0f0e91cae128d11f3a3e9",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"rule_name": "Ransomware - Detected - Elastic Endgame",
|
|
"sha256": "2011f6739abbd03c4369c3fa7727c0657b1f67a5333d12dd0d202ebdee66f918",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
|
|
"rule_name": "Potential Successful SSH Brute Force Attack",
|
|
"sha256": "e91d5c6c36ea008088f229fd3965255cb4eae323aaf66847a843041435991871",
|
|
"type": "eql",
|
|
"version": 14
|
|
},
|
|
"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": {
|
|
"rule_name": "RPM Package Installed by Unusual Parent Process",
|
|
"sha256": "3c4af02088247445a602b9d7547d09687a7bb9f7bbde9399e2ac423f58aee14c",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"8cd49fbc-a35a-4418-8688-133cc3a1e548": {
|
|
"rule_name": "Proxy Execution via Windows OpenSSH",
|
|
"sha256": "b2cbea79be7cb1bdd6745a9aa091c6bab2f473f2dbbb56db20f761cb3b44584d",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
|
|
"rule_name": "File with Suspicious Extension Downloaded",
|
|
"sha256": "f9b8f99ec26b989e24f1152d9ad42ab9af8e41d40acd404ef8667b07cb6f0ac4",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"8d3d0794-c776-476b-8674-ee2e685f6470": {
|
|
"rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container",
|
|
"sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"8d696bd0-5756-11f0-8e3b-f661ea17fbcd": {
|
|
"rule_name": "Unusual ROPC Login Attempt by User Principal",
|
|
"sha256": "bdd2581f51ed95a53f55aee72dfc8534239a594983d1ce3fb1cab7d57cc78893",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"8d9c4128-372a-11f0-9d8f-f661ea17fbcd": {
|
|
"rule_name": "Microsoft Entra ID Elevated Access to User Access Administrator",
|
|
"sha256": "ec9ac65f7b62971dbd3b66da050bb66e142abaf6931ac3230abcd430d612f8b8",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
|
|
"rule_name": "Potential Privilege Escalation via PKEXEC",
|
|
"sha256": "deb464e30e85354dc3dcfc4f32483257772a7a1b609d9dc33a8560f230be4e90",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
|
|
"rule_name": "Azure Automation Runbook Deleted",
|
|
"sha256": "ab2ea4a3b43651bea71fae7c55eb7e232aafc0466f4f570ab0b4b0cee4a78229",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"8e2485b6-a74f-411b-bf7f-38b819f3a846": {
|
|
"rule_name": "Potential WSUS Abuse for Lateral Movement",
|
|
"sha256": "13e32526ec5f3ea8afe105014601fb2d3cf7ede6434f1558469e2246d7a17072",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
|
|
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
|
|
"sha256": "4d5ec92b6f2172b7a6f70ad0e96425134d404f434be5f19e8347ab2f531bce2d",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
|
|
"rule_name": "Bitsadmin Activity",
|
|
"sha256": "ebcef83158cf83d309f5a795e4af56f9baaf29a4683c7458757351eec539a0f2",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8eeeda11-dca6-4c3e-910f-7089db412d1c": {
|
|
"rule_name": "Unusual File Transfer Utility Launched",
|
|
"sha256": "69c8afa3b8a767b0a2458a7b93bb995598c358f351aba9f58d4c8594929e3d74",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
|
|
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
|
|
"sha256": "148b2bc654243c7d2b288bd24935dfcf2bbe95f5389f6b3e61979400f65a353f",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
|
|
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
|
|
"sha256": "90bfca890a90f146165106b1404b8a6885c1a3564652b5582fa49eba3b3ea4a9",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
|
|
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
|
|
"sha256": "5a6c0fd9f1056ae1872a6860d6986dba91877e1eeb3641f5a39569457c350d3f",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
|
|
"rule_name": "GCP Service Account Deletion",
|
|
"sha256": "d28cb031d8ed5b38960fed5ee753e8fcc442cf190199f12d1d7b4e3d117d8de1",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
|
|
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
|
|
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "1209b2a3c652cad88138da2eb87892666eaa6d7c4a8b6182d2134dd19b745c51",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
|
"rule_name": "AWS Deletion of RDS Instance or Cluster",
|
|
"sha256": "c0ced9e98431f4313c2ee2846e7d348cf0c0a199a2116036d425cee836f6e272",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
|
|
"rule_name": "Simple HTTP Web Server Creation",
|
|
"sha256": "09d1e2572199485077d735bffff652219048ec73fa86172f00923373d98172b4",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
|
|
"rule_name": "Keychain Password Retrieval via Command Line",
|
|
"sha256": "c39cbcc9ec00fb8b8524d9882aa4493642e4a647cde6977cb299df8d20c86b1d",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"909bf7c8-d371-11ef-bcc3-f661ea17fbcd": {
|
|
"rule_name": "Excessive AWS S3 Object Encryption with SSE-C",
|
|
"sha256": "e530fe9184fdc063881be5f579bf5183c9a5b55dea8ce6896ad4580f3df72b00",
|
|
"type": "threshold",
|
|
"version": 4
|
|
},
|
|
"90babaa8-5216-4568-992d-d4a01a105d98": {
|
|
"rule_name": "InstallUtil Activity",
|
|
"sha256": "1f836d04fff5d1714236d933b95423d63a44b8df46085065d9e394338ffd3e8c",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
|
|
"rule_name": "Auditd Login Attempt at Forbidden Time",
|
|
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
|
|
"rule_name": "Linux System Information Discovery via Getconf",
|
|
"sha256": "de08bafde13be30f25eed89b257f1dcb7cf6d1b591601d9b550285c585feda80",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"90efea04-5675-11f0-8f80-f661ea17fbcd": {
|
|
"rule_name": "Microsoft Entra ID Suspicious Cloud Device Registration",
|
|
"sha256": "683463ee25470818dc6bcc33030de6312d9f7b10ac0408b7e01f3317845b4e0f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
|
|
"rule_name": "GCP Virtual Private Cloud Route Creation",
|
|
"sha256": "9ed99ec9a3de42fb40262d6e25e3ad8a768e7d263d9871a96371fbd40bab8993",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"91d04cd4-47a9-4334-ab14-084abe274d49": {
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "6363def11bfe62bcbe494e149a9bfc79bddd95d0b22db0a1bb4785503f70bf7c",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "ac0052e2c70450d918b677a7f8f2d3408af1b451b1788e4f8c86581933e2603e",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "48f49cf6ff7a2b88e730b821486130bdeb51163a054125e315df8a5b5f18e1f5",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "2871a56af162b6dcaa9cb770f845ce1100523e91f5cf859a93332be52e9d4a0c",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
|
|
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
|
|
"sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"92984446-aefb-4d5e-ad12-598042ca80ba": {
|
|
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
|
|
"sha256": "1900e8b5d7fcee1a459e9679ad51643080f62aeca67caae4f511dfb6a093f9aa",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"929d0766-204b-11f0-9c1f-f661ea17fbcd": {
|
|
"rule_name": "Microsoft 365 OAuth Phishing via Visual Studio Code Client",
|
|
"sha256": "69ec4930f25e7ceca53b47c161c1c163a656a0077256cf62957b709a3059adaa",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
|
|
"rule_name": "A scheduled task was created",
|
|
"sha256": "7934e4ed22a27c1b5d20983cf6b8666433a3535dff45e1cefc66f45152fedb52",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"92d3a04e-6487-4b62-892d-70e640a590dc": {
|
|
"rule_name": "Potential Evasion via Windows Filtering Platform",
|
|
"sha256": "adef5e4455f6e473e36a4449f35b4cc39bc56074ba769f171a3fa2a7514b6f83",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"93075852-b0f5-4b8b-89c3-a226efae5726": {
|
|
"rule_name": "AWS STS Role Assumption by Service",
|
|
"sha256": "46cd3290d2453975460c945776cbf4599d425f40debf643e90ec2e298c3644dc",
|
|
"type": "new_terms",
|
|
"version": 213
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "fc92a6f4fda2c89dab1cdacc3e73b7ea65c24e8ce57b85aa72bd578b403a9b40",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
|
|
"rule_name": "AWS VPC Flow Logs Deletion",
|
|
"sha256": "a7065e1b8fe61ce3a22ffa4ef3c73475edafa82b86918e0e0c1225bc06fd4203",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
|
|
"rule_name": "Suspicious SolarWinds Child Process",
|
|
"sha256": "2f4bef09433201d5737c30386cbb965fe99bff5eb973d5f4b5d9e32905e035d5",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
|
|
"rule_name": "Encoded Executable Stored in the Registry",
|
|
"sha256": "28e1eea911bb6da17c9e7545b44f86927de6020e8e4ea22af960a2610cd011e3",
|
|
"type": "eql",
|
|
"version": 415
|
|
},
|
|
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "7be1cb011c38151697499b5072f449871604670f61f78a51bcc8cd4f20891454",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
|
|
"rule_name": "Modification of Standard Authentication Module or Configuration",
|
|
"sha256": "a3ec4aa1bace9ef4e52df433a1a9130b8ea7d6ed43756319c31ea2a5eb523627",
|
|
"type": "new_terms",
|
|
"version": 207
|
|
},
|
|
"94418745-529f-4259-8d25-a713a6feb6ae": {
|
|
"rule_name": "Executable Bit Set for Potential Persistence Script",
|
|
"sha256": "3293b5ab4e50b1c4105bbceb0c7387478f8a08ab9dba1242d52e7b0fe2e5657f",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
|
|
"rule_name": "Creation of Kernel Module",
|
|
"sha256": "2f8ab1f735866250beea8676143a799545d6c2a7737d1deaeaddae3082bd58de",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
|
|
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
|
|
"sha256": "17df1e8317f166bef619db95bf42ae315bcd87b76662babd058636cf0ed7532f",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
|
|
"rule_name": "Multiple Okta User Authentication Events with Client Address",
|
|
"sha256": "c0ff54d33f87c27d8078d40c14cf9ececf62c8a21b351855ec3eaa69805547da",
|
|
"type": "esql",
|
|
"version": 206
|
|
},
|
|
"9510add4-3392-11ed-bd01-f661ea17fbce": {
|
|
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
|
|
"sha256": "9e8da7966327e7084cc501b66081920953cc7c1339a8928f7290e52a4d2ef593",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"951779c2-82ad-4a6c-82b8-296c1f691449": {
|
|
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
|
|
"sha256": "795307cfa5ce885d42cef8999051b0002e6cecd2dfeaf564ec0acf070ed356dc",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"952c92af-d67f-4f01-8a9c-725efefa7e07": {
|
|
"rule_name": "D-Bus Service Created",
|
|
"sha256": "a87d692f51495c10a178636bff52caeb6b6be4413b4620d6af670c058e9cce56",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
|
|
"rule_name": "Remote Scheduled Task Creation",
|
|
"sha256": "8cd15104409a97fd4438abc212c1c0ff0707de6458eeb1e1d8f7420e40c241c2",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"9563dace-5822-11f0-b1d3-f661ea17fbcd": {
|
|
"rule_name": "Suspicious Entra ID OAuth User Impersonation Scope Detected",
|
|
"sha256": "33c7c9940abee6fa81c1f68a2e97a979319e1c3bab0dcdefa4eb9d5c2e6675d9",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"959a7353-1129-4aa7-9084-30746b256a70": {
|
|
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
|
|
"sha256": "bd130b1a240a37f0fcff67e573d62ae151f92eda3579ddc0b040387d42c80804",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
|
|
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
|
|
"sha256": "89975c16b8a516727a9b1cae53a92a59cc0eacc72527c5a2bb22ec2ed9ef8c4a",
|
|
"type": "esql",
|
|
"version": 206
|
|
},
|
|
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
|
|
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
|
|
"sha256": "f1670dfd45e43ac5895b53ca679f177046d57bc693a881636a01300acff3ecbb",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
|
|
"rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
|
|
"sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
|
|
"rule_name": "File made Immutable by Chattr",
|
|
"sha256": "1da15587c447348c4434f306511cf018983792105bde2b4ae6627cd619ae47d8",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"96b2a03e-003b-11f0-8541-f661ea17fbcd": {
|
|
"rule_name": "AWS DynamoDB Scan by Unusual User",
|
|
"sha256": "0da9d5a9ea1fe0814c0fa7782ac2a24f7f7f89aeb8855498aab85a14ed332a58",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "a5d1a18063a75668e70700f1528f8337ed0d0f3744f711f615a6b1bc9a4164c7",
|
|
"type": "query",
|
|
"version": 412
|
|
},
|
|
"96d11d31-9a79-480f-8401-da28b194608f": {
|
|
"rule_name": "Message-of-the-Day (MOTD) File Creation",
|
|
"sha256": "d889a1413faf932bfaf1dff530c67c6c93a601b5e764e613a57f9509f200a23e",
|
|
"type": "eql",
|
|
"version": 15
|
|
},
|
|
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
|
|
"rule_name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process",
|
|
"sha256": "c279f98199a5b04feb2862a6366b838116076f27a12f928988e6fa4747284e71",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"96f29282-ffcc-4ce7-834b-b17aee905568": {
|
|
"rule_name": "Potential Backdoor Execution Through PAM_EXEC",
|
|
"sha256": "f3793cbe0f64d4a603f9bbcf1285df18b8e61f72444c22cdabf08f290ae1a57b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"97020e61-e591-4191-8a3b-2861a2b887cd": {
|
|
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
|
|
"sha256": "721369ff74415e524db18c08b07e924d7fc2afb77dd0de54c0094712ccad6b66",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"9705b458-689a-4ec6-afe8-b4648d090612": {
|
|
"rule_name": "Unusual D-Bus Daemon Child Process",
|
|
"sha256": "461e15979a131ccd6a47fdc6d7d88b4f0c3661b906cb5ad43d94be136d34e3e7",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"97314185-2568-4561-ae81-f3e480e5e695": {
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
|
|
"sha256": "8f228558c28a8d6278f0419ab277faa3dbb02172782509af99a4a14bf8a3234e",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
|
|
"rule_name": "GCP Storage Bucket Configuration Modification",
|
|
"sha256": "c138eb09128dd118093e7159c1ca2369fe0593b5c3cfead636e46f3864dae12d",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
|
|
"rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container",
|
|
"sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"976b2391-413f-4a94-acb4-7911f3803346": {
|
|
"rule_name": "Unusual Process Spawned from Web Server Parent",
|
|
"sha256": "450d7bfd876b254e435bbbab830503697dc8637b22533ccdebd455e521f31ac0",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"979729e7-0c52-4c4c-b71e-88103304a79f": {
|
|
"rule_name": "AWS IAM SAML Provider Updated",
|
|
"sha256": "8280df81d9c1a20110f986792b304bff16932b6084d084eb2b040d6dd3744f4f",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
|
|
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
|
|
"sha256": "4041c4ae09570e6883d75b0cc6d734066a4ad40fdd5c2249576cc80d9efac0c3",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "49e682ed0900fe6b4dd64afcb66820ad063b579ddb64ab9e0f6f7ed0df6b229e",
|
|
"type": "eql",
|
|
"version": 420
|
|
},
|
|
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
|
|
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
|
|
"rule_name": "Suspicious Renaming of ESXI Files",
|
|
"sha256": "44f27c7249bafcc36b63740acc5ee15d6ece8db5bbc0d0a3feb7507e1c6ba859",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"97fc44d3-8dae-4019-ae83-298c3015600f": {
|
|
"rule_name": "Startup or Run Key Registry Modification",
|
|
"sha256": "39c28c83008ef62eb99a0de82b8be41f060c25120f83de8cd7666d847a57279d",
|
|
"type": "eql",
|
|
"version": 117
|
|
},
|
|
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
|
|
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
|
|
"sha256": "a0ba2bcc49a34c7465962ad88f73de571ce3f2066628be2012d784ad3c144815",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"9822c5a1-1494-42de-b197-487197bb540c": {
|
|
"rule_name": "Git Hook Egress Network Connection",
|
|
"sha256": "e1c4baf61a1fa1e0dba355a4011dc0d61e5679e77b3a011b194781f84f4c4074",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
|
|
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
|
|
"sha256": "cb9a8717146f6e34600a679ddc6cd6389f9467ebaf8262cb9fb5bd4aaa054eb7",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
|
|
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
|
|
"sha256": "1d8b7387ffc9ba14ad87292fe10c366ccadee0b56b8e0932723616aa4afb8154",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"9890ee61-d061-403d-9bf6-64934c51f638": {
|
|
"rule_name": "GCP IAM Service Account Key Deletion",
|
|
"sha256": "117b18f02e0d843e522d6111e758b53add8d55cb5ea06ccb3cb11fe297f88a4b",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
|
|
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
|
|
"sha256": "4a3916adc7c515a672a6aeb510e774ae1e57ccafa2ba7c24c14427e013695c8f",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": {
|
|
"rule_name": "Kubectl Configuration Discovery",
|
|
"sha256": "8e19fcd9899ba3285374e1499fd908f19cbeb9940fd3a022e3629576ac485425",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"rule_name": "Deprecated - AWS EC2 Snapshot Activity",
|
|
"sha256": "f018635a33a67f68ce5ed0b514c90f9a136b4bb3e7d4b2991c4d51c8bc7cb121",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"rule_name": "Process Injection - Prevented - Elastic Endgame",
|
|
"sha256": "a0bffa98b85b5302f04968bd516704fa0a3f9b1d3c9378af798ce9ddbae69612",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
|
|
"rule_name": "Suspicious Installer Package Spawns Network Event",
|
|
"sha256": "36abc0c0a66851f146ca5de478c883481a4db57dc1fa336a5e0434091e7e8288",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"994e40aa-8c85-43de-825e-15f665375ee8": {
|
|
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
|
|
"sha256": "87a4644df0fd8f0a046677d6b1a8af3beb420efbcbfe4436f6e44bfce6b47200",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"9960432d-9b26-409f-972b-839a959e79e2": {
|
|
"rule_name": "Potential Credential Access via LSASS Memory Dump",
|
|
"sha256": "8644c4d2fd74db78d00a78306bbc41d28e0fa36336de210c61211c8d3b8b4c9a",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
|
|
"rule_name": "Access Control List Modification via setfacl",
|
|
"sha256": "0f5698493739d75cf02fb28516e118e26b5890d48c2d6e796244f89605812d0e",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"99ac5005-8a9e-4625-a0af-5f7bb447204b": {
|
|
"rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
|
|
"sha256": "386127d0c66af62ae5577f0cd57b8f5c8627cbcc9d3484f413ffe10d01dcabb2",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"99c2b626-de44-4322-b1f9-157ca408c17e": {
|
|
"rule_name": "Web Server Spawned via Python",
|
|
"sha256": "77b22cd08b5914432d68b171d61a3905c8672618463d246175b170c87f519845",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"99c9af5a-67cf-11f0-b69e-f661ea17fbcd": {
|
|
"rule_name": "Potential VIEWSTATE RCE Attempt on SharePoint/IIS",
|
|
"sha256": "bb8b21db9e5d74586d51fb821124a37c98917348d26a72bccecddea93d210c28",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
|
|
"rule_name": "Spike in Failed Logon Events",
|
|
"sha256": "f86fdfd7f9e5f3789e9063903170f36e24b74691d8e3c80a274cb3ad7158f35e",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
|
|
"rule_name": "Endpoint Security (Elastic Defend)",
|
|
"sha256": "9a34f25056907f42962de240e218fc715885d5e29636b34368c1b817e89a3e25",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
|
|
"rule_name": "Unsigned BITS Service Client Process",
|
|
"sha256": "e5e1fcb9ece7005ef0bf2067c7f44e12d243276d89aa4b0a9100bfab5196ca5c",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
|
|
"rule_name": "Potential Shadow File Read via Command Line Utilities",
|
|
"sha256": "6d8d777083d498769a0e564ef9e68a5e6ccfafc6305b934e9b4ed64825b8dcc0",
|
|
"type": "new_terms",
|
|
"version": 212
|
|
},
|
|
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
|
|
"rule_name": "Suspicious Explorer Child Process",
|
|
"sha256": "dd80f5817acac0027dcebc6619363825539469594a770675572c555afdec7fb7",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"9a6f5d74-c7e7-4a8b-945e-462c102daee4": {
|
|
"rule_name": "Kubeconfig File Discovery",
|
|
"sha256": "62774744580848e336d482245061e0a5f8f1d339f2df4400d951438aaaa5921f",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
|
|
"rule_name": "Scheduled Tasks AT Command Enabled",
|
|
"sha256": "a18589e10e7f28f4117607f6677da79ad0fff040ad5c9d28e93f837471c51963",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
|
|
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
|
|
"sha256": "fe18f1e29bcdc1dcebe1106d801d86351d22fd0e8f8cf68879814bf0a2cc1c96",
|
|
"type": "esql",
|
|
"version": 7
|
|
},
|
|
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
|
|
"rule_name": "GitHub Owner Role Granted To User",
|
|
"sha256": "f2f81d6a850a0317bfda8ce3adb7dc062645f5850734d86e983f453a3f48bcd4",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"9b35422b-9102-45a9-8610-2e0c22281c55": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "SentinelOne Alert External Alerts",
|
|
"sha256": "68730c7058c78efbdb1fa839ed203894407fe046b9db371d79697927d04df699",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
|
|
"rule_name": "Persistence via WMI Event Subscription",
|
|
"sha256": "c41ecc6deef7ce4de642b215d877cca87c3bdd1c8dbbddece705c8d211f78b82",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
|
|
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
|
|
"sha256": "ceb770bc643864431d0f96f8cc58ab5eae521602391b142b823453b323972348",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "390ab06dca3ca8c0b33b0af8548cfa728ba4c0ddd18d67a0435f3209a453f6da",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
|
|
"rule_name": "Unusual Interactive Shell Launched from System User",
|
|
"sha256": "67c5bf3ca9eeb3d099eef811478d0c7b5acb41fba1716cd4d7cd2ca2f8a48c47",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
|
|
"rule_name": "Remote Scheduled Task Creation via RPC",
|
|
"sha256": "512d0ce91eb5c57aa7ce67c0cabbbd50f562b5583b728978d370142b6f8625c4",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"9c951837-7d13-4b0c-be7a-f346623c8795": {
|
|
"rule_name": "Potential Enumeration via Active Directory Web Service",
|
|
"sha256": "01cc2728a3aaa64490a4359643d8ef66af312f2ca4a2e9b3c9cf9d655fafea00",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
|
|
"rule_name": "Command Shell Activity Started via RunDLL32",
|
|
"sha256": "379df55e153fd1e17d278871998bcf006f466b6c83ec9dffcb79da7c95d5c2fe",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "3bfe7eaae5117b71fc1a82223959ccd472cabbc6ebdab8c26f4711762ad6eafb",
|
|
"type": "new_terms",
|
|
"version": 315
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "ea39741402eae1c2de3b16ea9b7967105bb1104d83fde8cee5a1ed125bc989b6",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "f6ac7fc8d32860bef59151f6f6bd9f35f7f4a0d8c9b4030c1f4ece5e3958cfaf",
|
|
"type": "eql",
|
|
"version": 218
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"rule_name": "Potential Credential Access via Trusted Developer Utility",
|
|
"sha256": "c0a27cb947621baeb5635ca97bbe0d49655c9dc8093857231da6d79f7279c93b",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "f086d2d4cfdaf54e148ce831bc493cb4f91a0fefcac59b581211c43406e7679a",
|
|
"type": "new_terms",
|
|
"version": 318
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "a072afc3d6fd07513849b5a4100fd01811c2a7a1f13ddf178a7e069277df0073",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"9d19ece6-c20e-481a-90c5-ccca596537de": {
|
|
"rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading",
|
|
"sha256": "1f613942d9635e2ee4408f035335dc11248c2834c138baa4e331d1a0ec21274c",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
|
|
"rule_name": "Unusual Linux Process Calling the Metadata Service",
|
|
"sha256": "17a28b4dce20cb1cb51218cf838490173d818ace7c6afb91e9ecee3e1b61b565",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"9e11faee-fddb-11ef-8257-f661ea17fbcd": {
|
|
"rule_name": "Microsoft Entra ID Rare Authentication Requirement for Principal User",
|
|
"sha256": "55518202fed5ff07044b06a1121036f4f5cbf940e71927154686fbe000ac04b2",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"9ebd48ac-a0e2-430a-a219-fe072a50146b": {
|
|
"rule_name": "AWS CloudTrail Log Evasion",
|
|
"sha256": "9e5d44c6c292f3f18557af3764294a0e03bfcc100c90a5eb9a012b201ecdaca2",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"9edd1804-83c7-4e48-b97d-c776b4c97564": {
|
|
"rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
|
|
"sha256": "818f3ee681de149ffba0cd3b9141ac53f478b6a921c742d6025a2ab0b70fc92a",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
|
|
"rule_name": "AWS RDS DB Instance Made Public",
|
|
"sha256": "6ab37a0c54d41e81d56ba27c0ad3dcac227dc7a8f82cd0f4324da20cc757080b",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
|
|
"rule_name": "Potential Protocol Tunneling via EarthWorm",
|
|
"sha256": "50ccc8e65d6465a917ff7fa3562a3a954ad11bef6c770626aa05198f1a57c385",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"9f432a8b-9588-4550-838e-1f77285580d3": {
|
|
"rule_name": "Dynamic IEX Reconstruction via Method String Access",
|
|
"sha256": "d780db42a9137fadf25fea4f63c471704e7c6f0b488e4dbb61ceb66ce75e0efc",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
|
|
"rule_name": "Potential Credential Access via DCSync",
|
|
"sha256": "6d3f6bb39a4f822e9bf45d3e0eb26e9ce75a3107ccb975e76fc570cb3436a1db",
|
|
"type": "eql",
|
|
"version": 219
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "dbb55b7547fb9d36e6450abf01de10f62f95cb186abb9b849f2e2ff477d216e5",
|
|
"type": "new_terms",
|
|
"version": 214
|
|
},
|
|
"a00681e3-9ed6-447c-ab2c-be648821c622": {
|
|
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
|
|
"sha256": "5acc1b7578cb1c9aa94b918567c2c4f457ec1f3f9e675ad3f8a027688bb51ed3",
|
|
"type": "new_terms",
|
|
"version": 316
|
|
},
|
|
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
|
|
"rule_name": "Unusual Scheduled Task Update",
|
|
"sha256": "47f99411f4f5c8f031955187c6b959863cc23626e0f8c69ae04fd61f5a0210b4",
|
|
"type": "new_terms",
|
|
"version": 115
|
|
},
|
|
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
|
|
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
|
|
"sha256": "3cbafc482604e164777c0a7d8abc26b64c3333f50c2129c8182d169c747e8636",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
|
|
"rule_name": "GCP Pub/Sub Topic Creation",
|
|
"sha256": "99fda56283f6a5bc7b7a2a8f783178516e9590efeb3d04c0a96f7ba53346810e",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"a13167f1-eec2-4015-9631-1fee60406dcf": {
|
|
"rule_name": "InstallUtil Process Making Network Connections",
|
|
"sha256": "422c5f78e61e61a60f06cc1a38e9759242687246cda0c59c36ef24db0cbd5359",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "38364f20e36aaae29e165a3e0c9c3193d18addfb698d1ab56197ea8fd52725ff",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
|
|
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
|
|
"sha256": "e387af91f7e1e693d71caa63bc7a80a8cad970b65d3b9b3790eba5b894e71fae",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
|
|
"rule_name": "Windows Subsystem for Linux Distribution Installed",
|
|
"sha256": "12fb13bd4b276eee68b30f7ce5743d3f6da9f2da1f47d5c77aee0fb852f1eab0",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
|
|
"rule_name": "GCP Virtual Private Cloud Route Deletion",
|
|
"sha256": "354d06b8918adc41575d74a6e7c19525f434aef4a51c270d1a82c77a009f667b",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
|
|
"rule_name": "My First Rule",
|
|
"sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba",
|
|
"type": "threshold",
|
|
"version": 5
|
|
},
|
|
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
|
|
"rule_name": "Potential Reverse Shell Activity via Terminal",
|
|
"sha256": "85632de93b14e074f7b1cd989c58964ffacc5f4c3adb2d382c0092498fb89563",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
|
|
"rule_name": "Linux Group Creation",
|
|
"sha256": "117c5642bf9abb1c8ced8f0fb4f7ea6f53eeb0d759dcd7d7ef8d94931407ed0d",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
|
|
"rule_name": "DNS-over-HTTPS Enabled via Registry",
|
|
"sha256": "f5f6233b37a46200c93eabea190aaca9549c10deb5f9d832bc8cbff7479e5302",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"a22b8486-5c4b-4e05-ad16-28de550b1ccc": {
|
|
"rule_name": "Unusual Preload Environment Variable Process Execution",
|
|
"sha256": "2c2b62f69d09f9d5daeeb85e8e5eb3f4e29cabb513e56058cf5fa85b0c8b5116",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"a22f566b-5b23-4412-880d-c6c957acd321": {
|
|
"rule_name": "AWS STS AssumeRole with New MFA Device",
|
|
"sha256": "9d63088e2b97717ca7c8c9b31b18c2ff3c6c8828c47e29e07b65de8806351bf0",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
|
|
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
|
|
"sha256": "290f5dd4735fc16f954e39d424d7f47daab28148de0828a8a22ea588eee81314",
|
|
"type": "query",
|
|
"version": 110
|
|
},
|
|
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
|
|
"rule_name": "PowerShell Mailbox Collection Script",
|
|
"sha256": "5f446fb38d518c427dbfd811969facf2a57d911b25d6114a49f2c87041288f1c",
|
|
"type": "query",
|
|
"version": 111
|
|
},
|
|
"a300dea6-e228-40e1-9123-a339e207378b": {
|
|
"rule_name": "Unusual Spike in Concurrent Active Sessions by a User",
|
|
"sha256": "6766dc8f5e02b59766bf64222d202554ead379489ef45a93a89f75f34701b72b",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"a3cc60d8-2701-11f0-accf-f661ea17fbcd": {
|
|
"rule_name": "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker",
|
|
"sha256": "5b4cb946748f0ce168135326a6b785b8d6237caab940d43e42792bc51db177e7",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
|
|
"rule_name": "Execution via local SxS Shared Module",
|
|
"sha256": "15ce53d9971d69e0cce8aa48ed7d5d0e8f07262067920ed25643ff74947439cd",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": {
|
|
"rule_name": "AWS EC2 Instance Interaction with IAM Service",
|
|
"sha256": "7f99f097bb57ddc1941d88331bcbee883d0ab39981bc2f9b36b90e3de2a4f6ed",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
|
|
"rule_name": "Windows Registry File Creation in SMB Share",
|
|
"sha256": "0597bc8c77ba3bc0acc1e91426b0c1d17bd1799128e2d8549593007939740fbc",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"a52a9439-d52c-401c-be37-2785235c6547": {
|
|
"rule_name": "Deprecated - Netcat Listener Established Inside A Container",
|
|
"sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
|
|
"rule_name": "CAP_SYS_ADMIN Assigned to Binary",
|
|
"sha256": "4adaecd2293515c5f6c49895be9c4114cc48c7c7231d21c5f7070040c396724c",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
|
|
"rule_name": "Potential Reverse Shell via UDP",
|
|
"sha256": "beeef4982724e59304f296b9d9db1dd7417b9b2a15dd286bce75abf5833adc84",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
|
|
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
|
|
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "21d94406a3d63d314f653dea6624998e6edbfa4446a66522afbd290e43744e4e",
|
|
"type": "new_terms",
|
|
"version": 214
|
|
},
|
|
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
|
|
"rule_name": "Azure Active Directory PowerShell Sign-in",
|
|
"sha256": "25a6223c61eedf1ee2446bc9258d4a0a239ea8cff49147150ff56b04e9526014",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
|
|
"rule_name": "Threat Intel Windows Registry Indicator Match",
|
|
"sha256": "13b8297ead30f89bf1e834ac869dc0d250d9ed0b8604dea85acc5c85584ada84",
|
|
"type": "threat_match",
|
|
"version": 9
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "c26ba77509e14edd7a244af9e057ae5c8ddde527759809d383616b2ad6d1dbb9",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
|
|
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
|
|
"sha256": "7a829aa92921bd6efa6172be1cdfd034abfc510741566956703e5412f91935a5",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
|
|
"rule_name": "Emond Rules Creation or Modification",
|
|
"sha256": "f6db651d781c09513c5a405895ceaf3b0365f2c340923c3dfb7af7aa8094a077",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
|
|
"rule_name": "High Mean of RDP Session Duration",
|
|
"sha256": "366b162a996ea520f1cbed83376ae554313278cf6473bde2325bcce3e66fc4c0",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
|
|
"rule_name": "Suspicious Print Spooler SPL File Created",
|
|
"sha256": "7e536fc3989bef73d2411edbb92974c04d3cc027f95843bd49731c3a42aa5367",
|
|
"type": "eql",
|
|
"version": 116
|
|
},
|
|
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
|
|
"rule_name": "Credential Acquisition via Registry Hive Dumping",
|
|
"sha256": "6a81227e9d0bdc6b5dfa8718dd52f25b2ded9ee3476c28f289aa5a5f2ac132f2",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"a80d96cd-1164-41b3-9852-ef58724be496": {
|
|
"rule_name": "Privileged Docker Container Creation",
|
|
"sha256": "470da7ed5484807dc9d800f3ed4210eef0dacdd8e00575156ea0ffac18e9538c",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
|
|
"rule_name": "Entra ID Device Code Auth with Broker Client",
|
|
"sha256": "c5189ddbe37e93e72ff9216c3153f0562ec061b50945c73c62665f6e8f8d467a",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "5477bb1770d6318e393bcc2afa8bb0beb8c77aa1af475f245c7cb193b9f51338",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
|
|
"rule_name": "Authentication via Unusual PAM Grantor",
|
|
"sha256": "025dcd8142199c93fec069bdc65f1e231918027d198d691ccd38a05407957f92",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
|
|
"rule_name": "Suspicious File Downloaded from Google Drive",
|
|
"sha256": "a986702b7238a13ac729d815815083fad17ac0cb185b211b536aafa325fda726",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
|
|
"rule_name": "High Variance in RDP Session Duration",
|
|
"sha256": "ab11651cb3fb46c70c3fdbf4479abc32ea2fb7d096747443517a1d135615d72c",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": {
|
|
"rule_name": "Unusual Region Name for Okta Privileged Operations Detected",
|
|
"sha256": "c1754fb24018b0b1ad18dda900585a848ef023365ffdb417c9ee87a5e201ac4c",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
|
|
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
|
|
"sha256": "6d2b61ca49fb83244548b46e0063494f2539ce8d11d35efcaa251588131b821a",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "81d1942ffab6ae0133a69e39a646edbdede691809bcbafff2767f9f328c796b0",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
|
|
"rule_name": "Persistence via Hidden Run Key Detected",
|
|
"sha256": "544161a59a89370ab4438a8bd397acb36f3567b1c2af131d5856d084531ea717",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "b03b17a6bc41837d91b2207e76fe08aec227bfb082ba903b23cd1a007cde63c8",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": {
|
|
"rule_name": "Spike in Group Lifecycle Change Events",
|
|
"sha256": "3ab7c41b734b153c7587be53dfc664648e566347fe8811622b4ec7949d802ed9",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"aa8007f0-d1df-49ef-8520-407857594827": {
|
|
"rule_name": "GCP IAM Custom Role Creation",
|
|
"sha256": "aa97f5795e7ab2d0faa239249f1d62103360fb6dbacdd0aabd4f4b4bb16e3be0",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"aa895aea-b69c-4411-b110-8d7599634b30": {
|
|
"rule_name": "System Log File Deletion",
|
|
"sha256": "07fd0c5d1603fe18af061fae98f59ba35a8a12e96adcf5cc2152ec59961bae57",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
|
|
"rule_name": "Remotely Started Services via RPC",
|
|
"sha256": "a4fab962e929045f641696e751146d262d934876aa3bd42a8e4724c004a6e2d9",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
|
|
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
|
|
"sha256": "b3a7cd498fd33ca79fa1c69681eed2d788109c32e03d62a5bebd236cc6300abd",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"aab184d3-72b3-4639-b242-6597c99d8bca": {
|
|
"rule_name": "Threat Intel Hash Indicator Match",
|
|
"sha256": "e2a2498e73e3f61c27758713a85c042b5c136d49093f9f6e33faaf38267ece36",
|
|
"type": "threat_match",
|
|
"version": 10
|
|
},
|
|
"aabdad51-51fb-4a66-9d82-3873e42accb8": {
|
|
"rule_name": "GRUB Configuration Generation through Built-in Utilities",
|
|
"sha256": "b4be41bbc293233c88a0722943fa3afedb97759d9194f86aef9fdc8712cf6b10",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
|
|
"rule_name": "Remote Execution via File Shares",
|
|
"sha256": "1b613902a9aa3ad498f7900c9f46a694be4b4e7e2cfcbfb1da8d53bd0131831e",
|
|
"type": "eql",
|
|
"version": 119
|
|
},
|
|
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
|
|
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
|
|
"sha256": "757b1c1389a22d0a43661670468aaf5f14b82e884b26c8905f5e9c19b20f0259",
|
|
"type": "esql",
|
|
"version": 6
|
|
},
|
|
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
|
|
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
|
"sha256": "f4415dd1ab33127524c8f8e5d3d96559ff08c874c75581ea1f418527b37f297c",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
|
|
"rule_name": "Potential Persistence via Login Hook",
|
|
"sha256": "8817908d1fcc931d10eaa32b81fbcb6a57cbbb8130bf2b99e7f1ded843a88c10",
|
|
"type": "query",
|
|
"version": 111
|
|
},
|
|
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "059547fd67e3b5a221405c2f551459a0e5da4b472574b7b0a9f647824eca93b2",
|
|
"type": "eql",
|
|
"version": 418
|
|
},
|
|
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
|
|
"rule_name": "Git Hook Created or Modified",
|
|
"sha256": "b2c85ef8e404a0de195a17b967494fd57eda1aa70faf91ee8a16e994a013589e",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
|
|
"rule_name": "Outlook Home Page Registry Modification",
|
|
"sha256": "e9af0100dd5e405bec735bd4a058de9c52e7f4715ba7f3d5594024939f5744ae",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
|
|
"rule_name": "WPS Office Exploitation via DLL Hijack",
|
|
"sha256": "1f09c70ccb7bd829212e7f28d45b59ad23a8b162294e57623f186995150eb12a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "22dee7a0dba4259dae807f0636fa682ffa5c2f3fa4a3025aefea153263a89744",
|
|
"type": "machine_learning",
|
|
"version": 211
|
|
},
|
|
"ac8805f6-1e08-406c-962e-3937057fa86f": {
|
|
"rule_name": "Potential Protocol Tunneling via Chisel Server",
|
|
"sha256": "4c30d5d514e885b91c1976da006b1c2b0b6fb8d5c45cda349ea50df43a312f88",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
|
|
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
|
|
"sha256": "3626032cffb8627b180064a9b6073e2f35f82c1c24525227e1a769596da297fe",
|
|
"type": "query",
|
|
"version": 213
|
|
},
|
|
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
|
|
"sha256": "269058c6e89f4b6bc7158aedc2e877924bd1b4c12f2370e52061d34e70314ad5",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
|
|
"rule_name": "Potential Command and Control via Internet Explorer",
|
|
"sha256": "268da22fe3012eb7235a40832d96ae587a9b50ab8bbb40fbf09a44b3912383c7",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
|
|
"rule_name": "Potential macOS SSH Brute Force Detected",
|
|
"sha256": "dd2d6c056560cc33d94c90d31c595af511cc7337acf1609880294a656269fe42",
|
|
"type": "threshold",
|
|
"version": 111
|
|
},
|
|
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "0e892fd6bcef9c6cf7081f8e1038b23eed575c1f75deebe83a933f7b038987bf",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "08722f5e5dd94f6aa3a6b9f961dc93e655489cf429a7bcc8d18387cad4c6ff0d",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "10870b0be6a523545f966558befd0ad3a93708d00bc14db5a1770e6c942a9596",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"ad5a3757-c872-4719-8c72-12d3f08db655": {
|
|
"rule_name": "Openssl Client or Server Activity",
|
|
"sha256": "197affa6066a6076605607d69455f7a36b7d30250c8e3444684a872d59a9f3e3",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": {
|
|
"rule_name": "Decline in host-based traffic",
|
|
"sha256": "2437e732072bc33cbbc5ba0bd9ea39c6556f00672e79ac4e3f3bdc54398e324f",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
|
|
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
|
"sha256": "c73a0960053e36648a945ab8f7cd8431069521c690ad6b90c76f619dd2779fd1",
|
|
"type": "query",
|
|
"version": 215
|
|
},
|
|
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
|
|
"rule_name": "Kerberos Cached Credentials Dumping",
|
|
"sha256": "d5725f7f8e8be780fd21622817a7fba7953922117e6f18da9a72966708dbe4ab",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
|
|
"rule_name": "Suspicious APT Package Manager Execution",
|
|
"sha256": "a5b4fff58ec10241b63897d27655953599e22b8f0be8b6b8df4a941fe7f423a3",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"rule_name": "File Transfer or Listener Established via Netcat",
|
|
"sha256": "def8106673121987611eb73a47a5bdf8f12fd1db3da28561cbcf18fd15935ccd",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
|
|
"rule_name": "Suspicious Communication App Child Process",
|
|
"sha256": "2e3d15a9795d39424cf69ef915f4bfee102eb97d82de899b1efb894591a4b11f",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
|
|
"rule_name": "Suspicious File Creation via Kworker",
|
|
"sha256": "335102af08ae42c73773c0a4bf008d375f9f7e13ced2cd5b35d8c74d71618f43",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
|
|
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
|
|
"sha256": "967c59ea43c5beb353059b127aead53cfc4bb82df6b3deffafa653e4fea554c8",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
|
|
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
|
|
"sha256": "e8b02a425bbf282dd1d25c80a6383823bdb63a6989e939f638f5d2259b8298d8",
|
|
"type": "new_terms",
|
|
"version": 13
|
|
},
|
|
"aeebe561-c338-4118-9924-8cb4e478aa58": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "CrowdStrike External Alerts",
|
|
"sha256": "3ed638538030b56001a17551427ce3c28872dc46cc8d25eaf05b09d40b3973c6",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"af1e36fe-0abd-4463-b5ec-4e276dec0b26": {
|
|
"rule_name": "Linux Telegram API Request",
|
|
"sha256": "6ac91d1a303eaa48227d0640d61daf8090249c5177fec04c8eab7eef3e42a2c6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"af22d970-7106-45b4-b5e3-460d15333727": {
|
|
"rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol",
|
|
"sha256": "c2f5295802a072f58704ecc1fefd7e82f1c0e495c6d850576988c946ac0b99f3",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"afa135c0-a365-43ab-aa35-fd86df314a47": {
|
|
"rule_name": "Unusual User Privilege Enumeration via id",
|
|
"sha256": "b6cb1022de1d8d9cade7586c7b18c5f0226ecd9a0984d2836e2ee3a756644cc3",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"rule_name": "Local Scheduled Task Creation",
|
|
"sha256": "b39882a9dab604277a59054b6df0d7b8110f25764a4dab64f049de9fe081793b",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
|
|
"rule_name": "Network Activity Detected via cat",
|
|
"sha256": "d9d414912ec98ff3ea9ed2d91a6e5322d592eab91245690dd56007f3b0c5d6dc",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
|
|
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
|
|
"sha256": "606f67c60a547a01a67291cb2d5f946b410738bf0fdbd018bf597dd1f8c5873d",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"b0046934-486e-462f-9487-0d4cf9e429c6": {
|
|
"rule_name": "Timestomping using Touch Command",
|
|
"sha256": "8cd68708542a4cb34c49cfef562b9f9ac7b316c4fd0f214987b83317a453530e",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"b00bcd89-000c-4425-b94c-716ef67762f6": {
|
|
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
|
|
"sha256": "1a1342dd0291e3a2607fe7016af4f30658ce19b6c109196a12a2edc9103fbcef",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"b0450411-46e5-46d2-9b35-8b5dd9ba763e": {
|
|
"rule_name": "Potential Denial of Azure OpenAI ML Service",
|
|
"sha256": "c1ef34302dc9874b98d408675be77d3bbd72765a0566a6b19735cd3f44abfcf7",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"b0638186-4f12-48ac-83d2-47e686d08e82": {
|
|
"rule_name": "Netsh Helper DLL",
|
|
"sha256": "a50c04fdc476c71125eea0ba039cb89bf18e557653c7d2c893bd62b964d5d703",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"b07f0fba-0a78-11f0-8311-b66272739ecb": {
|
|
"rule_name": "Unusual Network Connection to Suspicious Web Service",
|
|
"sha256": "fc7f704d5dcc9301e09f1db4409626544ca1a2e150ffe2ee6a7a384bc67bd015",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"b0c98cfb-0745-4513-b6f9-08dddb033490": {
|
|
"rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
|
|
"sha256": "9107236bf5385a208a94f3b3a6934b5e38c8a96c3e94b398a2ca18dfc47a82c6",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"b11116fd-023c-4718-aeb8-fa9d283fc53b": {
|
|
"rule_name": "Kubeconfig File Creation or Modification",
|
|
"sha256": "f2260460d8647af8afd2d4328ff171ce732b4d0c1fc2763c777441f98da0fb53",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
|
|
"rule_name": "Hidden Directory Creation via Unusual Parent",
|
|
"sha256": "0cf427bce0665a9f2c65ff8c2a3e0e55c2def5a3360f8fe744de9f85b85354ac",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b1773d05-f349-45fb-9850-287b8f92f02d": {
|
|
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
|
|
"sha256": "fe2dd63b825311ec149f4abbb7a2b4ac98755b8186de5519e40c46a42669e1c2",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
|
|
"rule_name": "Potential Persistence via Cron Job",
|
|
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
|
|
"rule_name": "Potential Network Share Discovery",
|
|
"sha256": "bb9bb0209d6b77927b4ec4b99c54e1510142c41168681b3eeb06a29054ae1d1c",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
|
|
"rule_name": "Spike in Network Traffic",
|
|
"sha256": "5dbb9eed1f0e10b192dc7c2f72a009a668a5dba1bb5dc8fa0c86326ff2bd145f",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "52aa8a7867e9c06d8ac41bc7e4a521146e2bbbe4c7596ce8c45461962588f3ba",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"b2951150-658f-4a60-832f-a00d1e6c6745": {
|
|
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
|
|
"sha256": "fa4a425c0bc6a57bce5511892d687d7056c4a1ec1e37f8fa0cf7e7cc49baff58",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "5ae46136e4a5238cfa794a88f7f0b05e83998ae1b1211edf89c69ad05cf6b4d0",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"b36c99af-b944-4509-a523-7e0fad275be1": {
|
|
"rule_name": "AWS RDS Snapshot Deleted",
|
|
"sha256": "ade98e7953750dbc98194e18eb9a5c0b009482bdd4291ee0afa7c090646fd8a3",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "663662cad8b04fffd15af7a0863496bc68ba12a9ac0245a2bfdaf1b9c63e284d",
|
|
"type": "eql",
|
|
"version": 319
|
|
},
|
|
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
|
|
"rule_name": "Code Signing Policy Modification Through Built-in tools",
|
|
"sha256": "b39b64612ea429e5a2ed645157eee033df7f908d4e338f5dc7f27ef9f7257b39",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"b4449455-f986-4b5a-82ed-e36b129331f7": {
|
|
"rule_name": "Potential Persistence via Atom Init Script Modification",
|
|
"sha256": "20bfd59b3360c88f5f3e56a5321f9e88ffc3bafa00b215c52a612b5cc107f44c",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"b45ab1d2-712f-4f01-a751-df3826969807": {
|
|
"rule_name": "AWS STS GetSessionToken Abuse",
|
|
"sha256": "1b0a758c075ee9399a3f692c0f6e53fc2cf032cd299391413df45cdcf2935acd",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"b483365c-98a8-40c0-92d8-0458ca25058a": {
|
|
"rule_name": "At.exe Command Lateral Movement",
|
|
"sha256": "d31b85a4a0c3afbb2fa6829eab9297104af0e9d5fb668fe2f19260b5b0303df0",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"rule_name": "Attempt to Delete an Okta Policy",
|
|
"sha256": "774aa21659a63c8b8b6166215078531f5d94fd43b5e2ee37fd411ccca68d5991",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
|
|
"rule_name": "Potential Privilege Escalation via OverlayFS",
|
|
"sha256": "3852b315ecbd762ca27f312ca2ad0f3b674dff45eca735c17f0bdddcd36e9769",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"b53f1d73-150d-484d-8f02-222abeb5d5fa": {
|
|
"rule_name": "Kubernetes Direct API Request via Curl or Wget",
|
|
"sha256": "c6b84606fbf307db29f742b1b75c904b596d3bc7e07acea0e2cd27aa07901c65",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"b5877334-677f-4fb9-86d5-a9721274223b": {
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "1849ec3a92f24a502e0be40851768bf74b4cf3dcc88de15152a1d57fd5f54841",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "c6f479ab0fcd76fd0a3254a67a74547f22840b4bde814cf46af69361e36d4d85",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
|
|
"rule_name": "Systemd Service Started by Unusual Parent Process",
|
|
"sha256": "33a5bc06b041d21ee0e460cbc4b7b9c57fe980dbd46fa3a12c5d52020e95c77c",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
|
|
"rule_name": "Elastic Agent Service Terminated",
|
|
"sha256": "cace3fbd477bee323205aad14d0009b1bec8088cee5451f028fb3ad00c221406",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"b64b183e-1a76-422d-9179-7b389513e74d": {
|
|
"rule_name": "Windows Script Interpreter Executing Process via WMI",
|
|
"sha256": "c81ac4b9460caa3eeca4379f6ccfc4b06e1ee9b8437a5b9c88d91bd1eb0f6860",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
|
|
"rule_name": "Potential Veeam Credential Access Command",
|
|
"sha256": "94d59eb9110fa3146a9b5d7d6c7581e612695b83558cc2f640745f6a2fe1c47b",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
|
|
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
|
|
"sha256": "eccf507bc8d95b170c3c8fe97c0d64f5c18cbd98f12ad13d52942d956fd7fd65",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
|
|
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
|
|
"sha256": "c20f4e4bdce4da9fa9fe698e2c3d65f314e60231c590b8b13be46557ca5f1234",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"rule_name": "Attempt to Deactivate an Okta Policy",
|
|
"sha256": "4cddeb02ca83f5ec2218122735fb4489929a8613f1d7da7bab02a3d2a4a87cdc",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"b7c05aaf-78c2-4558-b069-87fa25973489": {
|
|
"rule_name": "Potential Buffer Overflow Attack Detected",
|
|
"sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3",
|
|
"type": "threshold",
|
|
"version": 4
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"rule_name": "Administrator Privileges Assigned to an Okta Group",
|
|
"sha256": "d5413219e7e19880fd290c1a21c134fc35ace0ab27f8d072b6acb7e98b834264",
|
|
"type": "query",
|
|
"version": 412
|
|
},
|
|
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
|
|
"rule_name": "Linux System Information Discovery",
|
|
"sha256": "0e51d8fc1c57ef36f5bed2d775749f39995b2c2e89418ab876477ebc1ce64d85",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"b8386923-b02c-4b94-986a-d223d9b01f88": {
|
|
"rule_name": "PowerShell Invoke-NinjaCopy script",
|
|
"sha256": "28b59fd0c6722f930f8cfbb4a8df509937160da534828ca69ea127a074375dd0",
|
|
"type": "query",
|
|
"version": 110
|
|
},
|
|
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "5e9c3cd4768e1f8abff71d8323e0a0808368503ce204d18acc448b89e3539f73",
|
|
"type": "eql",
|
|
"version": 415
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "bcdd20128f5b5f6c161154d5df0b9bd8f96456e094845f30e33f1b159aad6694",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
|
|
"rule_name": "Kirbi File Creation",
|
|
"sha256": "f0425912b32267ad405c24d9e2fc4da797b6544d08646645eb230ade605c0b4e",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "e3c26b040bafc31479de3af9ed423b2dfc66a6eb7de0d5ab167a95fc721dcd00",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
|
|
"rule_name": "Chkconfig Service Add",
|
|
"sha256": "a9f1e2ddc383742ca2bbfbe6317f1fa90b10282ac58eb8543572cd9e73d6aaf5",
|
|
"type": "eql",
|
|
"version": 217
|
|
},
|
|
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
|
|
"rule_name": "Discovery of Domain Groups",
|
|
"sha256": "07f4c4c14408aba1ad815ce9007efc2666185fc6b55c84c54f1a916464ad628e",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
|
|
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
|
|
"sha256": "58aea1cb23aecb61ecd0ad28ac516172a01ae3e42abf8d9fbb4ef879b389ee77",
|
|
"type": "threshold",
|
|
"version": 6
|
|
},
|
|
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
|
|
"rule_name": "Group Policy Abuse for Privilege Addition",
|
|
"sha256": "e1354aee6d1923e8a2981bf59472687a27e3af9e89fa81c9d248a652d6f15fce",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
|
|
"sha256": "8f1bd62bb61bee7848a6e524691724c767adbe8165ee94cdb79c7f4613c4b05c",
|
|
"type": "eql",
|
|
"version": 115
|
|
},
|
|
"b9960fef-82c6-4816-befa-44745030e917": {
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "6c98718e177cba9e677d5be51571ab9cd59f1a48d6a9d7d1f9e6267b56b26095",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"b9b14be7-b7f4-4367-9934-81f07d2f63c4": {
|
|
"rule_name": "File Creation by Cups or Foomatic-rip Child",
|
|
"sha256": "143f526bd0e18167439d63966a6ac25d144d92012365d0997d69c839e51ef10b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "8d8e53fbf2a2f3163dfc630866851d9212df2d9741e38c81cf5846fa0e60250a",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
|
|
"rule_name": "AWS STS Role Chaining",
|
|
"sha256": "78203718bf9153ae050ec6e0c41b037e34f6916e09b6cfb0d771158a41500c71",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"ba81c182-4287-489d-af4d-8ae834b06040": {
|
|
"rule_name": "Kernel Driver Load by non-root User",
|
|
"sha256": "e0de96f75ba061b2b8ca296829122cc96979ecc709cb490783ce00afca66730b",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
|
|
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
|
|
"sha256": "090872d47d5a3f1428db18f1e48befbdfce5df0242cd30cca8a1535b18d528e4",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": {
|
|
"rule_name": "AWS SQS Queue Purge",
|
|
"sha256": "3052bde022fcfeb731451236c01c2fef4ac8d50ef65c6b7960980bfd656f3364",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
|
|
"rule_name": "Azure Resource Group Deletion",
|
|
"sha256": "62048f40674f1c836b1909a4b3cfa1a751f1f90c361ac2dd2cb199f9df8af9bb",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "c649c0cdb3dcd615f29d03f6e087ad2e8872b1668bd0e2c0f589166c67be14fa",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
|
|
"rule_name": "OneDrive Malware File Upload",
|
|
"sha256": "df1ec85e66e1f523a7a9ca59dc6f4d25ed12857d67138a2ff5bebeaed6d697bc",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
|
|
"rule_name": "Potential SYN-Based Port Scan Detected",
|
|
"sha256": "352b0d2453ef219a0e530c3488bdd1b9548690c7bc717e3b5fd20a03b2fa88ee",
|
|
"type": "threshold",
|
|
"version": 13
|
|
},
|
|
"bbd1a775-8267-41fa-9232-20e5582596ac": {
|
|
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
|
|
"sha256": "84fbe95bb11a8e9e6057af988a9f5d6db284b01dd57eaf46d6cb39d94276fc8b",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "519788e45f361c3cb6338fc81531cda4b6aa8e9179a53857eef300b9b554633e",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
|
|
"rule_name": "GCP Storage Bucket Deletion",
|
|
"sha256": "342c778ee565abc4c34b4a3a8797de7055cda16677ee2bafffd4887b48d1aa0c",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"bc0fc359-68db-421e-a435-348ced7a7f92": {
|
|
"rule_name": "Potential Privilege Escalation via Enlightenment",
|
|
"sha256": "d8bf7e5a63698244691000196ba249c7936eab2a4eab1772ca5476f3f5322e21",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"bc1eeacf-2972-434f-b782-3a532b100d67": {
|
|
"rule_name": "Attempt to Install Root Certificate",
|
|
"sha256": "7acb4cc8693f671522ac4141af3c6f946771d3534b18f6afef6140a69a1b8a52",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
|
|
"rule_name": "Microsoft Entra ID Conditional Access Policy (CAP) Modified",
|
|
"sha256": "f9f9aa66fd58db8db02bf74b3880b4ac66d09b686d3989aef6c77c96aa50c7f5",
|
|
"type": "new_terms",
|
|
"version": 106
|
|
},
|
|
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
|
|
"rule_name": "Potential Non-Standard Port SSH connection",
|
|
"sha256": "fef5b193575567d22e107ad6435f108f4b3a3f5c1748de6ef0619a8e82d03287",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
|
|
"rule_name": "File and Directory Permissions Modification",
|
|
"sha256": "1229abc2361eeaad582a81ee4da6660075a6f9350b3ed2da734f3651b6d383d5",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
|
|
"rule_name": "GCP Service Account Disabled",
|
|
"sha256": "43fa018ec25c255dc71671253bbb478cd5f5a122e8e5baf6bf52194fa4b2555b",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
|
|
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
|
|
"sha256": "738bdc893bf3d562e861dbdf7a75427c263f7aaca05a2bb682d878ee38c60a5f",
|
|
"type": "query",
|
|
"version": 9
|
|
},
|
|
"bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": {
|
|
"rule_name": "Multiple Microsoft Entra ID Protection Alerts by User Principal",
|
|
"sha256": "0fbdb8e00dba1a4aceb7eb5c70df0824c3d964c15dbf1b26067578febc1ff849",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"bd18f4a3-c4c6-43b9-a1e4-b05e09998110": {
|
|
"rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab",
|
|
"sha256": "08781e94a44a8ebbdbc4ee7a6ba0987dcdc0ec2bf5916aaf83cde1b25a3a4114",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": {
|
|
"rule_name": "Spike in Privileged Command Execution by a User",
|
|
"sha256": "0abbb06b0ea223dd93d5fe72d4038b28733b82fe49397d0f3f46a331b0bd7adb",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"bd2c86a0-8b61-4457-ab38-96943984e889": {
|
|
"rule_name": "PowerShell Keylogging Script",
|
|
"sha256": "c73a950433b021f91b81ca48b37b6ceb4a3c6059cff651352239c63ba488e9bd",
|
|
"type": "query",
|
|
"version": 217
|
|
},
|
|
"bd3d058d-5405-4cee-b890-337f09366ba2": {
|
|
"rule_name": "Potential Defense Evasion via CMSTP.exe",
|
|
"sha256": "ceeb8a74a863b5756a29ed6a9a6224998612c5ec72c4b20afaa84daa0dddbff1",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
|
|
"rule_name": "Suspicious Print Spooler Point and Print DLL",
|
|
"sha256": "86aa1bc737f26987d86809d8f763aff7982e416bef5dc2bbd44444cf72678bf3",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
|
|
"rule_name": "Potential Pspy Process Monitoring Detected",
|
|
"sha256": "fc9306778900b88f24435a61ea59478dd507efa9424d6b0c323513cceefd9cfc",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"bdcf646b-08d4-492c-870a-6c04e3700034": {
|
|
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
|
|
"sha256": "0c4d50e1a11641dcdf4abb79f3356a2149e4888d2c0c36e2d174a692299af0ec",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"bdfaddc4-4438-48b4-bc43-9f5cf8151c46": {
|
|
"rule_name": "Execution via Windows Command Debugging Utility",
|
|
"sha256": "5f00835a9adee4dd9a68ab262fb2d6cd7b32fbbd1331cc6a295e623d98be5d8e",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
|
|
"rule_name": "Host Detected with Suspicious Windows Process(es)",
|
|
"sha256": "7583da02b3461f3c8c23ab008a83a819453635fa8a62df30def1136237e68078",
|
|
"type": "machine_learning",
|
|
"version": 110
|
|
},
|
|
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
|
|
"rule_name": "Unusual Remote File Directory",
|
|
"sha256": "06701c5b78ef2356abadfab4ca53924769a7a007843b2337e6d6cbf16eac8d76",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"be70614d-4295-473c-a953-582aef41c865": {
|
|
"rule_name": "Potential Data Exfiltration Through Curl",
|
|
"sha256": "31ebf7429c5ac254ebc96c3aacc840a37e1600d68aeb0a1162386fe4c962209b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "9528420d04a587758e5eaa1726f14ac0ca1f92c1f939f9ed2d5d86484aa588f7",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
|
|
"rule_name": "AWS RDS DB Instance Restored",
|
|
"sha256": "9eafea55bf73d9efa7281b8e04b71b2411d67ceaa0bd491ce8b7ff8716e4469e",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
|
|
"rule_name": "System Owner/User Discovery Linux",
|
|
"sha256": "d710a490ccacc1fadbdceaa8c0c2415722f542b2167371eddef396d13fd5cf1d",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"bfba5158-1fd6-4937-a205-77d96213b341": {
|
|
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
|
|
"sha256": "f07aa0be2f6927907b2a0cf3a08fffbd806adb3c5bfcc5b8d825a8b68a8e5cb0",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
|
|
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
|
|
"sha256": "40a67d2ab241cbd5ebfe99c7aa5d275edd57de9dfe029fe46a3b3fc90c202e26",
|
|
"type": "eql",
|
|
"version": 218
|
|
},
|
|
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
|
|
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
|
|
"sha256": "3194a97a3ddcdf805d1dd80b9746243334be76e30e2727bac3465ff1ad50b75f",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "4953192d062873314b4f801999d784d7d345b2594beb605d599a5d09325a9805",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
|
|
"rule_name": "AWS IAM Login Profile Added for Root",
|
|
"sha256": "3b617425debc3763357899a4263aa9e971a933de176e492566d0fc6f1c69ba8b",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"c07f7898-5dc3-11f0-9f27-f661ea17fbcd": {
|
|
"rule_name": "Excessive Secret or Key Retrieval from Azure Key Vault",
|
|
"sha256": "2550fd2bc19a2895a1a4280704a7e8295d3071f7f660279906c890a15ebdca97",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
|
|
"rule_name": "Memory Dump File with Unusual Extension",
|
|
"sha256": "9c208b045f8d819107c56a6d07dfab00cbb11c4b5f50381febbaac9d1a06045b",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
|
|
"sha256": "c4fa342fec8bd2d9be3a0170fff08f1850375e0660f459377237bfb23cebe615",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
|
|
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
|
|
"sha256": "c9a7bbb04ccab7586337b2c5014a2d31e6d22110531e1a7be7ff4491245dcdc3",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
|
|
"rule_name": "Suspicious Renaming of ESXI index.html File",
|
|
"sha256": "7d9cc9a951cd23d851d94e65b88177c5dbecc7e760a584e7e9901538e4d48ba5",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"c1812764-0788-470f-8e74-eb4a14d47573": {
|
|
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
|
|
"sha256": "c0276f24b0266c561cc8997162b88cb356376f501ac2d4f463594a3cb9bede84",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"c18975f5-676c-4091-b626-81e8938aa2ee": {
|
|
"rule_name": "Potential RemoteMonologue Attack",
|
|
"sha256": "f6b213b207b6c6bec26cd71b03f0737f031091f4392cb2de1ada95d48a1ed594",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"c1a9ed70-d349-11ef-841c-f661ea17fbcd": {
|
|
"rule_name": "Unusual AWS S3 Object Encryption with SSE-C",
|
|
"sha256": "1fb0a155b09c230d21da5f67b1371127da7b21d7f20eeedf34c8835ccbd6825d",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
|
|
"rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
|
|
"sha256": "11f1ee7c1ed035c393f665b1f4ab40986e184658f4fd2fc8e1013166fc35162e",
|
|
"type": "new_terms",
|
|
"version": 7
|
|
},
|
|
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
|
|
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
|
|
"sha256": "90f4cf252faaaac2dc8deed5c5717b0be78711928ecc299a039b6460196f7be4",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
|
|
"rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
|
|
"sha256": "85e2710c5bac83b3134e7c2720609257a02d708edb281beb58dc59c73e2de482",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "171b64c3655d63c4c9bc56f78576500ad24e42302644e1e342e4c67cffc91e94",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"c28750fa-4092-11f0-aca6-f661ea17fbcd": {
|
|
"rule_name": "BloodHound Suite User-Agents Detected",
|
|
"sha256": "dcb1aa029f3628fdc348daa9e3574a8e482cb7f8645f5f085334c21ed9a070b0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
|
|
"rule_name": "Unusual Linux Network Connection Discovery",
|
|
"sha256": "34592f9549c2e381560c9c9a7a71bbb31090e65c7531ba8336578f4a2af2563e",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"c292fa52-4115-408a-b897-e14f684b3cb7": {
|
|
"rule_name": "Persistence via Folder Action Script",
|
|
"sha256": "415473fa35059a5d07964fed000f16360560c80dac0386baf8227972ac37c2f2",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
|
|
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
|
|
"sha256": "ade96b474e9768ab238966bce7bf5b5bd9756dccb3a1e36f53965027d4c4f781",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"c2d90150-0133-451c-a783-533e736c12d7": {
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "6f3c1e9edde89e9c1fa7f4cec717c23b7fd08815ed56edde594db70cebd5207c",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"rule_name": "Permission Theft - Detected - Elastic Endgame",
|
|
"sha256": "23db8b09fdb9f4b08efb4ad8bcdfde256153602b55b53b81a85fe1273b9664de",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
|
|
"rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
|
|
"sha256": "13e8f259d203e8ed841c1a188f203e99cf912e41cfbc69b898f8b47aba4851de",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"c37ffc64-da75-447e-ad1c-cbc64727b3b8": {
|
|
"rule_name": "Suspicious Usage of bpf_probe_write_user Helper",
|
|
"sha256": "dab0190c570c131c6ca6385702b3060ac5696fcc2544c5d8f28856dc37aaf176",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "57e4a08ffa96452406d4b8eb47338b427e8c0f19c4d9c4b6d555820452c0b984",
|
|
"type": "eql",
|
|
"version": 413
|
|
},
|
|
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
|
|
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
|
|
"sha256": "c353bf8d28c1c9cca5662d7a7a69e0a7229505982746bd0b0be3276fbda1444b",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "fdd1ad3da3e246ada1aaa83d67e8f2b8a887e5f1473d9de6e4a45910ca70e4ad",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "daac0bc012c68171ee7eecaca5a8245783c20db64d1f94bf65beaf3c89bd75fa",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
|
|
"rule_name": "Windows System Network Connections Discovery",
|
|
"sha256": "54953666f891c689614cbee244e6c837541a8003ef5b0ccd0c482029d4f2220a",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"c55badd3-3e61-4292-836f-56209dc8a601": {
|
|
"rule_name": "Attempted Private Key Access",
|
|
"sha256": "e707e3c1a46f94d7499ab0a59780aea166d33755a2683120a0dd1227eaf3df43",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"c5637438-e32d-4bb3-bc13-bd7932b3289f": {
|
|
"rule_name": "Unusual Base64 Encoding/Decoding Activity",
|
|
"sha256": "dd7c4d836b8b90c5b5107cc4889992f11f3c126896601722f08d18234919bd58",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"c5677997-f75b-4cda-b830-a75920514096": {
|
|
"rule_name": "Service Path Modification via sc.exe",
|
|
"sha256": "22e84ad2b75e336fb97f7a6c7a63140dd8f907a4d863e0569c43993bbe498833",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"c57f8579-e2a5-4804-847f-f2732edc5156": {
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "9cdc147e01b3c94e9180516599fa9b5117aacf7c4d90a60e3d6c65a8aca52d66",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
|
|
"rule_name": "GCP Virtual Private Cloud Network Deletion",
|
|
"sha256": "37a8cf43dbd537aa0901deeae2eaf9f766dfce63e61823daae640cd566c4dbb8",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
|
|
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
|
"sha256": "a53e65d2430e3ea2e00f15ea40f9a151c2ea30db22fa0dca97a1936c8b70f192",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "2c5071fe46db0c491dbbe580964a42198e0d9e80cf5e02cb790b52b95aa3346b",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "41d2711d82ae1036c71c33e1e80f65df27a0f498c1f2d93e5864e359920cc5a4",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
|
|
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
|
|
"sha256": "167111eaf58a3bbebd2719d2939ba47beb2bf57e4905de19dcb49e47b08bea57",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"c5fc788c-7576-4a02-b3d6-d2c016eb85a6": {
|
|
"rule_name": "Initramfs Unpacking via unmkinitramfs",
|
|
"sha256": "d66f7adad045a30b59d41f83cd1dbc730ee57dda7679e45d0bd97c387f6d09c2",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "305950cba100ed21b2be7795222a4af5d37fb8e2237f1b3fbcd6a111d76ce8c5",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
|
|
"rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
|
|
"sha256": "99b9962c6c09378b4025d49a579ee99cb8a9ae0277d461ac8296cc86e51c6e49",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
|
|
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
|
|
"sha256": "e626b7b443a5465097d8ff16e1c33ef3355689d803f4557bf453f3236e8ea5c3",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": {
|
|
"rule_name": "Mount Launched Inside a Container",
|
|
"sha256": "b70d58bc345d1ba70e535cce462ea2d31faebcca95549db3920b926825fa7255",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"c749e367-a069-4a73-b1f2-43a3798153ad": {
|
|
"rule_name": "Attempt to Delete an Okta Network Zone",
|
|
"sha256": "c52cfad33cb4e250d22ce58eae016d2063b67a5e56c310c77fd3d68bf7ca8b93",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
|
|
"rule_name": "Attempt to Modify an Okta Application",
|
|
"sha256": "7aba5f4848c54d1dbdf9f339b258ef0b10e8f0ced4be14bbe8731c72fb21c2ae",
|
|
"type": "query",
|
|
"version": 412
|
|
},
|
|
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
|
|
"rule_name": "Egress Connection from Entrypoint in Container",
|
|
"sha256": "42e9722ac4d93da8058d7339bce5729e7be1f0640a409992772f8bd1d510da55",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"c766bc56-fdca-11ef-b194-f661ea17fbcd": {
|
|
"rule_name": "Azure Entra ID Rare App ID for Principal Authentication",
|
|
"sha256": "b069a357cbba00dca4972b1bc58f0c3da9a1a1687241404232ce4bf4d854b05e",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"c7894234-7814-44c2-92a9-f7d851ea246a": {
|
|
"rule_name": "Unusual Network Connection via DllHost",
|
|
"sha256": "3048fb1cb33c9d61e64c57c88bc310c6f76330a531c1a04fc2cbf5fa9a962e53",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "c4d55835405fe3610511a901ceb9705081ef13881c425253b7a329e3aaa9c97d",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "f6c49793b59a31c7cfc0818e0322fc29ca3c4b4faff5f3179af11c94f57ddc41",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
|
|
"rule_name": "Spike in Network Traffic To a Country",
|
|
"sha256": "e11202b80cd04fed8b343ef174236d78a6d5ea6fbbd37a73fb8a9ddc666d4548",
|
|
"type": "machine_learning",
|
|
"version": 108
|
|
},
|
|
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
|
|
"rule_name": "Persistence via Docker Shortcut Modification",
|
|
"sha256": "ab323cd4136ecba4ec4deb2bbe62345240087bafcd8ef51b2651926b6c108c28",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "d78194c7ba5c886a096c1fff2430d0df77ae070b5e1b840daf996fb69e4039f1",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
|
|
"rule_name": "SMB Connections via LOLBin or Untrusted Process",
|
|
"sha256": "014c152133b6e7926869d0bc180327c50123ae2840f113890084f4af3d820118",
|
|
"type": "eql",
|
|
"version": 116
|
|
},
|
|
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
|
|
"rule_name": "Virtual Machine Fingerprinting via Grep",
|
|
"sha256": "4755df4d8fe4221cbf2e2a70a0429b0cdabd6b9d109872751e2563e95e594424",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"rule_name": "Nmap Process Activity",
|
|
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
|
|
"rule_name": "Parent Process PID Spoofing",
|
|
"sha256": "43124466259d6a488d240c7332f55565267d5fc744f9edd5f6f3ce4f3c7bb288",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
|
|
"rule_name": "Potential Linux Ransomware Note Creation Detected",
|
|
"sha256": "13805bcca18f4a2e75fc8d1d38ccbe1cca0b3561aa99259537433ec7d553982e",
|
|
"type": "eql",
|
|
"version": 14
|
|
},
|
|
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "d8df42b3b1ae015ff855bf033f6d9c5600ea1e6fc0a453067fd1db55845d46eb",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "9da89e6e1b0d7df821d52776490f501defca46b4bcdc1466528a3dae99b8cbfd",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
|
|
"rule_name": "Potential Masquerading as Communication Apps",
|
|
"sha256": "e121b0d971bf1150d175b424f345d7bb227f5ecc94ecf2b77c8090e60871fa76",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"c9847fe9-3bed-4e6b-b319-f9956d6dd02a": {
|
|
"rule_name": "Potential Remote Install via MsiExec",
|
|
"sha256": "3ea4b2750fc23762da8a0f57f1cbbb92a984c24550de5eacd33590b75b809f69",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
|
|
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
|
|
"sha256": "cc40f7557b619c20a993ef46dd7b17fa103e74bae9608ccdd499efb61aa5b88f",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"ca3bcacc-9285-4452-a742-5dae77538f61": {
|
|
"rule_name": "Polkit Version Discovery",
|
|
"sha256": "49bd20303da4e0e37be7ce36305b5f7213e7cf7335430f3e87560b634afd6d8a",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
|
|
"sha256": "ccfbf959be4505585582947fce59f69ddb1ed6121e3de0e762ac83d7148ab7cf",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
|
|
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
|
|
"sha256": "62c7199540ac150e45c1a00f4151cb763f421b6664f72d0d6c05eed2593e63b0",
|
|
"type": "eql",
|
|
"version": 13
|
|
},
|
|
"caaa8b78-367c-11f0-beb8-f661ea17fbcd": {
|
|
"rule_name": "Microsoft Entra ID User Reported Suspicious Activity",
|
|
"sha256": "2b26266bf5ae68b193aa06b9346248c70882cafeb1197534177438fc861cf584",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
|
|
"rule_name": "Auditd Login from Forbidden Location",
|
|
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cac91072-d165-11ec-a764-f661ea17fbce": {
|
|
"rule_name": "Abnormal Process ID or Lock File Created",
|
|
"sha256": "335eadb36ce5a4cb271e7c8a40999aeca0de26e7a30743a2d1394eb622800736",
|
|
"type": "new_terms",
|
|
"version": 217
|
|
},
|
|
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "9a77d3bf78caa364a3501dc4041e9ba9e5c3d13e2b3b7aaa5eb6abdaaadfec14",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
|
|
"rule_name": "Suspicious Calendar File Modification",
|
|
"sha256": "c165e516becec15b1c1aa845d2f5d093956b2a7e28df7cb656de4b393ca6a50e",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
|
|
"rule_name": "Attempt to Enable the Root Account",
|
|
"sha256": "1d11314aa3de8e4ec889248829226cc47dcc245b1c1b32bd6d7b81f27312a317",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
|
|
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
|
|
"sha256": "68a4b258c94ca39d7665c16e96829e9165da996e5fd1fb17d5d8acfa3a7ed8e2",
|
|
"type": "esql",
|
|
"version": 307
|
|
},
|
|
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
|
|
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
|
|
"sha256": "cccf8163251c02a31b7641f4b2d35ec23a5878faccdeab0923ab6cc423dfcdaa",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "121726cd64a95f6fae236ff3668a6aa031ca24474771917197adeccf8a133e7a",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
|
|
"rule_name": "GCP Pub/Sub Subscription Deletion",
|
|
"sha256": "925c8d54bd81af668dcd38ad3ea61b8e8d48f40b0db136c69e8ddb6d02698414",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
|
|
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
|
|
"sha256": "ad8b058fbd73eb0d1d35b377a0e40d51bff4555e31e6a3aae172ebaa6c924480",
|
|
"type": "query",
|
|
"version": 414
|
|
},
|
|
"cca64114-fb8b-11ef-86e2-f661ea17fbce": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "Microsoft Entra ID Sign-In Brute Force Activity",
|
|
"sha256": "adba3399e9ec28832fa4a7be8c2d816863e3b08bd97563ece2c7754b1ae1de8e",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
|
|
"rule_name": "Potential Process Herpaderping Attempt",
|
|
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "e5f40a33e82975840bc65f1ac5e0feec696b92cfafff003e9fb617478b68b0f7",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"rule_name": "Socat Process Activity",
|
|
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
|
|
"rule_name": "Anomalous Linux Compiler Activity",
|
|
"sha256": "6e739a1f4016e28fce4154f8593038c7ecf0675e1a1efc95f9e34a304b94a2cc",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "b6645891833507d3a76aa5e2dd6ad549783aab3cb22fe9214c7b38a4f6197620",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
|
|
"rule_name": "Downloaded URL Files",
|
|
"sha256": "4a47b2f5d23fc106e911c3431fc7d04910bf0abfb0acde9b0815898441f17516",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
|
|
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
|
|
"sha256": "ea5c43802417daa4603e8ddd5c129a8c63d3a5fc0bdf6ac8a481e2499dba26db",
|
|
"type": "eql",
|
|
"version": 416
|
|
},
|
|
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
|
|
"rule_name": "Okta User Session Impersonation",
|
|
"sha256": "fd20dd3278688d63cc6c90f2a764d862c712ec3c2bf755f14cd15a06830ed4af",
|
|
"type": "query",
|
|
"version": 414
|
|
},
|
|
"cde1bafa-9f01-4f43-a872-605b678968b0": {
|
|
"rule_name": "Potential PowerShell HackTool Script by Function Names",
|
|
"sha256": "db282c1b5260005aaac9a7be20f9fdf5dfd6193ead99215421700d509c677f57",
|
|
"type": "query",
|
|
"version": 217
|
|
},
|
|
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
|
|
"rule_name": "Shadow File Modification by Unusual Process",
|
|
"sha256": "2d2c354a658c5d2f11bf2d91b4d1958df8527c25d230a67c2fadd1a8b244dd20",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
|
|
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
|
|
"sha256": "4bbc73f19f416d5b74ee9c40f0227d8cc4bcc267f363487cbf60f50aefec9c26",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"ce4a32e5-32aa-47e6-80da-ced6d234387d": {
|
|
"rule_name": "GRUB Configuration File Creation",
|
|
"sha256": "96ab394af122054afbeed0bb0da3dafae275f400d453dd3e236196b1631abce5",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "09087f914a3c126533c0de3158f57d7751d164361f1f81db15d9b3876a3df847",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"ce73954b-a0a4-4f05-b67b-294c500dac77": {
|
|
"rule_name": "Kubernetes Service Account Secret Access",
|
|
"sha256": "f00bff3d84a72a37db67e931a526156360eedf9f6bb3b675cdc2cbcbbd832ad2",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"cf307a5a-d503-44a4-8158-db196d99c9df": {
|
|
"rule_name": "Unusual Kill Signal",
|
|
"sha256": "3ec0dfa1a15b623af1646613da61d639e7869ac53640563588c43aa455c314a2",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
|
|
"rule_name": "Cobalt Strike Command and Control Beacon",
|
|
"sha256": "358f978a2e6f3e446c7216cd749cba581f6d777dd924f3883764e299d4ff4945",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "79a815bfe76e67bc24d51ea9ef619e32bb4055c15b4846ebe777ed42e5c6f1d3",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"cf575427-0839-4c69-a9e6-99fde02606f3": {
|
|
"rule_name": "Unusual Discovery Activity by User",
|
|
"sha256": "dafdfd21513074cd259693095b1481af24714117026e81c38a454cfa19780230",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
|
|
"rule_name": "Trap Signals Execution",
|
|
"sha256": "7defa93d7040e45fe5da03500d982db95b907798ce54c489f4a50685ce1b4217",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "630b88a3364fbe8639133004b3bbe4f833208f2804012fa6a85120ad434c6d85",
|
|
"type": "eql",
|
|
"version": 319
|
|
},
|
|
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
|
|
"rule_name": "Archive File with Unusual Extension",
|
|
"sha256": "b3379c22774ddf7b3ad4cd9061769227cc13b67a811eed8e01aef15ddbb008eb",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
|
|
"rule_name": "Namespace Manipulation Using Unshare",
|
|
"sha256": "bc4923f4b7907e501e61b47a83259d01214ba58b1c9d259ef9d21fe7f1d91d0f",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
|
|
"rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
|
|
"sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "2c64f99b095d83c721adcf4da78d8dbb39c650eff71ecaf8b311d50c750be7ae",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "d3a52256086f20e3515d09e0eecbd462fd3912d7b2d978f5e544bbab87146f22",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"d121f0a8-4875-11f0-bb2b-f661ea17fbcd": {
|
|
"rule_name": "Suspicious ADRS Token Request by Microsoft Auth Broker",
|
|
"sha256": "8179a4ad889fd08bac48d4a08ca1000778e61da70e3d8b4d57a798d2dac36dbc",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
|
|
"rule_name": "Expired or Revoked Driver Loaded",
|
|
"sha256": "11b8167c23291c967fa2a069f2063970f0d8fa874b642503e2b9ce0b1cbc7496",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"d197478e-39f0-4347-a22f-ba654718b148": {
|
|
"rule_name": "Compression DLL Loaded by Unusual Process",
|
|
"sha256": "e460aefe896a4ca7a07b897e1d955f90b2add567d2d43c3a435b632d77a34bc4",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"d19a2399-f8e2-4b10-80d8-a561ce9d24d1": {
|
|
"rule_name": "System Binary Symlink to Suspicious Location",
|
|
"sha256": "028837ec68e3154452c9122c0fa7dc6b373b627d0f76023f661331b07a2b4207",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
|
|
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
|
|
"sha256": "1840ab7f88854100732ae36fafc2ed1b21edec5c873a90b4cbf7774e9bc86cc8",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
|
|
"rule_name": "Potential Microsoft Office Sandbox Evasion",
|
|
"sha256": "429422145532225bd65534fedd80e071ba1dafca49a047729750299bfe3d4af9",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"d2703b82-f92c-4489-a4a7-62aa29a62542": {
|
|
"rule_name": "Unusual Region Name for Windows Privileged Operations Detected",
|
|
"sha256": "4a27a3971ab4ac2abd8929f07178a8052f887401d8443d1e1f49f090638b2f20",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "4afd57a339d41912ae7ad833a7198061d9c2c8b8d84ef2755fe3994daabfa5c3",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "337b782d00948e278a7de8caa6d63586734531851be789d1189ac9b8e2a3ce00",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
|
|
"rule_name": "Remote Windows Service Installed",
|
|
"sha256": "d05c97e9b3814e844935fbf51f404612cc2804727f453e86be0991e9c4b75d89",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"d3551433-782f-4e22-bbea-c816af2d41c6": {
|
|
"rule_name": "WMI WBEMTEST Utility Execution",
|
|
"sha256": "51c7d5aa91a02787b7a35cb450939619d0c1ce259e63a6fb6071f939b1b10e98",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"d3b6222f-537e-4b84-956a-3ebae2dcf811": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "Splunk External Alerts",
|
|
"sha256": "f378f24577665171fd3b33d5b1172def6d1fa3fa89da6e34e50c43d6f969e922",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"d43f2b43-02a1-4219-8ce9-10929a32a618": {
|
|
"rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
|
|
"sha256": "d390cfde7a98a3e21ba61d850694e7bef67c2b67e530d666f3bfa33f8965c37b",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
|
|
"rule_name": "Shell Execution via Apple Scripting",
|
|
"sha256": "2527c4142d94796d2b6a29956710c8e839a75d3f11fd53b71390789e00214068",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"d488f026-7907-4f56-ad51-742feb3db01c": {
|
|
"rule_name": "AWS S3 Bucket Replicated to Another Account",
|
|
"sha256": "064253e65c01b23e75a16fd16708b2a3f9ecdd7da6ff9823f13d37e081416990",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
|
|
"rule_name": "Attempt to Delete an Okta Application",
|
|
"sha256": "55dcaf216c136ee36ab1a0795a0eac62cc5934afc12bf9c3aa62d375c85478ae",
|
|
"type": "query",
|
|
"version": 412
|
|
},
|
|
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "f8132f6b4f1aa63e9d8e5d21d90394f93a1b56d7bf48aee2bb0c885b3549587b",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
|
|
"rule_name": "Unusual Linux System Information Discovery Activity",
|
|
"sha256": "6627f591ca6d6b6c00b13706a2d600da692be5dda59b7cc6c0e071c43106075d",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
|
|
"rule_name": "Unusual Source IP for a User to Logon from",
|
|
"sha256": "0f5821323d386dee70029098f8d95f174c2b5cd85f465e9f17f90766c6facbe7",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
|
|
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
|
|
"sha256": "bc003783fe3506922f895e6105751e9ab1aa1d7154786e219f1ac901a765e8a5",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
|
|
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
|
|
"sha256": "313e75346c7d3349ecbb84c84b065b402bf8d3c9e57f50e701d744a28b05116b",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"d55abdfb-5384-402b-add4-6c401501b0c3": {
|
|
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
|
|
"sha256": "274dc56a6e1e3f97442ae5bfcd16d363d4283ea38f6abb9190081c4f7d31f8f2",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "7494f21c1a6239837a702192482b3b6e108643fa3a163d51904e903ef6c1a780",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
|
|
"rule_name": "Attempt to Delete an Okta Policy Rule",
|
|
"sha256": "bb64864ae4182c5c20617d0c144142f701fef1633a31bec20e5d737717157f13",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "2a32aeadc451efbdde9e929bbcf28e8a11e5c007b9b33dd0b853ad20943cd907",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
|
|
"rule_name": "Unusual DPKG Execution",
|
|
"sha256": "bdb2722b4597c3a56b5312c3cb7ad1f281321aa8443aa2413578b8d6dc424442",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
|
|
"rule_name": "AWS CloudWatch Log Stream Deletion",
|
|
"sha256": "c8ca9e0f7a8d6a667611e4ea04a1927f56648643a3220e1fcdd8f4f18205ae0d",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
|
|
"rule_name": "GCP Pub/Sub Subscription Creation",
|
|
"sha256": "8efda573b2a1bac665b991f72ec074f93082501d2f067f80ad8faf6f686205bf",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"rule_name": "Strace Process Activity",
|
|
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
|
|
"rule_name": "System Information Discovery via Windows Command Shell",
|
|
"sha256": "a12f6445936ab83bfae7520bc8f1d544d357ae58d9fca890908ee6320fefb81b",
|
|
"type": "eql",
|
|
"version": 118
|
|
},
|
|
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
|
|
"sha256": "0416051be984b76575942a41dba2e5038335b98534b59f159dd480f86e00d5b7",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
|
|
"rule_name": "Modification of WDigest Security Provider",
|
|
"sha256": "da6d7bf15db5db69aa929b79b5115b96859594a01abbce0973d1d41785cc4af2",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "0fa5e6c2ae95f0dfa6d132058644c70bac38f08a2148bf5eb9b6a26dd7ceaf09",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
|
|
"sha256": "c47e0bdc9026233414e6ebfab9c9f27bf71e8f984cc7ce4db16e0351170afc92",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"d74d6506-427a-4790-b170-0c2a6ddac799": {
|
|
"rule_name": "Suspicious Memory grep Activity",
|
|
"sha256": "692ebc78fd4d1dd739b1be2023750c2a11af071d87bcb2cf71aa74d6ebcbe5f8",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
|
|
"rule_name": "SystemKey Access via Command Line",
|
|
"sha256": "f8b1d74f08a045a33b10594b57edfd3f20896d97c6a7c6d78e4ad772596b160a",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"d76b02ef-fc95-4001-9297-01cb7412232f": {
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "e2662750dcf69fb38c837157322791850596f6f8bbffec445ee13e69118a2165",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
|
|
"rule_name": "Python Site or User Customize File Creation",
|
|
"sha256": "4b3a053c8caeca2a1bd34ac1c472b5a915029448a8d37e95ddec0e407343489a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
|
|
"rule_name": "Azure Blob Permissions Modification",
|
|
"sha256": "dbdfaddc8a09d1b2990a03398c6310dfe53f3d98450e012aafbefad9035e85ca",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
|
|
"rule_name": "Spike in Logon Events",
|
|
"sha256": "354592452a896e760a771da189694898283fef283e30b4cd3fc4d2c8f0deaf52",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "81ffd7a87b123f53ba5a055652cd67738c4cfda70d52d8a9ef566f06d240ce9d",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"d84a11c0-eb12-4e7d-8a0a-718e38351e29": {
|
|
"rule_name": "Potential Machine Account Relay Attack via SMB",
|
|
"sha256": "6f4aee34c8f0feb976f365d1cd5bdf3e176e9989cd95d28708daeab47a106a7b",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
|
|
"rule_name": "Untrusted Driver Loaded",
|
|
"sha256": "fefd28d4a5e4cbad93ef34c95fce341b58293c0d2c1b4ede0b99b541b64c82bb",
|
|
"type": "eql",
|
|
"version": 12
|
|
},
|
|
"d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": {
|
|
"rule_name": "Potential REMCOS Trojan Execution",
|
|
"sha256": "5edbe0cfcce77f5741297489ab7cd3d0b6fbc30eff4c47b9695617e90a279504",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
|
|
"rule_name": "AWS IAM Deactivation of MFA Device",
|
|
"sha256": "e3aa8dd0f5cf3941fcbd532ba48689e04c30276c78f3c8eb76b4a025c1f0ed4a",
|
|
"type": "query",
|
|
"version": 212
|
|
},
|
|
"d93e61db-82d6-4095-99aa-714988118064": {
|
|
"rule_name": "NTDS Dump via Wbadmin",
|
|
"sha256": "9e5b0489fe8d9d7ae6f525d392c077eeba531a182940f9c7e2e8647bb2dd4cec",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "9550d120744ff92d7f4104b60b380d0debc4c6bd9a3171d48966998a5dd48226",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"d9faf1ba-a216-4c29-b8e0-a05a9d14b027": {
|
|
"rule_name": "Sensitive Files Compression Inside A Container",
|
|
"sha256": "ff3ef0bc9e4097dcbb81416d6a097b0c47ca91fbc0a867eea9a2db2921b54374",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
|
|
"rule_name": "Suspicious Windows Command Shell Arguments",
|
|
"sha256": "aff7d38b73a0e95e989acef5b99c298a4ee9a1cb09ef6eb7a3eda510ac03edcd",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"da0d4bae-33ee-11f0-a59f-f661ea17fbcd": {
|
|
"rule_name": "Microsoft Entra ID Protection - Risk Detections",
|
|
"sha256": "9b9497a3de9a58ad095e62964a8a2805cd52f9730e7907d236978486f7068bd6",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
|
|
"rule_name": "Code Signing Policy Modification Through Registry",
|
|
"sha256": "de90093e93bac48091417fa26435ce13733ef66d348b2ee5fcbe5c2ca5699a20",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
|
|
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
|
|
"sha256": "0ff9609987d9a6de247a349ff8e4b707f3c7580c7470faffdbac5d115c8e7307",
|
|
"type": "query",
|
|
"version": 8
|
|
},
|
|
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
|
|
"rule_name": "Suspicious Service was Installed in the System",
|
|
"sha256": "d87984a4fd5aa1c5d1ea8076be15a52f8f7a0464a3b2b3127ea8a86c9a1274bb",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
|
|
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
|
|
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
|
|
"sha256": "a870ddcacfd1e7bd5be05da72321e3e4bd47cc425834ebb71582d0504694ff7d",
|
|
"type": "new_terms",
|
|
"version": 110
|
|
},
|
|
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
|
|
"rule_name": "Entra ID MFA Disabled for User",
|
|
"sha256": "d9319ceb9da40cec88c21a7d267fdb0cb63da883fbf7f093b124f8ccb2566f39",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
|
|
"rule_name": "Network-Level Authentication (NLA) Disabled",
|
|
"sha256": "e8a375d2c92b79dbedd319eb4d79fe9a66efc3263210f4b629ec811cb642db64",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
|
|
"rule_name": "Execution via Windows Subsystem for Linux",
|
|
"sha256": "ed9f706184fc5034e51bb0a6bee7ee427e2f4a69479c5d6d7a813a3e26977c55",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
|
|
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
|
|
"sha256": "a78cb90c7f0afb001831e03cd16a5cb52e24282352980bd0daf83fa50fbc9119",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
|
|
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
|
|
"sha256": "3a8aed0a9da02da21bf139753eca6aee32b97dda70c20fe444dad24939555813",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"dc61f382-dc0c-4cc0-a845-069f2a071704": {
|
|
"rule_name": "Git Hook Command Execution",
|
|
"sha256": "65bbcb037340b4e176c19b00b45ad4bdbfc83122c4bde2cdf9eefa592ebc5d81",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
|
|
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
|
|
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
|
|
"type": "threat_match",
|
|
"version": 100
|
|
},
|
|
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
|
|
"rule_name": "Potential Hidden Process via Mount Hidepid",
|
|
"sha256": "5bddd708e899f914971ab1ad7a255485a1467e2c73db7ec326ce6d068dc1cffe",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"dc765fb2-0c99-4e57-8c11-dafdf1992b66": {
|
|
"rule_name": "Dracut Module Creation",
|
|
"sha256": "473813be6a8d584e832d277860d734cda4124b558e411ce15ddd838a61d75e3a",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "568324dbf93bcb87f147152b79e01102b76bcd7b14fe051242a4ce8faa280f64",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"dca28dee-c999-400f-b640-50a081cc0fd1": {
|
|
"rule_name": "Unusual Country For an AWS Command",
|
|
"sha256": "1deeb5c156dc053b7a9d4898334185233e3078a2d6669323b32bc24dd35eaeb1",
|
|
"type": "machine_learning",
|
|
"version": 211
|
|
},
|
|
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
|
|
"rule_name": "Suspicious Execution from INET Cache",
|
|
"sha256": "9d191d331a016f26d74e6a8ff918ea6da71312840a3f8c9a1bcad323ad7cfcd8",
|
|
"type": "eql",
|
|
"version": 209
|
|
},
|
|
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
|
|
"rule_name": "Attempt to Install Kali Linux via WSL",
|
|
"sha256": "ab7d16c803fc15c77dc6801a94c2476e64591720f62dd9bcc56d4896f4b14a6e",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"dd52d45a-4602-4195-9018-ebe0f219c273": {
|
|
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
|
|
"sha256": "5aa0d32e4a0ffbcae071156d362a0f7d6ed69d48c9d95323831ed679f841313f",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
|
|
"rule_name": "Reverse Shell Created via Named Pipe",
|
|
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"dd983e79-22e8-44d1-9173-d57dba514cac": {
|
|
"rule_name": "Docker Socket Enumeration",
|
|
"sha256": "c45fe634f0d45fb6a0a55a3972b3d9f2bc7d2d5483a2b2a48cfd4523f61d4c0e",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "1216996a5132262ba297122d42364ea18a50edcf869b1069489c8a412c0adb3d",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
|
|
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
|
|
"sha256": "22beec2712ccc6324db5a12c0229a5dbf1dfa203f5f40cdc2b8252829c11635b",
|
|
"type": "esql",
|
|
"version": 6
|
|
},
|
|
"ddf26e25-3e30-42b2-92db-bde8eb82ad67": {
|
|
"rule_name": "File Creation in /var/log via Suspicious Process",
|
|
"sha256": "de3213512466504ceeb6f647d621e99c20c97e611635b24da26b508e4494ee12",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"de67f85e-2d43-11f0-b8c9-f661ea17fbcc": {
|
|
"rule_name": "Multiple Microsoft 365 User Account Lockouts in Short Time Window",
|
|
"sha256": "ca98f8ea3fc4b67ca5e90368d8b612d8c39cac92eaca37990c521b7069a2f954",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "84d467b82d0972b0fd22be0fc6fa605093b59f4f5daddf51446d9c5ed62aac35",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "11e7bca2df8c406f051e6c3c38f1f9802ea408520f16bdb9539f14d99a45a324",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
|
|
"rule_name": "Query Registry using Built-in Tools",
|
|
"sha256": "c565926c3852c56892fb0501188df9bc15a1e1513cf40aad90ba10370499a8fd",
|
|
"type": "new_terms",
|
|
"version": 108
|
|
},
|
|
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
|
|
"rule_name": "First Time Seen Driver Loaded",
|
|
"sha256": "22276ed48570dff5dd0abb9dcb47a087657cc6232ec63597dc0e0b26c49c722e",
|
|
"type": "new_terms",
|
|
"version": 11
|
|
},
|
|
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "de5473b7189c06de5ae65d7300a87f99bc1f61cf9d84b7376eec6c9d45d247d8",
|
|
"type": "machine_learning",
|
|
"version": 209
|
|
},
|
|
"df26fd74-1baa-4479-b42e-48da84642330": {
|
|
"rule_name": "Azure Automation Account Created",
|
|
"sha256": "4f0694f6915be4e12d3acfdab889d2380d498da6348900f67f5a38db30532aa6",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
|
|
"rule_name": "Dynamic Linker Copy",
|
|
"sha256": "42860eba59ef37c5a7714b7f8c654280f21c7f5845d723c05afbf8ccd169c065",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "4b95619d1fc7907067fd8e87ab4ba3d92d9b9febf9f8aa235c1cdb9dfeba3a0c",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
|
|
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
|
|
"sha256": "3425a710a5f13c4e30c9c4037a965992ccc0a30a688df68fece4052ac7458c30",
|
|
"type": "esql",
|
|
"version": 6
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
|
|
"rule_name": "Potential privilege escalation via CVE-2022-38028",
|
|
"sha256": "28291ea5acbadc2b2f130aa01a4f9e6aa7a20a78a50c745da103073bf77febd3",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"e00b8d49-632f-4dc6-94a5-76153a481915": {
|
|
"rule_name": "Delayed Execution via Ping",
|
|
"sha256": "226677e1709879f6b2147b84a49d59c0c57872bb5c235328d36a7ba37936b95c",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
|
|
"rule_name": "Azure Firewall Policy Deletion",
|
|
"sha256": "42e48198f8b26b3e57b05ecc60bdf53e46ab08c58473d723d49db78f2fdd94e2",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
|
|
"rule_name": "KRBTGT Delegation Backdoor",
|
|
"sha256": "e270e0e1700c99711e2486f32ab1bbb235361809584a1bcfcb581d435deed4d3",
|
|
"type": "eql",
|
|
"version": 212
|
|
},
|
|
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
|
|
"rule_name": "System Service Discovery through built-in Windows Utilities",
|
|
"sha256": "195810999d692a264487a0970e97da0f521ce8bc8d06f0090e57df435c5ad140",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "6895c9fbae5168b04623118fd5fc7fd437115a39af78dc23169e7b1ec667b959",
|
|
"type": "threshold",
|
|
"version": 415
|
|
},
|
|
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
|
|
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
|
|
"sha256": "9e03255feb69b64b7cbc7c7e77fae425459eb525081699a31b97c10b5d6b8fdd",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
|
|
"rule_name": "Whitespace Padding in Process Command Line",
|
|
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e0f36de1-0342-453d-95a9-a068b257b053": {
|
|
"rule_name": "Azure Event Hub Deletion",
|
|
"sha256": "800e1a1e0a33c02543c0bf4f625a00e9961aa734a5b7c1035089fd0ae500b42b",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
|
|
"rule_name": "AWS Route Table Created",
|
|
"sha256": "21e51c5933809c4bf21ab2a879c7027d6c01e1307debe33424cde70529d1c818",
|
|
"type": "query",
|
|
"version": 210
|
|
},
|
|
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
|
|
"rule_name": "AWS RDS Cluster Creation",
|
|
"sha256": "199d95361bbf6c018bb0e558d1b63018238e839471c8177bdc66e64a61100701",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "a1910897d15a203cddcec4d1a270510a38981a04a42079a0d911c1cc7536790b",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"e1db8899-97c1-4851-8993-3a3265353601": {
|
|
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
|
|
"sha256": "1865ab89709d91f25e6761fe52e410b8cf0fe12c7ab1a66b8cff245fe6fe65ca",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"e2258f48-ba75-4248-951b-7c885edf18c2": {
|
|
"rule_name": "Suspicious Mining Process Creation Event",
|
|
"sha256": "c54c6c40d874a0b789698f1093d0b8246319ec9d49cd23b1c65e5b661b7d8fa4",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
|
|
"rule_name": "Spike in Successful Logon Events from a Source IP",
|
|
"sha256": "797e8be045b28198233988299f917efbbbeab83acaef08795d0a7b3a8f56533f",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "030ebc3173772db7df46d78fb8e17ab8542bfbbb95507a0854746d3c1170b41e",
|
|
"type": "query",
|
|
"version": 320
|
|
},
|
|
"e28b8093-833b-4eda-b877-0873d134cf3c": {
|
|
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
|
|
"sha256": "801cfd83c26828c9f719d1ea90a53993c9d1dcfbd2a175139603607d7b04ae27",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
|
|
"rule_name": "Suspicious pbpaste High Volume Activity",
|
|
"sha256": "39bd466dd0e2510cef75410efa33adfc11e78fe35175353653b4d3b314783d1e",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
|
|
"rule_name": "AWS Management Console Root Login",
|
|
"sha256": "55a1881c70b22e2d80c9d0b37c8ec78fab97cdee6442c7362d75b9479ad0335a",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
|
|
"rule_name": "System Network Connections Discovery",
|
|
"sha256": "3dd4e90ad2b5fb72a18ee8a2d10591fc8e7b49e7ab4c2b854762cfc2fdf7c6d7",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
|
|
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
|
|
"sha256": "e74a4c87a553413bb19d44ccacdd456c854985a1e328bf286519ec5247e28877",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "c5dd1640be638638d42328b63e8b36a12443ad1dead6923ba13d075ad7d13001",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
|
|
"rule_name": "GCP IAM Role Deletion",
|
|
"sha256": "1ec9e881d24cff075f684cd8fa0e526d97adbdeb15c05ac277f081cd676acc07",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"e302e6c3-448c-4243-8d9b-d41da70db582": {
|
|
"rule_name": "Potential Data Splitting Detected",
|
|
"sha256": "76faf80f5cdf07d496e0ea08d2b823ad6fbd14494b1d9e965089cf547430c57b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "280fe85dbda49421337ee3e0acbe259db72a41d7fe3a0824a6d5c47ab39ece79",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"e3bd85e9-7aff-46eb-b60e-20dfc9020d98": {
|
|
"rule_name": "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties",
|
|
"sha256": "d011d06d89477c177cb71e91bd2d73e91b3c5c4a3e7fe988dce024030d9cc410",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"e3c27562-709a-42bd-82f2-3ed926cced19": {
|
|
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
|
|
"sha256": "62b824699c2098388d66fdbbe0b8767b5bc602e55a375c10a712423a64f53a8c",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
|
|
"rule_name": "Ransomware - Prevented - Elastic Endgame",
|
|
"sha256": "6c528e2eaa2548c187927e68a1378a8ae0983ad6786b4c4ea83f5f2791f614ea",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
|
|
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
|
"sha256": "d0808046d0f021cc86ee33c736a3ec4929823a4b898788c98aea846d1d7326d1",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
|
|
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
|
|
"sha256": "13d4a3214a19301f3525b71a5b1c3765390e49352f1c76d05986a94a934a477f",
|
|
"type": "eql",
|
|
"version": 218
|
|
},
|
|
"e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "SentinelOne Threat External Alerts",
|
|
"sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
|
|
"rule_name": "First Time Seen NewCredentials Logon Process",
|
|
"sha256": "1427e75700829bf8f8c5f393c446556c02e5016d04293bca9c2112a6d88fc352",
|
|
"type": "new_terms",
|
|
"version": 110
|
|
},
|
|
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
|
|
"rule_name": "Attempt to Modify an Okta Network Zone",
|
|
"sha256": "0fe269bb97bcb2fd0169410d29766dd6d5f9d7c0cb45606460e173d3a8122c76",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
|
|
"rule_name": "Service Creation via Local Kerberos Authentication",
|
|
"sha256": "8f1176d071d6759c4a89f90193579fb940d5c2b767be018711f7752b1a1538c5",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"e4feea34-3b62-4c83-b77f-018fbef48c00": {
|
|
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
|
|
"sha256": "195e7f1886c5d2751b910842bf6240791cd9b1a9fe1d045d75dff4bdcba28cc0",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
|
|
"rule_name": "Kerberos Pre-authentication Disabled for User",
|
|
"sha256": "33eb3aeb5b3dd4bea1245d0a515df9229d87de7f2c0ec19e04d60911f451099b",
|
|
"type": "eql",
|
|
"version": 217
|
|
},
|
|
"e516bf56-d51b-43e8-91ec-9e276331f433": {
|
|
"rule_name": "Network Activity to a Suspicious Top Level Domain",
|
|
"sha256": "80233c232a063297a6d2d98af570a6f67133069809ce4ac8b5bb2d49e1ff9b59",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "8d84f71e1bd9d53371b05b590f59d4d7625f35ddc50596b9e85358d04a9ea3d6",
|
|
"type": "query",
|
|
"version": 208
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
|
|
"rule_name": "Bash Shell Profile Modification",
|
|
"sha256": "4b93021ac5d8686bc5f155be1e7258aedf5678b43ef0ad7b469db88b80e4e0a3",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
|
|
"rule_name": "Authorization Plugin Modification",
|
|
"sha256": "744d55b2624acf5063085463e8c93573a6bd166726891c49518a7e0f876c9506",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "b21e24b57dbe58161fb421ca64574bc8e25b38423b8b0522e7245c63e7482a0b",
|
|
"type": "query",
|
|
"version": 412
|
|
},
|
|
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
|
|
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
|
|
"sha256": "3f5eaac76da3b4b7c5d8d535d0176d7838894c7e60cf0c23bfc833dd1f9a07be",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"e7075e8d-a966-458e-a183-85cd331af255": {
|
|
"rule_name": "Default Cobalt Strike Team Server Certificate",
|
|
"sha256": "04bf3e29bdae001d0d6e5252b2e7ffe48bf3768f072adbeb9f4a138613d1a911",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
|
|
"rule_name": "Potential Credential Access via Memory Dump File Creation",
|
|
"sha256": "22885ae14d09906f786705183a0dfa366fb542f4048dbe5e5b30dc12c0ac3e22",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
|
|
"rule_name": "Execution of Persistent Suspicious Program",
|
|
"sha256": "b115ce618bac0c40e2c9a0017d3c755ba486d73979b049d7abae7e6bfe172fd6",
|
|
"type": "eql",
|
|
"version": 210
|
|
},
|
|
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
|
|
"rule_name": "Suspicious WMI Event Subscription Created",
|
|
"sha256": "9c93aeec24059f67b5818ecca56f9e895e131405830338493251cb0e0658c8e3",
|
|
"type": "eql",
|
|
"version": 310
|
|
},
|
|
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
|
|
"rule_name": "Potential Windows Session Hijacking via CcmExec",
|
|
"sha256": "f0d0dfaf215a9c74db6e276efa561707f2c059d3035cf81463cbaac81b4827ca",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
|
|
"rule_name": "Unusual Process For MSSQL Service Accounts",
|
|
"sha256": "467937da7cc714e1f6a0386a8944592cc48e2285f954a8f9c601ff715c8c0209",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
|
|
"rule_name": "Unusual Execution via Microsoft Common Console File",
|
|
"sha256": "5fcd64c31ca352a24eb4c4f4c9621e1a36cf309181f8767686ccaae96169317b",
|
|
"type": "eql",
|
|
"version": 204
|
|
},
|
|
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
|
|
"rule_name": "Potential Linux Credential Dumping via Unshadow",
|
|
"sha256": "3aca2105c458bbfaa83be2b2cd7a431bd425af9aebd330e7f82d21b808f38310",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"e7cd5982-17c8-4959-874c-633acde7d426": {
|
|
"rule_name": "AWS EC2 Route Table Modified or Deleted",
|
|
"sha256": "06d2351adcbe53c22f6391cb5d9f67194f4a07a82458392a9cf41a83e60d136f",
|
|
"type": "new_terms",
|
|
"version": 210
|
|
},
|
|
"e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
|
|
"rule_name": "Network Connection by Cups or Foomatic-rip Child",
|
|
"sha256": "0d70a846b5231fa5055bd8dab47d27adc7650f6ea92664b759685a8cff6e619c",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
|
|
"rule_name": "Service Control Spawned via Script Interpreter",
|
|
"sha256": "2f9cf61e66c50847a30dfde7b4a3bbf289e90674920e25039f08a8953eb1eace",
|
|
"type": "eql",
|
|
"version": 217
|
|
},
|
|
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "8f41ce2cba95e21cdd0446de79cfee143daa1fac5ca9af0a52476dc70dda83e4",
|
|
"type": "eql",
|
|
"version": 313
|
|
},
|
|
"e882e934-2aaa-11f0-8272-f661ea17fbcc": {
|
|
"rule_name": "Suspicious Email Access by First-Party Application via Microsoft Graph",
|
|
"sha256": "86ff54b665e83cd9f3393f348b5867905d4f8c0479c8d2ba5c6a3f21800bbc3d",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
|
|
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
|
|
"sha256": "570f50040e4c5830eda8d9d4d63e5472233a96b0aac24dcd32a887779944a110",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
|
|
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
|
|
"sha256": "2003d958b29954da3cb96a7ad03e4c29122f3cdde583ac4052f5f20d5b1e8608",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"e8ea6f58-0040-11f0-a243-f661ea17fbcd": {
|
|
"rule_name": "AWS DynamoDB Table Exported to S3",
|
|
"sha256": "cbcdba95167e3fe5aedb626c9e00fcde6ef078a991ce7489ab9502dc94e23b81",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
|
|
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
|
|
"sha256": "688b7adb62529e2e7f39448703ae06efd7fae950091dbeaa3e22fc9da1539a01",
|
|
"type": "new_terms",
|
|
"version": 110
|
|
},
|
|
"e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
|
|
"rule_name": "Potential PowerShell Obfuscation via String Reordering",
|
|
"sha256": "40bf0892c2068fff5e2b61f79cb7b0eedd5aaaa6193bd39a6eb188ef6184aac3",
|
|
"type": "esql",
|
|
"version": 6
|
|
},
|
|
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "cd48b966ef0a6d90372a5d1bea8755963aa907f83d7e62adacbb43d77280b961",
|
|
"type": "threshold",
|
|
"version": 415
|
|
},
|
|
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
|
|
"rule_name": "AWS EC2 VM Export Failure",
|
|
"sha256": "1d3ae981d88e6e54b6ca5ba74e9b97a58f4f9b3bea622a875c9d661eaf38148c",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
|
|
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
|
|
"sha256": "3972b1d0f6ef586df99e20db1f8a7b5f3e92843225a0ead8bdfb2bfda5096834",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "d0d79e029dbc2c30f3d6e94335597e07feda824c2751b442c658b9aa9867d635",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
|
|
"rule_name": "Potential LSA Authentication Package Abuse",
|
|
"sha256": "ae65f0070012be05d928e6b1ac86c345635c083d43d2d847b0ce313aa91a6787",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
|
|
"rule_name": "Spike in Remote File Transfers",
|
|
"sha256": "975b13f7e3596d2d2ea7620626795e49aed292a53d358ee3efc1f7f1ef347e34",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
|
|
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
|
|
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
|
|
"rule_name": "Azure Automation Webhook Created",
|
|
"sha256": "132acebd87cb9552387b84f1aa1baa19ee8d8774be9865a6ce9c28e9ec61ba9f",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
|
|
"rule_name": "Unusual Process Spawned by a Parent Process",
|
|
"sha256": "d05c4f87423f7e7375d862028b9f83a9a3ebb9175e51a3de0db0f4b8e983ecda",
|
|
"type": "machine_learning",
|
|
"version": 110
|
|
},
|
|
"ea248a02-bc47-4043-8e94-2885b19b2636": {
|
|
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
|
"sha256": "cc2ff222226e52b4e5328e06189bf9e8e8888b2ffce285254bfe1ad99938251a",
|
|
"type": "threshold",
|
|
"version": 212
|
|
},
|
|
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
|
|
"rule_name": "Spike in Firewall Denies",
|
|
"sha256": "64375b8122d8cb9d91710468df616731c22eafab3c95b0ae6238cd55db970ddc",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
|
|
"rule_name": "Suspicious APT Package Manager Network Connection",
|
|
"sha256": "e2246fc5b8f5e819e3366a7d1b3d07492cd0e6a8846be5e3fdb139003846d0bd",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
|
|
"rule_name": "External Alerts",
|
|
"sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"eb44611f-62a8-4036-a5ef-587098be6c43": {
|
|
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
|
|
"sha256": "10eb0280947ec17c29778c035e83012e6e2f0fea9e7d7515426d242db9fbcf1f",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
|
|
"rule_name": "PowerShell Kerberos Ticket Request",
|
|
"sha256": "f80f86cf2a5809c248da43094b092cfaa13c63c643f7d8938a671e86c19733b7",
|
|
"type": "query",
|
|
"version": 215
|
|
},
|
|
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
|
|
"rule_name": "Suspicious Network Connection Attempt by Root",
|
|
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"eb804972-ea34-11ee-a417-f661ea17fbce": {
|
|
"rule_name": "Behavior - Prevented - Elastic Defend",
|
|
"sha256": "02eda12d21fbff98e95223ba0596351a3c2e483be002663151be5c250edadc69",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "b265b454a22bf77cc88a09e45fa1e0a3f11ccdbc2421df4937d87c5a74aef17d",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "15a0fd7044827c36f60417515284afb4f6fe23e1dbae54a45a6b44e8ae0887fd",
|
|
"type": "eql",
|
|
"version": 415
|
|
},
|
|
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "7b283786203dd991a1e97f88b0ebc561bb71945130014a6efc0a600d08ca2025",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "a142efdb2037310db7836d7d03a99bebf545ffb3f5260aeb9930d874603d6d63",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"ec604672-bed9-43e1-8871-cf591c052550": {
|
|
"rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
|
|
"sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": {
|
|
"rule_name": "Kubernetes Forbidden Creation Request",
|
|
"sha256": "f5caae0dcb60c6fa3450e3b0775008d7e50eac2bfde465d39cadd799713d67f0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
|
|
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
|
|
"sha256": "47d321d4095dbcd3435bf64cb2eeca7e133383120d64d07a8b414365e34fc33f",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
|
|
"rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
|
|
"sha256": "19c54462625d0926bfc78eb159fa397eccacf62e7c1e6823e548b963f98138bd",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
|
|
"rule_name": "Executable File with Unusual Extension",
|
|
"sha256": "b9cbdb757c2d5778d0c1a517bd488966edd65b3f3716a9afe62b215d97b44f5d",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
|
|
"rule_name": "AWS RDS Instance/Cluster Stoppage",
|
|
"sha256": "971f769297099b81d7fc56ea2e38d052e9c81425c9ce32fda302d872192b1e60",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"ed3fedc3-dd10-45a5-a485-34a8b48cea46": {
|
|
"rule_name": "Unusual Remote File Creation",
|
|
"sha256": "466ffa423d3ed011e463778a61dad07e429b2e4d4fc8a3652d0b4101fdd00d80",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
|
|
"rule_name": "Azure Global Administrator Role Addition to PIM User",
|
|
"sha256": "77ae410bc2b8512b311631c5a9434ffc76e9a20a8276c39040021f91c35f3177",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "7e0624287ad182ae9bacc67dc50b8c0dd7eefdfd4cd89c815901306e3312297b",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
|
|
"rule_name": "Attempt to Deactivate an Okta Application",
|
|
"sha256": "3d33d63b18b70ecb260d4753743b10a2f38b083d5fd42f92e86d1a27f815795e",
|
|
"type": "query",
|
|
"version": 413
|
|
},
|
|
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "248af1fe0e07120481568edfaa652ca97c59f7155e4e42898736bf32eed87e29",
|
|
"type": "eql",
|
|
"version": 318
|
|
},
|
|
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
|
|
"rule_name": "Linux User Account Creation",
|
|
"sha256": "ab17d73fdeac0eee216bd6a8f44d3798106599de9e396a36415651e0a604d6bf",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
|
|
"rule_name": "Okta FastPass Phishing Detection",
|
|
"sha256": "79bcd3e51917161d1bbbb3d46ba9ae90ed7261430e0bddd58d172517d5348729",
|
|
"type": "query",
|
|
"version": 310
|
|
},
|
|
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
|
|
"rule_name": "Unusual Print Spooler Child Process",
|
|
"sha256": "94421dbaf4b818996b818ce7add2fff5f19b3361bc746e84bf7b001c6f22a107",
|
|
"type": "eql",
|
|
"version": 214
|
|
},
|
|
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
|
|
"rule_name": "Shortcut File Written or Modified on Startup Folder",
|
|
"sha256": "ed57ac9eacaf051cab3aeae3f09c0a59fdfb7eb9ca18e4ceada98adc47ac6bc6",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
|
|
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
|
|
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"ee7726cc-babc-4885-988c-f915173ac0c0": {
|
|
"rule_name": "Suspicious Execution from a WebDav Share",
|
|
"sha256": "c5748ea3783ef8a9981c04d76db7206edabc9aeec804a0174f7827ef1b46c95b",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"eea82229-b002-470e-a9e1-00be38b14d32": {
|
|
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
|
|
"sha256": "ea81b8be42aac46fe858037a08802a107f542b90f33471e6fc3a43c0b3467395",
|
|
"type": "eql",
|
|
"version": 112
|
|
},
|
|
"eef9f8b5-48ec-44b5-b8bd-7b9b7d71853c": {
|
|
"rule_name": "Kubectl Apply Pod from URL",
|
|
"sha256": "959f8556d4fc27171f851b8259d79f4f0924b114b7d59d40709bd0f83d618343",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
|
|
"rule_name": "BPF filter applied using TC",
|
|
"sha256": "237f63a54599cce9ddd6af3bcfbc0a8c48f530bd804f832c139397d1d23ced59",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
|
|
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
|
|
"sha256": "5f33c8c72e8303b4c5d6899cf47658001b89771e06282c3d2531c009dbe70e4e",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"ef395dff-be12-4a6e-8919-d87d627c2174": {
|
|
"rule_name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option",
|
|
"sha256": "3eb0067ae0a07c28dec67e99d4024c5cf6ada674e7ea49c338a36185c450340d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
|
|
"rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
|
|
"sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "ace9db18b4a07550b5124ee75c0cca3828231ea1b3026a59683313dea39aff61",
|
|
"type": "eql",
|
|
"version": 216
|
|
},
|
|
"ef8cc01c-fc49-4954-a175-98569c646740": {
|
|
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
|
|
"sha256": "9667b0b7ffba66dae17bfc62970411ae6a4e086390057e42a8754c1474cbe60d",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
},
|
|
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
|
|
"rule_name": "Unusual Child Processes of RunDLL32",
|
|
"sha256": "73689aac5e6dab00ff9d9e0b6cb0a4cf94ded423187205e46947d23a6b8fe7af",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
|
|
"rule_name": "Suspicious HTML File Creation",
|
|
"sha256": "18b02d56b8977e6689317b231313b622102493a6d66bb8a7af4608c3ec84eaed",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
|
|
"rule_name": "Administrator Role Assigned to an Okta User",
|
|
"sha256": "d92a66888822d35e66809a1c34f7e2a8a0429973e9e2ba1971c23ead1cfa2518",
|
|
"type": "query",
|
|
"version": 412
|
|
},
|
|
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
|
|
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
|
|
"sha256": "3cfffd4d242ffeb5421de910ed98187cfc586d3e708da24716ad4d4088fa0a15",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"f0bc081a-2346-4744-a6a4-81514817e888": {
|
|
"rule_name": "Azure Alert Suppression Rule Created or Modified",
|
|
"sha256": "019787d556f55ce6493342afbe8e41eb81d72df314e191a92a662c2a851ef8fc",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"f0cc239b-67fa-46fc-89d4-f861753a40f5": {
|
|
"rule_name": "Microsoft 365 or Entra ID Sign-in from a Suspicious Source",
|
|
"sha256": "1c82a2568d10fea4868e5657b9934f3be6431843d1a284c5dde1fff807ea002e",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"f0dbff4c-1aa7-4458-9ed5-ada472f64970": {
|
|
"rule_name": "dMSA Account Creation by an Unusual User",
|
|
"sha256": "51ee0ffcc257a17519e1f53b4296157b87cb7f1beb88e611f390ae8debbb37f9",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
|
|
"rule_name": "Execution with Explicit Credentials via Scripting",
|
|
"sha256": "c238de5d2b0c57efaa4780d8e7f5f95a05cf99a2ec8a5840a05e31456acd97c4",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
|
|
"rule_name": "Potential Remote Code Execution via Web Server",
|
|
"sha256": "21a4751c5c3e62d7e99a7122a5130866e4b9236b5712b28e95038fa0ecd0c8da",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"f18a474c-3632-427f-bcf5-363c994309ee": {
|
|
"rule_name": "Process Capability Set via setcap Utility",
|
|
"sha256": "09fc9a4996a45060d05871ce7050ad3bd7c0a44806087235ac1aa54aec1e8989",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
|
|
"rule_name": "Forwarded Google Workspace Security Alert",
|
|
"sha256": "6c195dfca2a28a28d01a307ee437b722bb378e2ea1c8e923cdf41304d729a75f",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"f2015527-7c46-4bb9-80db-051657ddfb69": {
|
|
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
|
|
"sha256": "d3de58ca35a9dc6d480cb9bef167e9065d10fd64c76dd25369636c977eb978bf",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"f243fe39-83a4-46f3-a3b6-707557a102df": {
|
|
"rule_name": "Service Path Modification",
|
|
"sha256": "479c0261e46fdc70b821b6577c00bdd690bec74af99f5f6a36350458a33dcaca",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
|
|
"rule_name": "Creation of Hidden Login Item via Apple Script",
|
|
"sha256": "96eccd66b8f60e06e7aabfbd9a3d372d3e994cc5b1de8d08ea6f3473c5872be8",
|
|
"type": "eql",
|
|
"version": 113
|
|
},
|
|
"f28e2be4-6eca-4349-bdd9-381573730c22": {
|
|
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
|
|
"sha256": "8aa85b989decbe98379b8fb81d4f5ee2ad2e470a22060ca2aa5fb7f6f262de56",
|
|
"type": "eql",
|
|
"version": 213
|
|
},
|
|
"f2c3caa6-ea34-11ee-a417-f661ea17fbce": {
|
|
"rule_name": "Malicious File - Detected - Elastic Defend",
|
|
"sha256": "41ad2b2030986dcdd6d5acd828d369cbf10f4b53afd0cbc73f44834f48ac57aa",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
|
|
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
|
|
"sha256": "6ff7d13565c3fa8aaf9cead54500dbc3dd13e124a87f2b6c7eaf2d0d528cd55f",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
|
|
"rule_name": "SIP Provider Modification",
|
|
"sha256": "47389d060af838e9b3ab54a6aa1da8ef352339436cef82bf5ad8b528326c1857",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "4de3d5e198211653435573047cfbbcede3b079ce2d9b1e159ebc6c4a8e1bcda3",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
|
|
"rule_name": "AWS RDS Instance Creation",
|
|
"sha256": "9f7b91ba7c0f602ffd9540c7732890de8fda14cadc83890543562a9092c669b3",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
|
|
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
|
|
"sha256": "e3d5d22bf6f0e1c8cdf350e9585236e6eb414438bc033c531501c84f9d4d3681",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
|
|
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
|
|
"sha256": "cc612f1f8949a5a302e700bfce9e41755c128540eb3c8ba1fd55732719b8c692",
|
|
"type": "query",
|
|
"version": 8
|
|
},
|
|
"f3475224-b179-4f78-8877-c2bd64c26b88": {
|
|
"rule_name": "WMI Incoming Lateral Movement",
|
|
"sha256": "09e8a918c81fe0701b414046f7b2978cf6917f27d256594f18f20c0766f12651",
|
|
"type": "eql",
|
|
"version": 215
|
|
},
|
|
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
|
|
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
|
|
"sha256": "30bbcb2db2e6948e533d161b1e93e4097dc3f3e563b50843a3ac644e11961f66",
|
|
"type": "threshold",
|
|
"version": 107
|
|
},
|
|
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
|
|
"rule_name": "Suspicious Network Connection via systemd",
|
|
"sha256": "3e8642d7c442e979a3dd3529f660e9127090ad406fc5f68de5c0b51138cea04d",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"f38633f4-3b31-4c80-b13d-e77c70ce8254": {
|
|
"rule_name": "Potential PowerShell Obfuscation via Reverse Keywords",
|
|
"sha256": "4935469fc2fc470b586e4d5f9667f0e749fdc27c59dd87f33de369314ff2c9c4",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
|
|
"rule_name": "Kill Command Execution",
|
|
"sha256": "f80398ec972742b94bcdaeaa5f360b15ed60a3178453f75e099fa359c543c7de",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
|
|
"rule_name": "Threat Intel URL Indicator Match",
|
|
"sha256": "155ff4eef509d2fc7fd1c2d2123e8343f5ccec6b90178d7647703aec30eacf8b",
|
|
"type": "threat_match",
|
|
"version": 9
|
|
},
|
|
"f401a0e3-5eeb-4591-969a-f435488e7d12": {
|
|
"rule_name": "Remote Desktop File Opened from Suspicious Path",
|
|
"sha256": "26f9f4f5c8a08b36972822b6f7cb3ab8523673772d71d9c8284730bf427c7345",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"f41296b4-9975-44d6-9486-514c6f635b2d": {
|
|
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
|
|
"sha256": "b4e52267a34b087560dde6553b2ffca6d6e2d51e985dff098e79b8975b400da6",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
|
|
"rule_name": "Persistence via Microsoft Office AddIns",
|
|
"sha256": "cba4b95ced426d90a06aeb6a7c29ed69852042fa8e4104dfcd4ba0c44c6ed44b",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"f48ecc44-7d02-437d-9562-b838d2c41987": {
|
|
"rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
|
|
"sha256": "600d74d6c0a73fde14d13868996c69e59247528ce68d34fc56405dbf549e548e",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
|
|
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
|
|
"sha256": "e0fc6c2d7d2f6ac2bd05c3ea842bbf880819515a3cd2b46090842150ba5186b5",
|
|
"type": "query",
|
|
"version": 217
|
|
},
|
|
"f4b857b3-faef-430d-b420-90be48647f00": {
|
|
"rule_name": "OpenSSL Password Hash Generation",
|
|
"sha256": "5dc0015c0091159526681dd3e4468397e0c0e8036599828cfba49c84139e380b",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
|
|
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
|
|
"sha256": "20f641858b068dde9a75476a566ea629fab3125934c93b48a3aacd5f5b076441",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
|
|
"rule_name": "DPKG Package Installed by Unusual Parent Process",
|
|
"sha256": "f49e89fff43a463738790b8d7a452104c9fff3a3dc854fd6e8c5101b2a31d687",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"f52362cd-baf1-4b6d-84be-064efc826461": {
|
|
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
|
|
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
|
|
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
|
|
"sha256": "0b056ed6169d3bf26d1cf6fb5fbb148ef24b0d644d1c8ec32ce479fb6c78e761",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"f541ca3a-5752-11f0-b44b-f661ea17fbcd": {
|
|
"rule_name": "TeamFiltration User-Agents Detected",
|
|
"sha256": "7eddbed7d8a7f591030cad197229a1bcb12198c0fcaf33227ce94c990f726c4d",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "63504b45de08ac60e947b5c14b035dac62d99c21b83c7a4b4ec514718274a3f8",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
|
|
"rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
|
|
"sha256": "e9a0161ce66e4dbbc1d7b04ff2e17e6b37a210d29e6dff9d8ca021d2a0c65355",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
|
|
"rule_name": "Rare SMB Connection to the Internet",
|
|
"sha256": "85aa99a054bc951c424dbbd1370be140b58104a2af079671be01f409fce66d1d",
|
|
"type": "new_terms",
|
|
"version": 211
|
|
},
|
|
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
|
|
"rule_name": "WRITEDAC Access on Active Directory Object",
|
|
"sha256": "35631fdae636c785efe1e73f4d79126c72bd13989ea378c9dc433297c2ad42d0",
|
|
"type": "query",
|
|
"version": 110
|
|
},
|
|
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
|
|
"rule_name": "WMIC Remote Command",
|
|
"sha256": "2104b6abd124b33aa4ba66650b7c9c6981626f1d93a7a3a712a22891a8210b48",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
|
|
"rule_name": "Setcap setuid/setgid Capability Set",
|
|
"sha256": "8c951ec52e073e1b2590866bad6c7bf129b5174961cd166d614c1fd11c4e49b2",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
|
|
"rule_name": "Parent Process Detected with Suspicious Windows Process(es)",
|
|
"sha256": "892146af9028d4e03537dd1233b7a26ed1239787574f281d9204b25cab92ee63",
|
|
"type": "machine_learning",
|
|
"version": 110
|
|
},
|
|
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
|
|
"rule_name": "Masquerading Space After Filename",
|
|
"sha256": "eb76102194496988aa63e27726003e207d8b1ed307a6bd7bdbdb1686a77c0d8f",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
|
|
"rule_name": "Account or Group Discovery via Built-In Tools",
|
|
"sha256": "d79ff10bed1f9e416ffd6907d47f4d633eb13aa22fd5c13d77831b61c6f70f84",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
|
|
"rule_name": "Windows Firewall Disabled via PowerShell",
|
|
"sha256": "4d82c8b13cf75884cb608b21d63c3f9a10f67404536c5d28a993d0a8418ec11e",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
|
|
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
|
|
"sha256": "5ff52316c612a32b456c1d8cabd1f45f2752e52eb36c4c2d1950f4f50750c57f",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
|
|
"rule_name": "Delete Volume USN Journal with Fsutil",
|
|
"sha256": "4ffb25a4641ad9040be58848570f2509850ed15374327784d814848e21628a93",
|
|
"type": "eql",
|
|
"version": 314
|
|
},
|
|
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
|
|
"rule_name": "SoftwareUpdate Preferences Modification",
|
|
"sha256": "55f87f6cb95594cde489f7fbc1c78ae461b53294d959a80b4daa38923b1fa95c",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
|
|
"min_stack_version": "8.18",
|
|
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
|
|
"sha256": "c0a00db3b763631ed603f36b60c52448f86de8074b5d4ccb41c65939b791d142",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"f6d8c743-0916-4483-8333-3c6f107e0caa": {
|
|
"rule_name": "Potential PowerShell Obfuscation via String Concatenation",
|
|
"sha256": "048b30521186afd04760fc0dfb8ca1957d7f5bdb6c98a7135a9707e201b4939c",
|
|
"type": "esql",
|
|
"version": 4
|
|
},
|
|
"f701be14-0a36-4e9a-a851-b3e20ae55f09": {
|
|
"rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
|
|
"sha256": "023f201f19f55fa32002748bd7a5baf47607e32cd8939b2a67821dce314dd210",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
|
|
"rule_name": "System Hosts File Access",
|
|
"sha256": "95d21e6f12f573fcfe1c7b40679200ac326659d5bec0e2e78d7729d1967afa05",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
|
|
"rule_name": "Microsoft Entra ID Service Principal Credentials Added by Rare User",
|
|
"sha256": "029d79b21a99fe77788692b50de1c496e820f6451b39dd167d55f278b02da705",
|
|
"type": "new_terms",
|
|
"version": 107
|
|
},
|
|
"f770ce79-05fd-4d74-9866-1c5d66c9b34b": {
|
|
"rule_name": "Potential Malicious PowerShell Based on Alert Correlation",
|
|
"sha256": "4ddf7e935836ae79df33c7406f3e6ca7225d0c4e4f77992dd7ce9913fc461000",
|
|
"type": "esql",
|
|
"version": 2
|
|
},
|
|
"f772ec8a-e182-483c-91d2-72058f76a44c": {
|
|
"rule_name": "AWS CloudWatch Alarm Deletion",
|
|
"sha256": "e47968c2ad6c9715933b5070efee224072cfe97109fb42eb192f5ae39c6f1526",
|
|
"type": "query",
|
|
"version": 211
|
|
},
|
|
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
|
|
"rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
|
|
"sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
|
|
"rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
|
|
"sha256": "b6ae0f3d5e5790671f6b90680f9d8c041cfbf0bac41d7f9a6281cb8638714fb9",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
|
|
"rule_name": "Persistent Scripts in the Startup Directory",
|
|
"sha256": "c4ba59b94734be47cc6d314a83bc972398a47bbee058573371f2237cfc4076a6",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
|
|
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
|
|
"sha256": "530dc12ec6951b3fe8217423c749f32557d7553f52594fa965dbb2c940acf26c",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": {
|
|
"rule_name": "AWS CLI with Kali Linux Fingerprint Identified",
|
|
"sha256": "53fd7ae0a169533b30cd15ca8ba187d5832cd3b9a75c6703bebbe947c99ad5b8",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"f81ee52c-297e-46d9-9205-07e66931df26": {
|
|
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
|
|
"sha256": "8f20c4f77a4aba5735e7f0ee1ddc1df40a80401369e7fde49fec90409bb94ed4",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
|
|
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
|
|
"sha256": "944482376711795146b91fa8d586f565364c9cab3cf94481924fb5d7128846c4",
|
|
"type": "eql",
|
|
"version": 110
|
|
},
|
|
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
|
|
"rule_name": "Printer User (lp) Shell Execution",
|
|
"sha256": "73fa9d9578f6690ca855f81f5bb10c8a750b00eb518b225cccb185c75a693c2b",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
|
|
"rule_name": "Modification of AmsiEnable Registry Key",
|
|
"sha256": "3d21669e611960932ce8953bc186daa36ad6fa5e5de719f84cc5ea2bbf58bdf6",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"f87e6122-ea34-11ee-a417-f661ea17fbce": {
|
|
"rule_name": "Malicious File - Prevented - Elastic Defend",
|
|
"sha256": "5f0651f7f44774e085a9b994162b48004c1a1ea83463576e78763c92ceecb71b",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
|
|
"rule_name": "Potential Active Directory Replication Account Backdoor",
|
|
"sha256": "5b6cad3de77f9ca3d818dc460897a2b0a6ec6cc342acdf3915e7c6952d5603fb",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"f909075d-afc7-42d7-b399-600b94352fd9": {
|
|
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
|
|
"sha256": "4cdb24a07ee208f032eb6af7f9b7479f039879b8d59682896a08b3a03db5875c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f94e898e-94f1-4545-8923-03e4b2866211": {
|
|
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
|
|
"sha256": "220ffd3b00b10fff5b9c9d3ea8cee1554fc9fa9e03cd8b6af5c2f5657604728b",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
|
|
"rule_name": "Unusual Linux Network Configuration Discovery",
|
|
"sha256": "b1e4aa334a9c74399d4b35c0e73a331197fd44f3b8ef34669b8d6b23d87620cf",
|
|
"type": "machine_learning",
|
|
"version": 108
|
|
},
|
|
"f95972d3-c23b-463b-89a8-796b3f369b49": {
|
|
"rule_name": "Ingress Transfer via Windows BITS",
|
|
"sha256": "7ef402a44d7dbf5d88feec38221121de12a30dcf8ec090899d53b9cdf34a2242",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
|
|
"rule_name": "Browser Extension Install",
|
|
"sha256": "576be150607dc9afd8fedcd60b859916ff133c1200bc665c1b3be75c7b71afd8",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"f9753455-8d55-4ad8-b70a-e07b6f18deea": {
|
|
"rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion",
|
|
"sha256": "26098d2afb164e6f05a99cf24bd627301f808c5c1240693437cb14925bfab1c0",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
|
|
"rule_name": "Privileged Account Brute Force",
|
|
"sha256": "4562600098cbceaf4ad37a568c0c38c74ecec431ab04bd89d7def9e5dabf7211",
|
|
"type": "eql",
|
|
"version": 114
|
|
},
|
|
"f994964f-6fce-4d75-8e79-e16ccc412588": {
|
|
"rule_name": "Suspicious Activity Reported by Okta User",
|
|
"sha256": "6e2937a3d1e9b3398d71d4bd594a454dcd061816ff73f7c83de5de94a21590d2",
|
|
"type": "query",
|
|
"version": 412
|
|
},
|
|
"f9abcddc-a05d-4345-a81d-000b79aa5525": {
|
|
"rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
|
|
"sha256": "fa648e659bffe932aa1fffefe9c560668d631de9217505b3e3a7df813857b011",
|
|
"type": "esql",
|
|
"version": 5
|
|
},
|
|
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
|
|
"rule_name": "Remote File Copy to a Hidden Share",
|
|
"sha256": "949ebfdb52e937926b2ae1392d29f7242d04e41581e73229ca952e910f0ab35e",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
|
|
"rule_name": "Potential External Linux SSH Brute Force Detected",
|
|
"sha256": "82f7557dd05858dbffcd65898151e73a4144f2e6c72ac7a9937d821dc6506450",
|
|
"type": "eql",
|
|
"version": 10
|
|
},
|
|
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
|
|
"rule_name": "Potential Reverse Shell via Suspicious Binary",
|
|
"sha256": "65b9fabf9c126d6ac2cf770a8ca62d25c797824ebcc440fd5ba7757a479883ec",
|
|
"type": "eql",
|
|
"version": 11
|
|
},
|
|
"fa488440-04cc-41d7-9279-539387bf2a17": {
|
|
"rule_name": "Suspicious Antimalware Scan Interface DLL",
|
|
"sha256": "0cd027bc2a6c875c929dcf7cc81896925357907008c382104fa069cdb024cb9a",
|
|
"type": "eql",
|
|
"version": 319
|
|
},
|
|
"fac52c69-2646-4e79-89c0-fd7653461010": {
|
|
"rule_name": "Potential Disabling of AppArmor",
|
|
"sha256": "03511149b8d32be09f3ed40d6d92af246fa9531fca276753eee8558e7056af03",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
|
|
"rule_name": "Potential Masquerading as System32 DLL",
|
|
"sha256": "43e8b63eb9570e74bea2bd40c0278bb6bd6689e146817245638379783aeb1e04",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
|
|
"rule_name": "Network Connection via Registration Utility",
|
|
"sha256": "ccf026fc7183644829bbe566e34f7580033ac7c72f6f608881280dc1f70db8cf",
|
|
"type": "eql",
|
|
"version": 211
|
|
},
|
|
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
|
|
"rule_name": "High Number of Cloned GitHub Repos From PAT",
|
|
"sha256": "0b2014b51f05dc7bab6bf89177d97bfe529a2168a887e107d01282c03ab79482",
|
|
"type": "threshold",
|
|
"version": 207
|
|
},
|
|
"fb16f9ef-cb03-4234-adc2-44641f3b71ee": {
|
|
"rule_name": "Azure OpenAI Insecure Output Handling",
|
|
"sha256": "799952ea9ded7fa71e9d842e3a27b248bc6c4d49ac83aa56949ca1bd6d6447df",
|
|
"type": "esql",
|
|
"version": 3
|
|
},
|
|
"fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": {
|
|
"rule_name": "Unusual Group Name Accessed by a User",
|
|
"sha256": "9f2db22b9e734b5a889262f1f2f439535f666e0297237040c15e016852a51ff1",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
|
|
"rule_name": "Auditd Max Failed Login Attempts",
|
|
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"fbad57ec-4442-48db-a34f-5ee907b44a22": {
|
|
"rule_name": "Potential Fake CAPTCHA Phishing Attack",
|
|
"sha256": "8e3289b4539e63e0d4bbe85963ed47f490894e78c1b8e45d5b57da403063d53f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"fbb10f1e-77cb-42f9-994e-5da17fc3fc15": {
|
|
"rule_name": "Unusual Source IP for Okta Privileged Operations Detected",
|
|
"sha256": "f1169e957a20125ed74336cc3fa63c1c0f4d95f9affb1dff7262a2ab43453162",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"fbd44836-0d69-4004-a0b4-03c20370c435": {
|
|
"rule_name": "AWS Configuration Recorder Stopped",
|
|
"sha256": "6e157f9396080320a6c4274936418fb1cac090cf3e44e2e0941c23cf658e668f",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
|
|
"rule_name": "Process Started with Executable Stack",
|
|
"sha256": "1f4d2ebb8ad5c86faee9ef8bab795952baa6d520b4d4f15f39063ab84c86a639",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
|
|
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
|
|
"sha256": "5a82f8caac0fe4454c5282d9afcc90b60b161d0c3799c54bd699873bfc0a5905",
|
|
"type": "eql",
|
|
"version": 312
|
|
},
|
|
"fc909baa-fb34-4c46-9691-be276ef4234c": {
|
|
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
|
|
"sha256": "1f0336580e1b3100d187f58ab77effb5864edf252101ac786ad58ca7432b6fc7",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": {
|
|
"rule_name": "Proxy Execution via Console Window Host",
|
|
"sha256": "71c27f7195ec6a29dadac01c5679565bdbb368f049b138fb1a4ea088756ec63a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"fcd2e4be-6ec4-482f-9222-6245367cd738": {
|
|
"rule_name": "Microsoft 365 OAuth Redirect to Device Registration for User Principal",
|
|
"sha256": "1d02af55b664c31f3cc24f4d2d7dd45c93c876b21c5782043ca1b237fbd4ff9e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"fcf18de8-ad7d-4d01-b3f7-a11d5b3883af": {
|
|
"rule_name": "Threat Intel Email Indicator Match",
|
|
"sha256": "cfa8a4fcc12561cec5bb571ef7f143d87543fe860577aa1f11b2b284b2e7ecb2",
|
|
"type": "threat_match",
|
|
"version": 2
|
|
},
|
|
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
|
|
"rule_name": "User or Group Creation/Modification",
|
|
"sha256": "393bcb9bc39457d123eb5b8a5a294d538034bbf9d541291d8c2a29b9b1412aab",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
|
|
"rule_name": "GitHub App Deleted",
|
|
"sha256": "0f605aa5517a6ddb5f3a5cd04b4b6e30a44d35fcb3b13f030655b6a428b252c8",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
|
|
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
|
|
"sha256": "b368cb9dfd9dc33e13ed6768fa62bbd5a8f73a522cd124a7bdc91cb8512f2e4c",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the expect command",
|
|
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
|
|
"rule_name": "Potential Application Shimming via Sdbinst",
|
|
"sha256": "d31dcef398fc63196c928a47cf1a242e1bc03e206145f2973e6f2717c0a47417",
|
|
"type": "eql",
|
|
"version": 316
|
|
},
|
|
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
|
|
"rule_name": "Suspicious CertUtil Commands",
|
|
"sha256": "382f88c563097d4a8091b774c5ae43d94baa29779ece49ef509c639e57494bbc",
|
|
"type": "eql",
|
|
"version": 315
|
|
},
|
|
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
|
|
"rule_name": "Svchost spawning Cmd",
|
|
"sha256": "2912289edd95c2285d9fb553d124ff5099b84cf5d8b179221b139ac534c65137",
|
|
"type": "new_terms",
|
|
"version": 423
|
|
},
|
|
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
|
|
"rule_name": "Image Loaded with Invalid Signature",
|
|
"sha256": "03745c7178dcf6374257634aeffef34bd5009ab9b52fbd8e2dd6d77b57ba1a47",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
|
|
"rule_name": "System Binary Moved or Copied",
|
|
"sha256": "4cafdc105f02e8f5f46077255b00cd343f0782c5810d170830958f5ccdd4fac1",
|
|
"type": "eql",
|
|
"version": 17
|
|
},
|
|
"fddff193-48a3-484d-8d35-90bb3d323a56": {
|
|
"rule_name": "PowerShell Kerberos Ticket Dump",
|
|
"sha256": "1a005d14b137cfd7034a5960d99103c7f2ef5ce215bb933dcfa5c8741e655484",
|
|
"type": "query",
|
|
"version": 110
|
|
},
|
|
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
|
|
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
|
|
"sha256": "e0d9cceaa382c6dee76d417d5b1c1f804a62349c4988af90f1e60a50339c4e22",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
|
|
"rule_name": "Microsoft Windows Defender Tampering",
|
|
"sha256": "90aa76c4f7daef4acec489e280a63032de791c9a2a5fe91e3474bb593165a881",
|
|
"type": "eql",
|
|
"version": 317
|
|
},
|
|
"fe8d6507-b543-4bbc-849f-dc0da6db29f6": {
|
|
"rule_name": "Spike in host-based traffic",
|
|
"sha256": "4fa29254fdfdc90f04cb22e0b5a84b3f62769dda8e36b0ebe462188b99fd92d4",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
},
|
|
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
|
|
"rule_name": "Potential Masquerading as Business App Installer",
|
|
"sha256": "3320b98061416b20df553034b2646b78bd829976cada58d78368d3de8d58d807",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
|
|
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
|
|
"sha256": "296701dc33e1684c4011dbf1ccfd9d85369255ae83c23295e720aa97b8e4136d",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
|
|
"rule_name": "MS Office Macro Security Registry Modifications",
|
|
"sha256": "0ff563e99da750acf3e694ad34679010f0fa64883c84a72877f2fcefe7b762c6",
|
|
"type": "eql",
|
|
"version": 311
|
|
},
|
|
"fef62ecf-0260-4b71-848b-a8624b304828": {
|
|
"rule_name": "Potential Process Name Stomping with Prctl",
|
|
"sha256": "899d1fba09b4b54578b7d0b3b9924dd9cdc57c0da03c5b7f666b712d50b598ae",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
|
|
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
|
|
"sha256": "b5131178d38397bc930bc5a900e33c256bbf4a95c3a2fc168f30b03bed4d26f9",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
|
|
"rule_name": "Potential DGA Activity",
|
|
"sha256": "f662722869546977900cdcf6f61af6921039cb77001c739166a0c0338860eae8",
|
|
"type": "machine_learning",
|
|
"version": 8
|
|
},
|
|
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
|
|
"rule_name": "Cron Job Created or Modified",
|
|
"sha256": "38d022c6ef387d3ba1b54182d1e6ea44ae8d5d27547c8dc70a740b90392eb84b",
|
|
"type": "eql",
|
|
"version": 17
|
|
},
|
|
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
|
|
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
|
|
"sha256": "07d9e674bd98c3887caebf9c24b25366899c3c3cad0ac4cdcc322c0765ecdbc5",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
|
|
"rule_name": "LSASS Process Access via Windows API",
|
|
"sha256": "0115c726d58333857e1c7e708f665e4bd30cf4e2c41bbd68c933cac28656ce95",
|
|
"type": "eql",
|
|
"version": 13
|
|
},
|
|
"ff46eb26-0684-4da3-9dd6-21032c9878e1": {
|
|
"rule_name": "Active Directory Discovery using AdExplorer",
|
|
"sha256": "5498c911565a0f24b7ec48e5e494dd62b58ee7efebfd30ae802acb1a12829893",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
|
|
"sha256": "4de818584a14719ee372d29a3d4d9e6cbbd31ba9e20ab6d702cd75ce35f29336",
|
|
"type": "query",
|
|
"version": 209
|
|
},
|
|
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
|
|
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
|
|
"sha256": "a48e20350f413cf45c9adacf6a299a1b22445bab666f464c05bc37755bb70959",
|
|
"type": "eql",
|
|
"version": 204
|
|
},
|
|
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
|
|
"rule_name": "GCP Firewall Rule Deletion",
|
|
"sha256": "77a309ec983a7d24866bd6b5e90d5423ef1edf0411c0eb6a116b4cb33996448c",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
|
|
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
|
|
"sha256": "7dee889e4307b772481635d2b67ec6dfbc300840bfed47d7b74ea140549cfc50",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"ffa676dc-09b0-11f0-94ba-b66272739ecb": {
|
|
"rule_name": "Unusual Network Connection to Suspicious Top Level Domain",
|
|
"sha256": "6fae13669a71fb69141b56f8ea1faa51ec5717011111ca52cae34917ddc408ce",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
}
|
|
} |