{
|
|
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
|
|
"rule_name": "Attempt to Modify Okta MFA Rule",
|
|
"sha256": "f9bd8e6caeae611103938c373e4396b7cbfc29189f96b3e4032efd7afcc143ee",
|
|
"version": 2
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "5f1f258d346ed8061345b2cdb728ab29e71335b3c401e9dc13235cdd8fba7ac0",
|
|
"version": 5
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"rule_name": "Potential DNS Tunneling via Iodine",
|
|
"sha256": "a22f964f608fc0699b9a917bfe4c5435b9eeec6de09ea8b09e1ab98030c9bde2",
|
|
"version": 5
|
|
},
|
|
"0564fb9d-90b9-4234-a411-82a546dc1343": {
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "3ad71ce2d24f4fbf0ff051c5f322c321173231d333c6313321c24b050cee99ee",
|
|
"version": 1
|
|
},
|
|
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "09938334fdaab62b2beac5369fbd1ab78ab4ed41a3764d6dae9274bf989fe101",
|
|
"version": 1
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "efe7bd02504d62b8781e6ffc70abc015bd4025c4b7fd67565e568841919b53e7",
|
|
"version": 4
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "03ac5cac28ca005e43bb065cac877fd834f2a5a1c4abe2d0e86b65dd9efbbcbd",
|
|
"version": 4
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "eb9d27881cdd82877f5c79e587676c4708362bb9c1f3cc33bf2ff3c372f58296",
|
|
"version": 5
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"rule_name": "Malware - Detected - Endpoint Security",
|
|
"sha256": "adcd895329cc4d1c41bc4bf8b75404c838823731713fa11f3d3b671dd24cc31d",
|
|
"version": 4
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "2c0ef448095688b59b12cdf6eaa8b1cf916845b1b9ca33e47412f87f855d493d",
|
|
"version": 3
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "4bb206b502300c86a4e61297e3adff88d2986792f3ab900a0db31d29b589713b",
|
|
"version": 5
|
|
},
|
|
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
|
|
"rule_name": "Execution of File Written or Modified by Microsoft Office",
|
|
"sha256": "279c5672f7a5cf27f5c97c7becfc549d34a4483c7b12fbf88949ec9ab8b4fd22",
|
|
"version": 1
|
|
},
|
|
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
|
|
"rule_name": "GCP Service Account Key Creation",
|
|
"sha256": "6f6d7dc29596f09dcc690be249eb63dafb013bc2a63bea2cf59acb3fa25e957a",
|
|
"version": 1
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "31d9a8a7c66735189e7ff5948984f41e1041a7148f7d55b751aceff7ad660ef2",
|
|
"version": 5
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "eda1455bfca1e70643cf61c6349be1e9948d6711fd999e23683c739a5b5582aa",
|
|
"version": 5
|
|
},
|
|
"11013227-0301-4a8c-b150-4db924484475": {
|
|
"rule_name": "Abnormally Large DNS Response",
|
|
"sha256": "084010714173a6e65ff9ed8e36e12adfb535c46ef0d395a8fe9a997082773340",
|
|
"version": 1
|
|
},
|
|
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
|
|
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
|
|
"sha256": "1d2aa3da7555b841e5ecbea83e7ee1a8c38bd9f604f69396dcedba77b2507a79",
|
|
"version": 1
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "a999fad6cc665af1661c4236b341868f37050cba2acee4f448e15c4b91dbd9f7",
|
|
"version": 5
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "954073af18b76a19b827b05ef6809fbb44f532554dc57d267ca86882d04d9302",
|
|
"version": 4
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "58162840d3e9478788b0da3fbfc63f6c9887ca97e9e9c2e02e83f833411d8309",
|
|
"version": 5
|
|
},
|
|
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
|
|
"rule_name": "Azure External Guest User Invitation",
|
|
"sha256": "6173211181d2fd70cc93738f4621a3e27b4c8c3e01fd396d2f05a34d6eb6df6f",
|
|
"version": 1
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "27ccce4c59e522e175b0b0c36484ad0dc4c3960a8e1a98df4584d2ed14eea6f4",
|
|
"version": 5
|
|
},
|
|
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "6e920e9127286ed497dc48b7a5f289178452156489699e5cb40a3116683cf324",
|
|
"version": 1
|
|
},
|
|
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
|
|
"rule_name": "Azure Automation Runbook Created or Modified",
|
|
"sha256": "6d28baddd53074b17e5fa12ac1c9ce3ce717a61967b0ecbe4bb45b8e52bdb1bc",
|
|
"version": 1
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "8c529f3afdc74b3c7974570fe13a06db483a06d61dbd054f23da483edf630d7e",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "e3bc57714f47a0836cc1c6b7290a3872c953fc3320da7c95d0a8cb6a9ed7f3d7",
|
|
"version": 3
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "522b54696d2442ac05611c60b30f7d3ff6979437525632c8ca29ba3244c7dc1e",
|
|
"version": 3
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "93b050224f92e0f3e5a043d6d2598a105fea78aebd8815f32e6932920731c7be",
|
|
"version": 3
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "b8604ca4da00ed753c2528b252b3a70dc27e923442b8d3cb9b6efe70b0733069",
|
|
"version": 3
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "9b5521dffd2429f28febd39b2e0c6854439e3020f4ea36dae83899321f987f80",
|
|
"version": 3
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "6e872b23e100ee779531cb816953fbf9c13e475e07b3ab4e52ecdef1e474e124",
|
|
"version": 3
|
|
},
|
|
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
|
|
"rule_name": "GCP Logging Sink Modification",
|
|
"sha256": "2703485bd04f7b90892dd0a5fd2aafc77e2109c6c64340f47ece4b56a0f6d9fc",
|
|
"version": 1
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "ba1f3d9db01dd4ecac10bceae27c1686745f53fc59c9164cdda820d1ff955667",
|
|
"version": 2
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "4691d9fb494b9ab1413375f4832bb68e4541a7a96907ede652102beae9b927fe",
|
|
"version": 2
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "e3a50a2c723610d91e6d14813e2ffa6ccb9f6b14ebe1a293c4d08967a7d4b48c",
|
|
"version": 5
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "a0c3903438a1efe0c78f19773f9405b91c94f92239c59e63d1ec89073afb78cd",
|
|
"version": 4
|
|
},
|
|
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
|
|
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
|
|
"sha256": "f360fa061dda8c50993fc93f7fb9d1c3a7f070861b18c63cfffaeb7bab802d94",
|
|
"version": 1
|
|
},
|
|
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
|
|
"rule_name": "Public IP Reconnaissance Activity",
|
|
"sha256": "2af259b77e0e35a0e12611ece6eb7a237abbf9bad58646ea04c5803dbe0a6020",
|
|
"version": 1
|
|
},
|
|
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "0adc0d3d12852872e3353b3be3bd0c586cef1dac4989a670954d3b9e8bcbefa9",
|
|
"version": 1
|
|
},
|
|
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "8c1cf9330ffc9fdaa53a49674a3974cd90262ff7de7c0fefee99cc413a7b3be4",
|
|
"version": 1
|
|
},
|
|
"1e0b832e-957e-43ae-b319-db82d228c908": {
|
|
"rule_name": "Azure Storage Account Key Regenerated",
|
|
"sha256": "d189965d46796d21054d909dfdc3cc2c2edb949bbd9c53fc71e9ba9501dd22d3",
|
|
"version": 1
|
|
},
|
|
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
|
|
"rule_name": "Unusual Sudo Activity",
|
|
"sha256": "6e49f87f11fba067e6fea0b97078cf1e2d77aa0f6c259309ec67f9fecb867a7f",
|
|
"version": 1
|
|
},
|
|
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
|
|
"rule_name": "Unusual Linux User Calling the Metadata Service",
|
|
"sha256": "78a5c11812e5b1a80a2060f55840a2c19bb4f16eaf7c12ebd427d977e1579e65",
|
|
"version": 1
|
|
},
|
|
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "1c6a98ed8c939c838cc1d87528f00eee1d6a188c9fd7c6adea39ffb08d1b737b",
|
|
"version": 1
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"rule_name": "Exploit - Detected - Endpoint Security",
|
|
"sha256": "83322d535ddc84dec40b7a90e9738726df2bd27ac3cdf96e7b9ebd967560bd25",
|
|
"version": 4
|
|
},
|
|
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "3c266f628d45aaa310e2dec51dc18b57f257afc1885ec11d033a4187e9d38226",
|
|
"version": 1
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "7683d8361cece064211fb0bd88ac61722cf50eba1f58cf0dba3b9fea5b5a57e9",
|
|
"version": 2
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "6b38e8be014568c7786001c5974a1ce463d8f7f3e436e5df0a8c969ebc27d823",
|
|
"version": 6
|
|
},
|
|
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
|
|
"rule_name": "GCP Storage Bucket Permissions Modification",
|
|
"sha256": "1dc4803392cfaa78b483660dc16fac6fcdc0c940d413949557cb912ee27ad979",
|
|
"version": 1
|
|
},
|
|
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
|
|
"rule_name": "Azure Blob Container Access Level Modification",
|
|
"sha256": "a8eaa99d010397c8e118b375183047db902df793867c7bd8311adfc1eeb959b0",
|
|
"version": 1
|
|
},
|
|
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "dc25f66a2cd09edd7f601b26b29c51d34acc2f7419b666689d7d9974a4a4b157",
|
|
"version": 1
|
|
},
|
|
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
|
|
"rule_name": "GCP Firewall Rule Modification",
|
|
"sha256": "f468d6672778eccf92ab3c49e47650a9ebbef4feb3bf5ef57fe854b0101f837c",
|
|
"version": 1
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"rule_name": "Net command via SYSTEM account",
|
|
"sha256": "d62c8c82699832f3ec4921bacd0ffaa294acf4faead1e04372fd3c8bc9fa7791",
|
|
"version": 4
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"rule_name": "Exploit - Prevented - Endpoint Security",
|
|
"sha256": "4a04fd5b4099a19a093d301762f68352221eca036db21c9b9b2e388dc5c56a9e",
|
|
"version": 4
|
|
},
|
|
"28896382-7d4f-4d50-9b72-67091901fd26": {
|
|
"rule_name": "Suspicious Process from Conhost",
|
|
"sha256": "29ec058f9603c19950c03bba6b7ab0bc8c8609966dc782f1481059b97f6d2564",
|
|
"version": 1
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "55ab3cdeae88e42d8404c28f598eb416fc7de78206a9b80e38ac98abbb5df237",
|
|
"version": 5
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "f63deca5ee1ae8456d4c7e880f55784e73ba5ea2c372e828f5fbd65df3a32c92",
|
|
"version": 4
|
|
},
|
|
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
|
|
"rule_name": "Renamed AutoIt Scripts Interpreter",
|
|
"sha256": "5ad137862977f43fad9760347b3e8922e95874871ba0083be5ef1054135991ec",
|
|
"version": 1
|
|
},
|
|
"2e580225-2a58-48ef-938b-572933be06fe": {
|
|
"rule_name": "Halfbaked Command and Control Beacon",
|
|
"sha256": "fe2712b9622cf77291f067c1a80170ba996bea2724f1f2e2239a71c4e9a9d172",
|
|
"version": 1
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "93f733e8864d6a086ce2131e251f6e66158a635fcf588a8ef61ad1e286648863",
|
|
"version": 4
|
|
},
|
|
"30562697-9859-4ae0-a8c5-dab45d664170": {
|
|
"rule_name": "GCP Firewall Rule Creation",
|
|
"sha256": "bedb1bf60788bffebbe4160f2f7f48d8d1fdcfcb050166cee7d9a7deb794da48",
|
|
"version": 1
|
|
},
|
|
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
|
|
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
|
|
"sha256": "7214989872be520d178e1e95d0cd953d0bd0ac664fd60f355ef17fe3b164b173",
|
|
"version": 1
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "e8a189f29d90e1a2bb295677cec25932884f2ef0d8cbaac015b8a4c02678fa3c",
|
|
"version": 4
|
|
},
|
|
"3202e172-01b1-4738-a932-d024c514ba72": {
|
|
"rule_name": "GCP Pub/Sub Topic Deletion",
|
|
"sha256": "cee072c874203cd0812746b405aa3d5d28dbe4fbd2cd49ab04cf29bcbd795e3e",
|
|
"version": 1
|
|
},
|
|
"323cb487-279d-4218-bcbd-a568efe930c6": {
|
|
"rule_name": "Azure Network Watcher Deletion",
|
|
"sha256": "f96fc5c64e1a81100fda85de8bd4ff271547c059ab4c22cb8aa58f1643b32fe4",
|
|
"version": 1
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "fdb02360ced00662199045a09224c9ac6156660aef6f1bda85cf299a1113ec94",
|
|
"version": 5
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "1a000d838130068a0ecdeca43014a2ea356323058d0347944492a26b569a934a",
|
|
"version": 5
|
|
},
|
|
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
|
|
"rule_name": "AWS IAM User Addition to Group",
|
|
"sha256": "8b3fa242c860a30e14510d25a9809c34b50727a60d9903438e27ef547ba2edc0",
|
|
"version": 2
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"rule_name": "Telnet Port Activity",
|
|
"sha256": "62226b26b71cbc35a084cde046d1d5ba78a2be5e580d592549a23468aaf07f50",
|
|
"version": 4
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "1ac1f22b69204183b001f43052dc594d7e644045ab127d94e0abb985192c0d15",
|
|
"version": 5
|
|
},
|
|
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
|
|
"rule_name": "Anomalous Kernel Module Activity",
|
|
"sha256": "be9a968918ecb1de60f64c0aa026e28eda3b6abf5832ab652eb32b7ab5b28073",
|
|
"version": 1
|
|
},
|
|
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
|
|
"rule_name": "AWS Execution via System Manager",
|
|
"sha256": "34930b0fc1fe02746abb468b9a279aedb61bc646104c54c72b06307f261aa59f",
|
|
"version": 2
|
|
},
|
|
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "da9d2dfce1dde913e81976b107b7d87f4d8deacc91269bb7ceee3375153a7f37",
|
|
"version": 2
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "def0708eb6e6a00bb2f17fb1fafee41d4e11f5e4385ca2ca08447724ff623f68",
|
|
"version": 4
|
|
},
|
|
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
|
|
"rule_name": "User Added as Owner for Azure Service Principal",
|
|
"sha256": "0326cf943e8002b7250c2cac5ea432b445ec2d3392f4f0d128c7498af4cbcac6",
|
|
"version": 1
|
|
},
|
|
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
|
|
"rule_name": "AWS EC2 Network Access Control List Creation",
|
|
"sha256": "a054bdb16ea3b4206df475de2d32ad97ce6bb9a0f1ce60685fc9de355dac63a8",
|
|
"version": 2
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "1daabd68272b1075354622fb803a78db173eea976714950f2314ac51bfac266b",
|
|
"version": 4
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "5418780f11b869e1dee170ddaef24842c18adb0b1c84427261cff4400fcc5c63",
|
|
"version": 5
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"rule_name": "Malware - Prevented - Endpoint Security",
|
|
"sha256": "49bf69bac026013bdfd88dbb0ebbf5f2cf01d0bcc8dbdc00d760cc4c1ecf6daf",
|
|
"version": 4
|
|
},
|
|
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
|
|
"rule_name": "Unusual Parent Process for cmd.exe",
|
|
"sha256": "3956449a0683db5b1401aa8c3a1230cd21ebc628f1b1e700d4913b13744b0aeb",
|
|
"version": 1
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "b1d42eb05bc2bb9c5ca66aab76709e4f3aa79e9293af35f760905331f4fe3d43",
|
|
"version": 3
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "58809561efd9fbbf3137f283d5db96b1ef0c2025772e1e1c292a8565bd62c8d6",
|
|
"version": 2
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "ebd654004bde86bb1dab153f917ac139895ca478b9262553cffb12b52b040ff0",
|
|
"version": 2
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "bff9c2058c32e5568671a4de897f191a1a5fad599b2982f5f5c543d6a2dcb5df",
|
|
"version": 3
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "75ab7209924df0f0f956fd6d1a9713461cbd51ae2b6e6ce2a1ff51eef35d7a82",
|
|
"version": 4
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "051a230879f4261f63624018cf932d319e6c4484457aa525a006d0d05facf1d3",
|
|
"version": 3
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"rule_name": "Permission Theft - Prevented - Endpoint Security",
|
|
"sha256": "de91fb70ece5386bf2fe4d065f50aa219516eff015f22534b5cd1b69064fe002",
|
|
"version": 4
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "67a356c25e202bc547e362a4fda70b93bfc37f0cf070b6f9874e1a81703685c7",
|
|
"version": 5
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "a0ced469a145609a24f3d0b37087aaa6923e859472645ef59120c0cb4e1ff168",
|
|
"version": 3
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "3a8ea88b97a4902eece57b688d6777d31a512d7598c733553b513a39906b83a0",
|
|
"version": 4
|
|
},
|
|
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
|
|
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
|
|
"sha256": "73d5438ece3f10febd908003635768a86eee7e140294b352f0b18b1aa7c5a01b",
|
|
"version": 1
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "c75227fe4928fdef60b18c6a7da28c56f73773a50ced7b35cb2ea29e654e2e98",
|
|
"version": 5
|
|
},
|
|
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
|
|
"rule_name": "AWS Management Console Brute Force of Root User Identity",
|
|
"sha256": "03e5525912390c97777265582854a101c5ec36a22ce7ac831b671bba2de39f4f",
|
|
"version": 1
|
|
},
|
|
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "b96be952934c2bcbbd1ed0d16452675fb017c9d2ea63823330ef96e99a3ce70d",
|
|
"version": 1
|
|
},
|
|
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
|
|
"rule_name": "Windows Suspicious Script Object Execution",
|
|
"sha256": "cf8905f5bf0f2a7f38f283840d708231961dcc293a005f0f3469949f437c1d70",
|
|
"version": 1
|
|
},
|
|
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
|
|
"rule_name": "GCP Logging Sink Deletion",
|
|
"sha256": "53af759fc004066d5246fb1458a5ede7a6bf6ffeaf65edf7aa2a675fe33943b1",
|
|
"version": 1
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "af78d5bd0c65dfaeaebed1748d4394ef79cbd3ba10e52ccfdde2c11388622fb1",
|
|
"version": 2
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "974260b5ef9ddc2c76c33e68e87127ba7821f14955736d7c985458bd1b51a10e",
|
|
"version": 6
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "ef8e961af1c2c6c36321af0253da8a005674aa2c3a6ef52c8498d3d3af6f619d",
|
|
"version": 3
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "f1509a26320aeb35879f3ed33199d5608bc2f040ea884523217a08c5e5d74eea",
|
|
"version": 3
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "1262f7693276b5913f124eba96f84d2c81408e67dfd2bad1b96a2176f0506d62",
|
|
"version": 3
|
|
},
|
|
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
|
|
"rule_name": "Azure Diagnostic Settings Deletion",
|
|
"sha256": "a393a7c5077458d582e38d756fc330ee2fa0649195e1be10791907706aca79ae",
|
|
"version": 1
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "53f61925ba39298ed65f48eef2a47cdfacd39d5bfbb319d1d88ce18745b2836b",
|
|
"version": 4
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "51884c16fbcf771946f67df5e8c78a0ce21f3989f0689a81baf4425e23d23ce7",
|
|
"version": 5
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "517f7d2386b522bb99be156a0b7ae7a344df063050798bd89ae8c70c4c90636f",
|
|
"version": 3
|
|
},
|
|
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
|
|
"rule_name": "GCP Logging Bucket Deletion",
|
|
"sha256": "e688c4b2d004ab9ec5533ad288c2b35b0fa114b55c17ffe29cc1a4ab9f9ed917",
|
|
"version": 1
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "7d1754c5b2cbae32243e10d50d803ff077dfee6e1a871b68dff4935709c2c3fb",
|
|
"version": 5
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"rule_name": "Credential Dumping - Detected - Endpoint Security",
|
|
"sha256": "bdc750ae44da6954d429af1c78db084f915fe63db463a2e084107bd4b7725a73",
|
|
"version": 4
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "ffe5c9b71b0dd6f06a0f30f1aabfd3aa41a4970a66718b832865e08956cc2ddb",
|
|
"version": 5
|
|
},
|
|
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
|
|
"rule_name": "Zoom Meeting with no Passcode",
|
|
"sha256": "cc04c68a382fb37bd26c5adb30a32d599bb5e1338a79d4c430ce5738b6a45d78",
|
|
"version": 1
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "72dd7588ffc9dfe3a34c7a7a7b6e433f5f2246e8334f6c5f29b40f8ba16037b0",
|
|
"version": 2
|
|
},
|
|
"59756272-1998-4b8c-be14-e287035c4d10": {
|
|
"rule_name": "Unusual Linux System Owner or User Discovery Activity",
|
|
"sha256": "bcf941f7244ac82c4700aaa98b51326165d8c561e6be7ea725a0372ac568c9e6",
|
|
"version": 1
|
|
},
|
|
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
|
|
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
|
|
"sha256": "4231722b2c377f5fb4cb400e9418ad9b537ea08498dcfc356e3fa2dd8d79b86e",
|
|
"version": 1
|
|
},
|
|
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "5aedf26da80998a93c5e8ea4a6d3ca34eeb3e86d6159d22046df493a05f58733",
|
|
"version": 1
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "f8db95e26fe4f3919b26ddbfb6a048097a0a5a4de7e11b2a9486d3846da106c8",
|
|
"version": 4
|
|
},
|
|
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "25049239f8bae0bd5cf322904313fa7cb6bf41a44a2d618db6e11ec0db3e491f",
|
|
"version": 1
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "024639b28d5d5780224af7cc80d32766cf470e7edb7449a5ba3b92065286b3ed",
|
|
"version": 2
|
|
},
|
|
"5c983105-4681-46c3-9890-0c66d05e776b": {
|
|
"rule_name": "Unusual Linux Process Discovery Activity",
|
|
"sha256": "701bb83db4ee9988f602d8483da8fd2616afd8d5182f6caba81a678824382d69",
|
|
"version": 1
|
|
},
|
|
"60884af6-f553-4a6c-af13-300047455491": {
|
|
"rule_name": "Azure Command Execution on Virtual Machine",
|
|
"sha256": "81cca8969edbf9334800c41f8a58e889da9e066798155b5058ebeab1b84cdaba",
|
|
"version": 1
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "6c2a5a4587e7180d2655cab2be0dfbbe26e16399b21bc1c4d0078a603e8744fa",
|
|
"version": 5
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "47dcac670430caeec4f2a3af82d5367c6a27dfa80aacfcc662e6dbbf9f3f3cb8",
|
|
"version": 5
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "f98344eaa71e80dba1f17dca8d33128da463ead2fe8025e320ad906456896ba9",
|
|
"version": 5
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "906c854f64f56a381c73270b7974d2ea0285d8fc16e9f6c6121e54cef5d0e402",
|
|
"version": 3
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"rule_name": "Attempt to Modify Okta Policy",
|
|
"sha256": "2b13a7bfc9ab1ce4408616930ddb7ebdb98077d050de77d6d09d57f97f473692",
|
|
"version": 2
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "bdc8c0d1e3d8096b5c54d5da7e222cd6f976125b50ed8ef2d700232adc3cf4e8",
|
|
"version": 2
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "78e971361dc0678ea353fb79b86589c8b4cb26185eabe28d1159a11b30ef7e11",
|
|
"version": 5
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"rule_name": "Threat Detected by Okta ThreatInsight",
|
|
"sha256": "6b7f276c62f4f7defb228e29ead53b282c0b46c4b991a6f95eff9e2c02f28185",
|
|
"version": 2
|
|
},
|
|
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "67deb2c01f432ef5cef4abbacad33ccfe77ca28c7c03fb2bd62f3fe467a2a2ee",
|
|
"version": 1
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "61785ca726bc291dfecd41e6316d7b133caafbf334af721971cdd67355695552",
|
|
"version": 2
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "c064c881d6f1609b35df3cdafdb95320bc3ace192c7ed1de7a7ed344f176578b",
|
|
"version": 4
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "4e5b8c7586736f83e5cb879408c4821fb2c72e9276a1143e49349133b1a7c59a",
|
|
"version": 2
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "74d68f9a6e585ad26b9200232e892b1d843aa6b141c91f2abf3def1aa7344bf1",
|
|
"version": 3
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "e65df18aefdd9bf967dcd78f887216a5c8a4a12fb34d344f64a2a8ddc17edb6f",
|
|
"version": 3
|
|
},
|
|
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
|
|
"rule_name": "Process Potentially Masquerading as WerFault",
|
|
"sha256": "3f6823f24aa7d3c376af0f4b58a68210ddc1be1ce3d244454a4b2f375da0a397",
|
|
"version": 1
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "f614e11a3d1ef4e2469ee8f91993834f5eeeb7151f1a9f5fc5953c6931cb251b",
|
|
"version": 5
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "cf840e135ecaea5f8e140cf42780b329ec22d7a6623aa5899c30c8517c130a98",
|
|
"version": 5
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "14a10983bf46224ad28045be57e2d518a7cf3d43125b7e3f29e4c97cfe36146f",
|
|
"version": 2
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"rule_name": "AWS Config Service Tampering",
|
|
"sha256": "a3bdbd224ab0a123f86d4fa01299c2feb7a13d1a0419f9f9b08549447ec889c9",
|
|
"version": 2
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"rule_name": "Attempt to Reset MFA Factors for Okta User Account",
|
|
"sha256": "1b38f0fd69723da62fb95f3db4ed0bd0957ca81ca4cb4cd646595c7aa041a6fc",
|
|
"version": 2
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "41ba9fab688006b8830dcebf0b6fa3bd6d9c0795f5eff98b6146246e16669656",
|
|
"version": 4
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "fe1405fde4d6da1912b657718cc824ba375605b47642e27393d580cbde8b87e1",
|
|
"version": 3
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "ddc7ab73355be41f897b01ef0179d7f2e122f9e5e080842130db2d08cc80a7f7",
|
|
"version": 4
|
|
},
|
|
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
|
|
"rule_name": "User Added as Owner for Azure Application",
|
|
"sha256": "9d4ef1ac3a3675b6655e21474a16855134f2d5b8302e42950aae847ba537eea2",
|
|
"version": 1
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"rule_name": "Adversary Behavior - Detected - Endpoint Security",
|
|
"sha256": "60af511ccd3ed511fec254c879279d5090ca084efa9c11bc4fb01690450b7180",
|
|
"version": 4
|
|
},
|
|
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
|
|
"rule_name": "Azure Privilege Identity Management Role Modified",
|
|
"sha256": "f672108b81b8e824915fc077f2a2ff8aa2742c747520ad77422220b486168be3",
|
|
"version": 1
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "f4ac999620ed766ccfeb2fca9f79490e65d8c5de4a2372a69872c5474ca4d6b3",
|
|
"version": 2
|
|
},
|
|
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
|
|
"rule_name": "Azure Key Vault Modified",
|
|
"sha256": "80e882eea3c399356e7b5fabb453b957c42ca38493d65b1a33067a86ccb571bd",
|
|
"version": 1
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "a6d1f9bf40eb2be0f1afb3fe2823ad6b3ad5fd2e9e8d3633ba63c09a5a7553cb",
|
|
"version": 5
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"rule_name": "Deletion of Bash Command Line History",
|
|
"sha256": "48766e4b23a04a163e73db18b29e2b272e5e1705f16054608a7b3076b7756ef6",
|
|
"version": 3
|
|
},
|
|
"7ceb2216-47dd-4e64-9433-cddc99727623": {
|
|
"rule_name": "GCP Service Account Creation",
|
|
"sha256": "0211c0df546c9bbd15ae769ec10645e0ca3b4f6a11b1fbf8729f2772e30cd6e3",
|
|
"version": 1
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "a1ea165e21ebdf28f31f66bc5e139b7a76b53de45146934ace719a45b982c5d8",
|
|
"version": 5
|
|
},
|
|
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "dd9d99cd6900e72df71b70782901c1bd17d3ea2e315b5ca80d3f1b7830746ee1",
|
|
"version": 1
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "a72ac53d78c6de2093b247a25fc6d8a7bee0cd5cc96490e8046640ae77081b30",
|
|
"version": 2
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"rule_name": "Process Injection - Detected - Endpoint Security",
|
|
"sha256": "126b716fe963842ff8406842f8a101953a04e7e9f167e578094712fa6b006b00",
|
|
"version": 4
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "53857055ca08f9fae8e76f245b875d0c1052aa68192b6eee82e5dddf24d645e8",
|
|
"version": 5
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "547d0b2193b1da1702c595df23682395b5b62a857822c677492ae96fb3ae804a",
|
|
"version": 2
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "405b47638ac6da7ea5fac975810240eb8e1af8a1f5c631161352f451fe52ba0d",
|
|
"version": 2
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "ba519701d197c99dbc5bd062369a427279fda93cbcfc55a50683926dffe4636c",
|
|
"version": 5
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "071525e0da043ae11036fb3009483b2ca19b758831b9b1d35125135bdf020e13",
|
|
"version": 5
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"rule_name": "Setuid Bit Set via chmod",
|
|
"sha256": "9b88b5a2161f5262ef6c91e1ac017ab60d7ab48f57dd4ef41e4196a16685a816",
|
|
"version": 4
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "829a3fc3b44b53556ab245cbd18dbe204f407c5e4f1eed4117ef6ce9a636efcc",
|
|
"version": 5
|
|
},
|
|
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "eeeb6d9b82313d638b9e2021ef811b3b6bdb38acaa9e993db7216855b8427f33",
|
|
"version": 1
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"rule_name": "Ransomware - Detected - Endpoint Security",
|
|
"sha256": "afa86e4d621fd2e511406e86b4ae9c07348c4471320a9ef65b26e0643c34e133",
|
|
"version": 4
|
|
},
|
|
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
|
|
"rule_name": "Azure Automation Runbook Deleted",
|
|
"sha256": "7bbf8b21cbb86e24daf5c066d567a3deb5f0f417279379918c1e6b5d176baf2d",
|
|
"version": 1
|
|
},
|
|
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
|
|
"rule_name": "GCP Service Account Deletion",
|
|
"sha256": "d54dda99fd202de02e562c0a2e1e1d6c7db983129a86877ccc1052b4284b9e90",
|
|
"version": 1
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "5a2e01d58289f281749c117a835f976958732477825b70a6bcfc4752d0327947",
|
|
"version": 5
|
|
},
|
|
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
|
"rule_name": "AWS RDS Cluster Deletion",
|
|
"sha256": "b865dc32c295ea3c9dccef5ef053e0ded05c053a48161df2289a70560744c888",
|
|
"version": 2
|
|
},
|
|
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
|
|
"rule_name": "GCP Virtual Private Cloud Route Creation",
|
|
"sha256": "616985d34abde83a443deb7035258ff363c05fb77083ea2103a0083651cd4d37",
|
|
"version": 1
|
|
},
|
|
"91d04cd4-47a9-4334-ab14-084abe274d49": {
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "14e441e365c89e773c4835b1891c9b6202d58f8caf21bb3133550241f6df8bfb",
|
|
"version": 2
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "b288acb521629bc9ebf5f0510ac30a1d10543df3c2ccb568fa213bc2a4b34599",
|
|
"version": 3
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "679984488067c3386d68012ce558514f534f412c64560d6f5251ddb5c199e28d",
|
|
"version": 3
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "a79e4b9ab06f30eea5e33bfd2d9882e77234155f80f10aaeb6339bb4723fcd4e",
|
|
"version": 3
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "f2a7fe82ef52f06900c135f2934ddbd89006d53d2699dddf5a02beab14ce5be8",
|
|
"version": 4
|
|
},
|
|
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
|
|
"rule_name": "AWS EC2 Flow Log Deletion",
|
|
"sha256": "029aa0e079e53acf76b87ad126e31b843845e3d60f9484327896ee0600fc0f73",
|
|
"version": 2
|
|
},
|
|
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "747be70c824774e29416044ec3f4474020851953ed98ecd89fba129cb9012a8f",
|
|
"version": 2
|
|
},
|
|
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
|
|
"rule_name": "Compression of Keychain Credentials Directories",
|
|
"sha256": "4635d2ec8707ebc29552340a5362c0649406c13a1052e578fe2e485e41c1ac57",
|
|
"version": 1
|
|
},
|
|
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
|
|
"rule_name": "GCP Storage Bucket Configuration Modification",
|
|
"sha256": "6e56f98fe82ce7e51249f69484813f6218f8d7554338267d030e45f72dad4810",
|
|
"version": 1
|
|
},
|
|
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "6fd98d23d27ed4a588b57c8b47ef8a5dca7229a3f126fcced7123dc90abf1eb1",
|
|
"version": 1
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "ac2f2cd86ce416677f80f22d50079b1843e0b9f345192c361c9d004542a93af8",
|
|
"version": 4
|
|
},
|
|
"9890ee61-d061-403d-9bf6-64934c51f638": {
|
|
"rule_name": "GCP IAM Service Account Key Deletion",
|
|
"sha256": "6c242802a4d3630f2a6f598cf340080e1e3541f6f114c036720e381b864eaa98",
|
|
"version": 1
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"rule_name": "AWS EC2 Snapshot Activity",
|
|
"sha256": "46d7ef0fca1d0206d9e1f7dcbe6902da46b4fef1296afa88ccff23682179ced2",
|
|
"version": 2
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"rule_name": "Process Injection - Prevented - Endpoint Security",
|
|
"sha256": "92c674029d3c058f18ec3fafbf91a3c2443023a6a18db9c3118cbf6d4138388d",
|
|
"version": 4
|
|
},
|
|
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
|
|
"rule_name": "Endpoint Security",
|
|
"sha256": "8ec7416fc13c3cdde052cb4ffa8d26b6b2ac42862a6aa8422c5b703e87918188",
|
|
"version": 2
|
|
},
|
|
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "b7a0d05c84c565ad1d095d6068c57dc1b5b01f0298957a919da1980bc510f047",
|
|
"version": 1
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "b31831af6fec604a5aab2a0ed62e7b08a9e157c41d056b0e386bde1b9ed2ee21",
|
|
"version": 4
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "dffc77708e3d6fba2b5e28d6c89f30e8df0ecbc1b5641a7b015e72149d2f78b3",
|
|
"version": 4
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "12f4e3265e07c977ee3305177f1f12be5621a262e3568d9f72e57b9e38014197",
|
|
"version": 4
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "10abec4736c39269af08446d3c15a49a3dbc44eb4d3ce29f90d09e419376bba4",
|
|
"version": 4
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
|
|
"sha256": "621159d55407ee87e4aff6a835dffa6b8c1e06b524dadf20ae257683aaf54f37",
|
|
"version": 4
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "4c00763e30cada84029f4a421f33e471cebc7a78a27437742459de1a5d4205ea",
|
|
"version": 4
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "a6dc309477c0ec0cf00a523e874e327fd4a21d5562cb15eba27a8d5f9c6eb0b3",
|
|
"version": 3
|
|
},
|
|
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
|
|
"rule_name": "Unusual Linux Process Calling the Metadata Service",
|
|
"sha256": "004f6cedd68f8a3e36c0e678f27bcd2047fadc049f48bc4fb8a4a7367e7b9211",
|
|
"version": 1
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "bfc1a7d919075aade4e3501d0f773b7f2a87c57685ff8c0f274752a4889db677",
|
|
"version": 4
|
|
},
|
|
"a00681e3-9ed6-447c-ab2c-be648821c622": {
|
|
"rule_name": "AWS Access Secret in Secrets Manager",
|
|
"sha256": "005bfadacd622ab3ec08b2c046255d82d5831a7ee4f00bbaccf4ddbfc3ac8686",
|
|
"version": 2
|
|
},
|
|
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
|
|
"rule_name": "GCP Pub/Sub Topic Creation",
|
|
"sha256": "a1d56fb9474be1a4b1b5dcb5eedccb7c89f31ee815d775fa9838c28d7e0f60a7",
|
|
"version": 1
|
|
},
|
|
"a13167f1-eec2-4015-9631-1fee60406dcf": {
|
|
"rule_name": "InstallUtil Process Making Network Connections",
|
|
"sha256": "16920ecbba408db6fa4105b8ea1dd3ab4730d1b62c8000347ddf221be4df5c13",
|
|
"version": 1
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "74e38c3265c880ffbb6f193e8c740f1144400811d45b68e751c1b4fca01a8225",
|
|
"version": 4
|
|
},
|
|
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
|
|
"rule_name": "GCP Virtual Private Cloud Route Deletion",
|
|
"sha256": "8476d6b084c94e7d7b253063528aa0db568d7e00342501448f0c37f6d9307416",
|
|
"version": 1
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
|
|
"version": 4
|
|
},
|
|
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "74c51426db3c534d8d7db0d289ab13c3af4c88760dc8e8ff366a455e39657c4e",
|
|
"version": 2
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "7e63195829965edbc6c27d91816412cda8d314bd04e4d5c2730d7a2e6f67d3ae",
|
|
"version": 5
|
|
},
|
|
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
|
|
"rule_name": "Suspicious PrintSpooler SPL File Created",
|
|
"sha256": "ce67fcf560f3bc44bc8afac138a1d05d7529ee9f898e1da8188ac53c7762eb5c",
|
|
"version": 1
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "d57715db20b15cedb42eaccb50d1eb05db2c5d2bbd52cea6aefd5d196d110e78",
|
|
"version": 4
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "e5fd7c525f5724e259ab3727cb7f0d081648fb98ff3e8e641f8a92bf69b74f3b",
|
|
"version": 4
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "bb9cfa0970a07d45ee0ad4b679f13098b0ea7ad00b0ad1c5fee7bc5b5aed3f19",
|
|
"version": 4
|
|
},
|
|
"aa8007f0-d1df-49ef-8520-407857594827": {
|
|
"rule_name": "GCP IAM Custom Role Creation",
|
|
"sha256": "07b49066452b995e690709a179733747cee194b8b7744a2bf25441099069f1da",
|
|
"version": 1
|
|
},
|
|
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
|
|
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
|
"sha256": "8e0b773de6395741187c17f254d0d3e6d9c33c2a8dc34067c5dd9689bd1d35f0",
|
|
"version": 1
|
|
},
|
|
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "b5058fc79430c9177df520158472c624379fa06004e37d670f63fa3659795281",
|
|
"version": 1
|
|
},
|
|
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "61030c4ed5783a5267a042417e8d7604e0b04eb36a6da6aaa8a630c10fcb0977",
|
|
"version": 2
|
|
},
|
|
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "7d10ab696ba07deb10e38ef1fe5092ea27e5333c5929d80a86e5e04f1ccdc253",
|
|
"version": 1
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "7e5ade67ad526efd2c4b9b0c7c2d3ccd21e69ea1c97313253e10657587a46204",
|
|
"version": 5
|
|
},
|
|
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
|
|
"rule_name": "Kerberos Cached Credentials Dumping",
|
|
"sha256": "150fe84b822037d5654a5468dc2e3057fb1df90a7822cb632b53737cdd709bac",
|
|
"version": 1
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"rule_name": "Netcat Network Activity",
|
|
"sha256": "484787194ac835658ef3dc707a026b3a0f7c7fadb2fb57b29b8a156e7d213709",
|
|
"version": 5
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"rule_name": "Local Scheduled Task Commands",
|
|
"sha256": "287b40cfe49eb44710e1ea328cd189b3aa07e74c0ec3112d14be0363a4885d34",
|
|
"version": 5
|
|
},
|
|
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "f7ae1ed53d8f7949ac4eb5ddf819effa6b55f9cb859a0c66d13816ade0e2c6c2",
|
|
"version": 1
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "cd21f3a8ea8c40effa4b5e949339ff2887003ed5c7ea1731fc221e50e4d5d701",
|
|
"version": 5
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "44159cc2fe3ba1252b583e05834febc367f266e66f6cefb6dc5302eab620305f",
|
|
"version": 3
|
|
},
|
|
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "6c3d9fc5c0ea867f143ea48b8c802a43127c7c62b03e68270649f926fd10636f",
|
|
"version": 1
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"rule_name": "Attempt to Delete Okta Policy",
|
|
"sha256": "a44cc68d90849cfa6af1ebd8244a7e54b69c5296587d66e3e5b03e0dfed09eb7",
|
|
"version": 2
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"rule_name": "Volume Shadow Copy Deletion via VssAdmin",
|
|
"sha256": "13033cd627f0f9a86831dbf953919807a482349281a90cf5b5df94ce701154ff",
|
|
"version": 5
|
|
},
|
|
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
|
|
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
|
|
"sha256": "1a8437015412d5d957d9fc92ddd8babf4e65740b4062cb5c940d92bfc5902d9e",
|
|
"version": 1
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"rule_name": "Attempt to Deactivate Okta Policy",
|
|
"sha256": "53069a8b375432e7c5d72033d80f0cab138541ee5585a61bc6948320005fe9b0",
|
|
"version": 2
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"rule_name": "Administrator Privileges Assigned to Okta Group",
|
|
"sha256": "80b17cdd3d0857c866078aad9ae531e4b28269e32ccc3017a54b5e4265afa7bc",
|
|
"version": 2
|
|
},
|
|
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "86b511b0e0e45c157554e4e78f463045e0fc173a404a91a26e9a0a0478d2e8fd",
|
|
"version": 1
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "4086798c5555549c5ea0ffa2ca47aa6a9b0b147bced719401be931ba0fafdfbe",
|
|
"version": 4
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"rule_name": "Creation of Hidden Files and Directories",
|
|
"sha256": "cdf9e3986bd64fcb42a8dab1fb1efe2cfa4c9f21d61d9040d6f5c029fb9ffd57",
|
|
"version": 3
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "183bc920de288c25759da14909826873e441d5f97faf2b64f82ba501db10e2c8",
|
|
"version": 3
|
|
},
|
|
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
|
|
"rule_name": "Azure Resource Group Deletion",
|
|
"sha256": "5c4ce8168ef1ecd41e25e9150be58267cff6315720ef7eeba94414c450e25323",
|
|
"version": 1
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "177a92a76ad4d22d3a48e3f0d06ce47142fecd86a01c55692f7fbdcde0eee5e9",
|
|
"version": 2
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "a7b243d3231e094d3ce39bdb56d32efce553195158969d781a8f1f899b8996c0",
|
|
"version": 2
|
|
},
|
|
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
|
|
"rule_name": "GCP Storage Bucket Deletion",
|
|
"sha256": "bc4d7228992da82b9454e2415c12a20b8283df6d43ae9190e9c373fe4fb2ef9a",
|
|
"version": 1
|
|
},
|
|
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
|
|
"rule_name": "Azure Conditional Access Policy Modified",
|
|
"sha256": "4abc25fb7a3101834bd455c11c5e0ab9e231d504a43955c92c7ce53cddd0407e",
|
|
"version": 1
|
|
},
|
|
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
|
|
"rule_name": "GCP Service Account Disabled",
|
|
"sha256": "3e1c796dbbc11484030ecded8be8ef72d3d25e58ea8ff6ca9526241dad35ebbc",
|
|
"version": 1
|
|
},
|
|
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "8e94f612969a8dfe1fbb12cce0e38dfbbd077c1ff4dec40842cd316427718206",
|
|
"version": 1
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"rule_name": "Credential Manipulation - Detected - Endpoint Security",
|
|
"sha256": "3e27a7e7fda1be83a083f51ec320e2c49e41a3048660137a7d551e30b8c997c3",
|
|
"version": 4
|
|
},
|
|
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "240d341265966cf1b1bb947936f662d93b4c747adfa34cba0b95dfc644470b5b",
|
|
"version": 1
|
|
},
|
|
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
|
|
"rule_name": "Unusual Linux Network Connection Discovery",
|
|
"sha256": "505c5b266419774eaf329af4f0f25e9009c93211214858e730bb637bb665f62c",
|
|
"version": 1
|
|
},
|
|
"c2d90150-0133-451c-a783-533e736c12d7": {
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "5db66dcfe74799e54b2b5ef01951e0574a72e5e498832e73d9657c1d6159f551",
|
|
"version": 1
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"rule_name": "Permission Theft - Detected - Endpoint Security",
|
|
"sha256": "7b185258dbbaa2a9837362d5bb5f7551cfdf689ccbd0119140c1155c581dd80c",
|
|
"version": 4
|
|
},
|
|
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
|
|
"rule_name": "GCP Virtual Private Cloud Network Deletion",
|
|
"sha256": "10a715c19fe5fd4d26ba651a6e8abf09bdd47ff6548b5ec3a19f7a7348cd2d67",
|
|
"version": 1
|
|
},
|
|
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "258662654d35047e6c083c504add264471ace501d23b2de2dec064787da2a0bf",
|
|
"version": 1
|
|
},
|
|
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "0d9f7b4502249bb186a8309f01658c0c5fb4544e4932c09d53a2848f031388fc",
|
|
"version": 4
|
|
},
|
|
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "ffe88afafce90b7655cde9e0e2ac48606946447ad2651aff3dea586ec8101fc5",
|
|
"version": 1
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"sha256": "7d84660c7417ccc8a28c5eb0eadf50067ceac388e16a69cbc3c6b32391cc7f78",
|
|
"version": 5
|
|
},
|
|
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "fc9734ad191d97c69d6c2982b68741128c34feb931ba5711914698fad796064e",
|
|
"version": 1
|
|
},
|
|
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "3ce14cabaf3406faaeae1ca507b7d6613a96fa5f1c773192cd7280d7849549fb",
|
|
"version": 5
|
|
},
|
|
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
|
|
"rule_name": "Direct Outbound SMB Connection",
|
|
"sha256": "68c9f903236999653c3561153b05cb3569b2144445be4451d4c02630559d1b57",
|
|
"version": 5
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"rule_name": "Nmap Process Activity",
|
|
"sha256": "fb96a84ff04f02abc39a7b57704e5f2c4b027fb9b15d6561bd5d367e40abcfc1",
|
|
"version": 5
|
|
},
|
|
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
|
|
"rule_name": "Credential Manipulation - Prevented - Endpoint Security",
|
|
"sha256": "0734e9a063c5bbf35c5b4b73c95544f1399e648c12d6396698015de1d5d392ef",
|
|
"version": 4
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"sha256": "9e2137223c6aa526dcc784ee7d6e74f1cb75d4aa50547430cbadaa6b617510a8",
|
|
"version": 4
|
|
},
|
|
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
|
|
"rule_name": "GCP Pub/Sub Subscription Deletion",
|
|
"sha256": "49ed4db4edcbc1e642a8bf3a2b41c9ef8f073ba8df6d65fa5810b367098a1a3a",
|
|
"version": 1
|
|
},
|
|
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
|
|
"rule_name": "Attempt to Deactivate Okta MFA Rule",
|
|
"sha256": "c9cd5d3b47f49d301599e07cecd5e6fa9c99406d7a72031b24e539a0fcbda0c9",
|
|
"version": 2
|
|
},
|
|
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "14b665fd8a4f4cf8354d1de879b354b6d364109df39bbbc9d6e7d72dbaca39c7",
|
|
"version": 2
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"rule_name": "Socat Process Activity",
|
|
"sha256": "e557e70f6716c1dc338e0cd930933f8a52bdf4b04a40400f8f5b3f02e7cda8ff",
|
|
"version": 5
|
|
},
|
|
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
|
|
"rule_name": "Anomalous Linux Compiler Activity",
|
|
"sha256": "1ccdd79a3d8c423d8fe97857e1ce97a9ecd7e846405f4572bcc911a90b720f2d",
|
|
"version": 1
|
|
},
|
|
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "bc00e1a16cb3ae247f1542e591c009d5178d4f317727286cdba81d9dcbfc0649",
|
|
"version": 4
|
|
},
|
|
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
|
|
"rule_name": "Attempt to Deactivate MFA for Okta User Account",
|
|
"sha256": "28934ffa02c0820ed6bd025db0696bdfd6861f462c563119938ae998c2c9910b",
|
|
"version": 2
|
|
},
|
|
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
|
|
"rule_name": "Cobalt Strike Command and Control Beacon",
|
|
"sha256": "174dd9bcdb9c581abc57c1e303c30f9ff0beadea51ed0ac2b3b753db1e9c354d",
|
|
"version": 1
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"sha256": "ab53f0fb3955a51235b78f098a4a2cbccfa4dfaa7921e0aeb304d67433739ac6",
|
|
"version": 4
|
|
},
|
|
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "2b039bc6c610f5ccf1189f27592fde0d4574d769a80621ab0b8e971478a05124",
|
|
"version": 5
|
|
},
|
|
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "ee161dc933e878f4bc4cf1268c27f492ba323af6f082fe0b89d7385c31ef1b4e",
|
|
"version": 4
|
|
},
|
|
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
|
|
"rule_name": "Unusual Linux System Information Discovery Activity",
|
|
"sha256": "e0e46e6ee2027def12fd17f22fae998afd8c4a85057349c80869c06bf44b3f01",
|
|
"version": 1
|
|
},
|
|
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "1a08981a11ed6445bb228a70a38e170a437e4e923b81572aefe85c02df7224e6",
|
|
"version": 1
|
|
},
|
|
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
|
|
"rule_name": "AWS CloudWatch Log Stream Deletion",
|
|
"sha256": "8696f975bcbe6973c5856d38f114bde75ded99c10d889c579f32bd5150e42161",
|
|
"version": 2
|
|
},
|
|
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
|
|
"rule_name": "GCP Pub/Sub Subscription Creation",
|
|
"sha256": "45924655d7ef740d37376aa63dfef35fc64a04924c56bf0e0aa514f52db93abb",
|
|
"version": 1
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"rule_name": "Strace Process Activity",
|
|
"sha256": "4143ebb3f6acf4091baf1b4af57cb236a938afaf130755b0a1f17a713366f3a0",
|
|
"version": 5
|
|
},
|
|
"d76b02ef-fc95-4001-9297-01cb7412232f": {
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "d389ff3e1f93109a4c4170ebd5c88df59d01b3304914f0be3795f5cba7270cf4",
|
|
"version": 4
|
|
},
|
|
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "2d42506561edf6963bc17fd31f3680aa77e200d75f67f9d3a8aa8ae458ba7600",
|
|
"version": 4
|
|
},
|
|
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
|
|
"rule_name": "AWS IAM Deactivation of MFA Device",
|
|
"sha256": "0268da56689bf5a65ab32d4a84f3706e78215a9837ef53daecba06451f0a80c2",
|
|
"version": 2
|
|
},
|
|
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
|
|
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
|
|
"sha256": "dace321a6a479114af3807d72924a01831c93705b800972c2482d93f0dddd4d6",
|
|
"version": 1
|
|
},
|
|
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
|
|
"rule_name": "Credential Dumping - Prevented - Endpoint Security",
|
|
"sha256": "ce8fd451c2c3bc3c5f9b35f212dc0b75348bb07d1c1c4c1559e575150874345f",
|
|
"version": 4
|
|
},
|
|
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "b975e339b0dfb9d77b35622952dc6da6588e472a33f529baa051ca526f1b73ec",
|
|
"version": 5
|
|
},
|
|
"dca28dee-c999-400f-b640-50a081cc0fd1": {
|
|
"rule_name": "Unusual Country For an AWS Command",
|
|
"sha256": "707a6d1770899a0eabedae7ba5976fcb00ea9abe77e0d9a7e712f66110d29f0a",
|
|
"version": 2
|
|
},
|
|
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "a2ab00848a53f5472cc4a8e84345f2f5aa31743276cd0d7946a84c8831e0f3fe",
|
|
"version": 1
|
|
},
|
|
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "9a4a3364bcc6397bf35b650ba5341d1ccae86604f16813fc76b8792779f9e16d",
|
|
"version": 4
|
|
},
|
|
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "12354ef075f45d594f81cd132ed6cd134dcd58e0e4181f55e2ca8fbab4ea1ca6",
|
|
"version": 1
|
|
},
|
|
"df26fd74-1baa-4479-b42e-48da84642330": {
|
|
"rule_name": "Azure Automation Account Created",
|
|
"sha256": "f02dcad1d04b48858033cb12ed31bb32ef5a7b48ed1467d82e03ab5f0efef2d9",
|
|
"version": 1
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"sha256": "341cfdb6003ebe2e04d21cabf87e4b10d70a4e08cb13c761d0a908c5a32b5b23",
|
|
"version": 5
|
|
},
|
|
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
|
|
"rule_name": "Azure Firewall Policy Deletion",
|
|
"sha256": "406badade8dd1184dd48186e96b38c76aa21245fc91268f2cda174e8788709fe",
|
|
"version": 1
|
|
},
|
|
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "17253919b65d1ef71316f0a812c5f7e24cbbc8489d75244e2429fe1918a9442b",
|
|
"version": 1
|
|
},
|
|
"e0f36de1-0342-453d-95a9-a068b257b053": {
|
|
"rule_name": "Azure Event Hub Deletion",
|
|
"sha256": "1d631ac365a05f89623406f4a4dc74e11f26b8084bc01302085b900d043c1477",
|
|
"version": 1
|
|
},
|
|
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
|
|
"rule_name": "AWS RDS Cluster Creation",
|
|
"sha256": "3da5f35878e9e1f8d37bbe7fa365fbb0cdf39f615915d19ba5ba4b9c8c3fa46a",
|
|
"version": 2
|
|
},
|
|
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "a41f7d4da002a598a64a0c86a8a640bcc3fb38df115244ce462b8350efa17a50",
|
|
"version": 4
|
|
},
|
|
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
|
|
"rule_name": "AWS Management Console Root Login",
|
|
"sha256": "b29e2c5481bbf0bcbdca584b0f8cbfb2ef66865b4adeb807ab67ccaf1081c59d",
|
|
"version": 2
|
|
},
|
|
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "82c439d8b54fae7e4fea8b606896cb11f28fe99b8567f757aa85c776ee348d0a",
|
|
"version": 1
|
|
},
|
|
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
|
|
"rule_name": "GCP IAM Role Deletion",
|
|
"sha256": "9e3d27e0979f5342e8fd16097e39577266b7e425b09a1640cb559a5d238aa444",
|
|
"version": 1
|
|
},
|
|
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "e2b5456b05bd48c5e103306f8683918caa50739d7e140cb8ea02664e6df2bb7b",
|
|
"version": 4
|
|
},
|
|
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
|
|
"rule_name": "Ransomware - Prevented - Endpoint Security",
|
|
"sha256": "911ba16663efb30078217f771edbd6e7356f869662483fac274b09c8097580cb",
|
|
"version": 4
|
|
},
|
|
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
|
|
"rule_name": "Attempt to Modify Okta Network Zone",
|
|
"sha256": "a7aefb6f311e2522c037c7cf7c985d875cf4cf1548763da17472712c607884ce",
|
|
"version": 2
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"sha256": "a7285a40c6acdf3fd34f575e29f96bba2f2fe94ebd6f11ef3b8af5a3965af56a",
|
|
"version": 5
|
|
},
|
|
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "37f82e770ba51b533046e23fa84bb66667d31bb09c703f8869edd03e006369b0",
|
|
"version": 2
|
|
},
|
|
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
|
|
"rule_name": "Local Service Commands",
|
|
"sha256": "9c4d15ad510c947f7d97a9a2b22bd390529dba0e7714cc8cabb135d40e857137",
|
|
"version": 5
|
|
},
|
|
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "1541f7574778de40ca750a65d4e563fb9acbeaa55b8cacb1bd355a7aff51a729",
|
|
"version": 1
|
|
},
|
|
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "855808686438b26aeb52986cff8a6a02a30473977e41eda0c0b96d63e50f1817",
|
|
"version": 1
|
|
},
|
|
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
|
|
"rule_name": "Azure Automation Webhook Created",
|
|
"sha256": "2b52c2364068b5a8c6b19a9c5fc0f0d6bb6f157a8bae48c547b7e131bf868eab",
|
|
"version": 1
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"sha256": "45d7084cf74d2d321d14df44af4f40e44a2b18f17015d8724371441352cebeec",
|
|
"version": 5
|
|
},
|
|
"ea248a02-bc47-4043-8e94-2885b19b2636": {
|
|
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
|
"sha256": "8e0be7cb15dcca220017e99ae2a6ae37f45b6c62427db572043644d06693d155",
|
|
"version": 2
|
|
},
|
|
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
|
|
"rule_name": "External Alerts",
|
|
"sha256": "b7c6a3082304fb21fe016ceb17e61d5d0f74e9e8661feddd949c4ef71c9c3496",
|
|
"version": 2
|
|
},
|
|
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "83f8a5d1e38bd23f0ca7fc5a0d2c4a6ee93195c78004f73daa6b0b22eafe3d46",
|
|
"version": 4
|
|
},
|
|
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "967c2fa6de7e2a7c90d5a306d148d17e9f25f1b6b4b5b4fac0972ba4d42081c3",
|
|
"version": 1
|
|
},
|
|
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "1f190c70c5953421832c74b65afb7fac78f77f0205fd39d9b2323b6f635ee4ec",
|
|
"version": 1
|
|
},
|
|
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
|
|
"rule_name": "AWS RDS Instance/Cluster Stoppage",
|
|
"sha256": "f682272222a2a01580ad22f12647a2105b955a02c8fc18095e6ee5694bb565f2",
|
|
"version": 2
|
|
},
|
|
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
|
|
"rule_name": "Azure Global Administrator Role Addition to PIM User",
|
|
"sha256": "5d256600e1d7cae134431e91b56330dfc175bb638047f6994e9a2a296a0c592f",
|
|
"version": 1
|
|
},
|
|
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "5a7315dc64415bddab86cebfb4025059e77e5b0c8521d2c5acf629f979fd1722",
|
|
"version": 4
|
|
},
|
|
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
|
|
"rule_name": "Unusual Child Processes of RunDLL32",
|
|
"sha256": "09614be604abb772733cf72e02be4c2926ce154181cf6bb3d25e32dedc17784f",
|
|
"version": 1
|
|
},
|
|
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
|
|
"rule_name": "Windows Script Executing PowerShell",
"sha256": "352b1601545802f131cdff065cc49e504bd34ca66903f88b0a3ecd4bcb5ccf09",
"version": 5
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "4682267a5b43063a5a764c11c5002c05ac6283319af305dbde776d34bdaa9b3c",
"version": 5
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "76ebd3d15a1f7f0586b19997e4117dc0199bdbb9a23885c0ca99d9f44b4184ca",
"version": 2
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"rule_name": "Unusual Linux System Network Configuration Discovery",
"sha256": "7afb429644c3e194451bd0341400e1bd62aa315f1d7477235795f0d8e060f8a7",
"version": 1
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "1a2eca78ad1369e31b9c8c61029566eece6fb2f13d3d75f8f45087ae7a4b8749",
"version": 2
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Registration Utility",
"sha256": "e993f004f3c37a3c8bd34af6ce6f927acbb4cfddcee952c82bc4fbcff4fcba19",
"version": 5
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "0fa99bdfc5a8d35e87e189818ea2c5e5c00eb86d1d38da97825b1f764b1a7ba4",
"version": 2
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "1257e25246ddbca87151ebd7946fe48d40922d8e2b19335cea1c52051a501c00",
"version": 4
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Encoding or Decoding Files via CertUtil",
"sha256": "2742600aa65e49b28e702e92d0a235b62ca28b3e2aedd57cb91f4cceacab2f9a",
"version": 5
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "dca024c5e3835fc08837e0e2723ea60adcb7f3c2ff30d73a9d71e1eae670dd2a",
"version": 5
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "59caa4af066b68c6503c20b45f672828cff2cb84ef46d6c465d021eea1461c87",
"version": 1
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "4a1ccf74830785ac2e0b35a7a6a82f8e02b28dd99991a2c7fb0ed14ba21874b7",
"version": 1
}
}