Ross Wolf
727 lines
29 KiB
JSON
727 lines
29 KiB
JSON
{
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "39089b35d9aa4d3d8b9e595e74dc11548e4a0609e120ed58fc38941baca8cd5e",
|
|
"version": 2
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"rule_name": "Potential DNS Tunneling via Iodine",
|
|
"sha256": "b4ffc6e7d9017294f8d07909cee42f866d5764b1d8bd5d9ae018f7e2a15e600e",
|
|
"version": 2
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "f57a4c89c80964ccf26e8d78aca95f82e70958925cafa412a32399af9d7a2b20",
|
|
"version": 1
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "a07971ec80d45ced9da4aea88a0601b6a8f041afb86d39b627cfd420cd97227f",
|
|
"version": 2
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "0b1f0b1e073fe5119cc1b5c24a1c29d1e5fff4006cde69aa3dffae2e7cdd7fb8",
|
|
"version": 3
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"rule_name": "Malware - Detected - Elastic Endpoint",
|
|
"sha256": "60247a5e9bfd70eb9e86f0ce55895501cc14cb659a2c73f3c2a93b38cb6c4f52",
|
|
"version": 2
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "fb14a53c48d6663ac266c0636b3364f4f8c9ed9fff10e7e6ff37267406e43dde",
|
|
"version": 1
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "368b19e0dafeefeaa308320ca31b368f4b1ebcd55e3b73a4844f0523d34c365e",
|
|
"version": 2
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "cfa69218bdfdfdf32807bf699d622df0b11fba0dae582842fd5a410d15168864",
|
|
"version": 2
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "99a17ac0cd39f66214f8ec357b8287019dcce014b088380af6369a3823ff0a72",
|
|
"version": 2
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "516a989374daf3dff00c50cf25c5752bc6529f4654dfaeac14d468918a27a99b",
|
|
"version": 2
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "e44bf0572d1c16dc6c3afb5fd7099af64775de2e2bc02f5657de1ad9835a7302",
|
|
"version": 1
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "165e687f11971e3a90f512eae1f7cd66b809dbf41574e310042102cb893ce160",
|
|
"version": 3
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "54bcc73de76c78b3bd35e493bd4ac3d7758ea5c691f7d5503f36163a438a005f",
|
|
"version": 3
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "fc01b465045b17167db21385546bc1c3c6c6d00e2dcc077703ef41b87536c95b",
|
|
"version": 1
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "7fb46c159b57cf544b91a13e6e7632acb6001dd7fda33e1de92e1529e530aa72",
|
|
"version": 1
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "d688f99e0bb99ac74c6bde09e1e90726eee185b92fb0a119e163bd31f45905d7",
|
|
"version": 1
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "afdfda57d393812c5bac293dac5069a851209e7bb83fb528af21394881d2ba66",
|
|
"version": 1
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "cb9c569b6a9375c526c32bea068c3d8609f88fedab3fce24b89baf05c756d084",
|
|
"version": 1
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "71a7ab62d3d11c3dabd0eaa0ebcb656f5926e07601d6e35e4ccf73bccf4a5308",
|
|
"version": 1
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "bd894910fcaa18d7682c39203ab04b8efbf6bd36df137014b50a9cd6b2a8fe54",
|
|
"version": 2
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "be1434347fc362c5e025579b0fd1b7776d003c084fd58be2b916c6bce97d8d20",
|
|
"version": 1
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"rule_name": "Exploit - Detected - Elastic Endpoint",
|
|
"sha256": "7d7e9fdb6626ccb0dbb1fc1f1485b23901223f3af87c173a49372233037c6876",
|
|
"version": 2
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "124c52f61e77e57f3a90a5b533e814d477e78eb64a8bd951a5c67696a4e92155",
|
|
"version": 3
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"rule_name": "Net command via SYSTEM account",
|
|
"sha256": "eb00b6196dac7a17f5797b814c4a61737a00f4cbcfbe36f4068de27ba5c6d40b",
|
|
"version": 1
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"rule_name": "Exploit - Prevented - Elastic Endpoint",
|
|
"sha256": "d010930d010bb22e3d5090f8fdef2fa9ec625d6d8f5d19614a06a9cbc1ab7869",
|
|
"version": 2
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "d75866b9396e39d5b24a7075ad3da22bb731415543ba986f92f12bcaae41fc51",
|
|
"version": 2
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "ffbc06dd83e7a71513185c0793862b5a3535aab407969318726ecc8198a48827",
|
|
"version": 1
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "bbe27e711309f490218ea0cd982daa31562a888f92899334d667bd08c1884dae",
|
|
"version": 1
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "f37d188cbd09fa5e1c1203d77f22f30ae87f5a8874e420a9b911a29bbde0f32a",
|
|
"version": 1
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "442c2027c43d3542f008452f789257629c30b9b0bf46fdf4bf60a7ef9383d9b7",
|
|
"version": 3
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "ea60210c4757f8b73e87ea7d3b3c96fda5eb51f7b6e0011393bd3ef48a282238",
|
|
"version": 2
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"rule_name": "Telnet Port Activity",
|
|
"sha256": "561e4cc5f9ac4bd683de676c3ddc7b3cea3c9245b4b3d024976750052b7c9539",
|
|
"version": 2
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "26da1776418ca4f784295a501983859639d0edca40f266fceb98f18d5e5ae873",
|
|
"version": 2
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "61c10e5bfbf59f40256d91f5aed9bb63b95ddf1f3aa5e8fabb5a66e2ee4b11dc",
|
|
"version": 1
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "ace4e4dd54e8193f6f9864c3202907d0026d32ccef3ef0e07f48cc030cbf86c5",
|
|
"version": 1
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "0d2a9bb546e3d7efa14722afdb1a0d9465a6523dc186298a4ea53acae919b4d5",
|
|
"version": 3
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"rule_name": "Malware - Prevented - Elastic Endpoint",
|
|
"sha256": "9cb592e8da5f94d4c3676f09b065f521b2d30c2e9301a98517e756f7b2cbfbf8",
|
|
"version": 2
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "e8c3cb8f40b5f6ef0975a62443f9504c84842f669c26b91657506c5286c8ebd4",
|
|
"version": 1
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "1b7e41fe98f0e26118b8628a1325a59002b48b787d93ab96a2d158ecd004e368",
|
|
"version": 1
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "dd2f91dbccd0af4d0a576013c193844643e84a54aa6373fbce114dc1dfb25dc3",
|
|
"version": 2
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "c40b729895a99fd1f7a8514a420f2f0eabe57f408bed85a2cc86178acc9b9cef",
|
|
"version": 1
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endpoint",
|
|
"sha256": "2015029af5a5a0330f929920e99f93bd06e9d0a2f1ccf5b7b7c30c953f7ca340",
|
|
"version": 2
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "b3347c68deb04c69d524eaf1d092ca1cd26a18c32eb7d57a72b2d19f994a1a44",
|
|
"version": 2
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "e0e4ab88394545469f2d5eee21909298fb6d8b5c0e2fa4ef35331d1fd7ac9f23",
|
|
"version": 1
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "f33bc5f0b3e49b2e47b15376fd2a68d1de7d14204a05fe17a1551291f5603673",
|
|
"version": 1
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "50f4b863d2184bb0c86fa854e7f009ac21a0c0919deb80c41cbfc2c55ab264e2",
|
|
"version": 2
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "d85fea308f2fcf2b3a99f38acc2800b7c397a310deb5d2042ccb023d9e491c0f",
|
|
"version": 3
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "c564c6efa5f18c2c696f39d0c6befcfdf6a48220cb287746c98c89d38d9a9301",
|
|
"version": 1
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "ff6fd99b9f6141b59784df526e92405db1b15197adca3c16b13f8f193a3389e3",
|
|
"version": 1
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "04797144ac125fbff20df8d63db471c237f3ee6319f2e75b4607a0d3201d88c8",
|
|
"version": 1
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "75442e7eb596645909961fe13ee945137ef2c3ab5207f5aa6d7b204216ec335b",
|
|
"version": 1
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "aa7366d7de1e17ceb977e79a1bb88f56cf5451ddadc12d7e349d93a9f6ada328",
|
|
"version": 2
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "90375f3a66c917be3c0951978877e9886ba55a6c2a7378ec45547952bf391c28",
|
|
"version": 1
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "8803236e7bdb9aec8904a7bb13d47b3bd3c0ba7dc2cfff1c27439466d0170691",
|
|
"version": 3
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endpoint",
|
|
"sha256": "5c3fac8543701612b433b719a609135a1e95c4081bbbbdbdeb0203c18e0a7b77",
|
|
"version": 2
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "3bbb66c55707077ad2ef97fc1d95cff0527e95a49f83b84b82fc688e61017760",
|
|
"version": 2
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "2ded9ffeea250303a503fac66aaefca610fa0fc2f96cf6917b4676b41437c6fb",
|
|
"version": 1
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "eb6f8ca3e9a957d3573fc09527b54c4c316eaed783f5bad2d6057875e934d43d",
|
|
"version": 2
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "7e94855d83fa70497f23ac1ac0996234b462102bc82f06e6c442c6ac437075ed",
|
|
"version": 2
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "d2e4829910b24fb980060b8e3adb7ce138fe2de8b47193c5801bd6fb28d4a339",
|
|
"version": 2
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "b6f615b8c0851c51a8a2cd76d70f32c13d3ec6868a1435b3b99ad29e7b211c55",
|
|
"version": 1
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "7b9fdb9bb74d1bae58a5e0d2913992a48f694d895c651a879d1be6a215fb6822",
|
|
"version": 3
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "aca262dc656d8203cd46799960df4e1de99bfcc6660953e6ba10fe25145e9237",
|
|
"version": 1
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "c7e849caff0ec964d5ad2d1e7523abadba7a887846bbea3270bc900d3231da2e",
|
|
"version": 1
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "da3a7b5c5addf4b3e760a505232b8048c8a865d9fa8b5b09df1bc3f5da942956",
|
|
"version": 1
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "267fe9694bab5833b3a374a799162c4cd8ba8e25777232a023e22f53e27e9260",
|
|
"version": 3
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "164c2588d9a22e77c2830a79e0b5f72df6050ee724d4113a3bb75668faa6a8d7",
|
|
"version": 3
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "bbc8ce5e399e0d06157aff9e07a922bbf3d9428adb0e602274443225d27e13d3",
|
|
"version": 2
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "1a2b60f6f140c9da40b5a57790581a31d9d022d23d9ae4988cfe074241d98d4a",
|
|
"version": 1
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "a59eebb16d201dcb8ef6d461222854017ddeb42f13709fbd86cf664eb176443c",
|
|
"version": 2
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endpoint",
|
|
"sha256": "642078d517a828b397afeaf66b572336c03b072695a1be761941da5a0da82ab2",
|
|
"version": 2
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "70194d4c327e916fa7cbd73fd373d5282732e1604ed2f1f9e80e005746b2ebc7",
|
|
"version": 2
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "149e45da1494348a5a1ebb5802b048d5efa9d4fd5ff588f8ac0c32d416a1220c",
|
|
"version": 3
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"rule_name": "Process Injection - Detected - Elastic Endpoint",
|
|
"sha256": "ebc218c788a01666499b9ccd9126099fad2c1262f34d1fbf904cbc2ff179a2d0",
|
|
"version": 2
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "0be3f6a38c6fe9504aec5239d9dcf6962b2bde90eb07f5f6f1a682da2fbf8b52",
|
|
"version": 2
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "82a95329040bb9a03fc93ae26ead52d063732e01e55fc91a50ea51bd60febfb6",
|
|
"version": 3
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "0117b0bffd43900d7a93110cd44c4b786cb30d62832dd9a7594e1a95d00428e2",
|
|
"version": 2
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"rule_name": "Setuid Bit Set via chmod",
|
|
"sha256": "6fb4352bf42cc1842367ccfd3077c0ab58b47cc855253b70cdb5283e451067da",
|
|
"version": 1
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "aa661ef6bef1c2951cde1a90dab2dd8ea17e01838b9ee69872963950dd5f76a9",
|
|
"version": 3
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"rule_name": "Ransomware - Detected - Elastic Endpoint",
|
|
"sha256": "3ccc4f8e13efe9a61b5624bed9ce6407cbe1bb6919e36f1e375cdffebe54da7b",
|
|
"version": 2
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "c2df3568f4994b77e0b62a787cb3ff25a0c064ea75a849875344555e84da23c9",
|
|
"version": 2
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "12b16eb9930172fcbf4ddec9b03ce0dc2bf5effe5e132e7a338f9ef4d34aece7",
|
|
"version": 1
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "2c2c81f80ebe5fa568d94f6b44778a3617d2c98a60db66ff89b7734fe0f58227",
|
|
"version": 1
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "cc489289aea78cec83cf6baafd052523a12a5de52b7fd051de469de7aedb11e1",
|
|
"version": 1
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "992014dda37755b93706823224d6c773881d207f2e95bf28ae9c8b142a7ab08d",
|
|
"version": 1
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "3a99fc1237f79b736e78e2504a7f03a3c051127d56280d18e7942bc28458e0f8",
|
|
"version": 1
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"rule_name": "Process Injection - Prevented - Elastic Endpoint",
|
|
"sha256": "2c548340fbb54eff9e1b152ee566003019a76115e631d639787f29d932c707c0",
|
|
"version": 2
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "c50856866464349948eb885d9d4b377a46b8a7470c6f32673c3d5e61ff0242b3",
|
|
"version": 2
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "ac0023e83e5909cd445a89e0d4ab90bb7b6b30a351e62e88c166a7679a935777",
|
|
"version": 1
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "1b36179b1f136fb76beaff305ce0c197b0f004809f7d87db6152af0b530279e9",
|
|
"version": 1
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "adef27d5671cae0ca7e338d1831deb5be547ca7e2bcc3f5c325d51e378062b15",
|
|
"version": 1
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
|
|
"sha256": "7ea5a0d0ea0780b698bc9007712ebc10b6cf49e8c5622c73700bda45ecba141a",
|
|
"version": 1
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "40f6a7c2ade30ed37caf7db9f4f86b589bb220935a04d1bd9cacb4595999d0de",
|
|
"version": 1
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "3e1bd6080789278af1262594434fb9df61bf980a196edef457066754ddb9b428",
|
|
"version": 1
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "2791ea7aab403f784e99b1a00253127bc01b533c071ae239de2d951df5744226",
|
|
"version": 1
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "670fee406466143d95c3d010a8f318d9551a33ceeb3b18edb862aa50517d153e",
|
|
"version": 1
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "0d5aa3558796ad1cfa586b0c0d1a99b2ba6d0cd6baeae3a1f31af0dd384a5859",
|
|
"version": 2
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "97f3907a36f237b97c3812f4574501cc28397821d814246ef551cab92809bf20",
|
|
"version": 2
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "fa702d3f843d3b28f1d7be714e638126bdf36a51086d6f46c0931dcdff59637a",
|
|
"version": 2
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "f41d31dc2d8ac8a4da2ea71dc3a2eda04b2195581612b5f40f5ed7d4b23c1939",
|
|
"version": 1
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "bfbecd958d7ac30b7a1ce42d1222a026e48e6d5b5b56580dc6063537a66e872b",
|
|
"version": 2
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "c8dde04e8b38da965110f057e8b7a7198cd6c1fdaf122919861a3bf44b715108",
|
|
"version": 3
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"rule_name": "Netcat Network Activity",
|
|
"sha256": "05e16bd1d644813e92367add6a0e06dd94e5d5bb13deee5ae76e2b4e1c5e6bf8",
|
|
"version": 2
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"rule_name": "Local Scheduled Task Commands",
|
|
"sha256": "c6cdd952bda0851019bfb4442e8f981491c254b0442fc875baf088eee4d1b4b6",
|
|
"version": 2
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "75b96e48cffe957398885c16d19668180a9c8a3f34393533298f1a57f73540ef",
|
|
"version": 2
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "ba2d648dd481c9efc13942569f8c5b1bac7f3110b10ab10e52d548b0501cddae",
|
|
"version": 1
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"rule_name": "Volume Shadow Copy Deletion via VssAdmin",
|
|
"sha256": "7ca6f8f1c070f5ece4dd1a4e11ce37658fb18141bdd7995482ab65cee2ede3bc",
|
|
"version": 2
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "f1713a791e10f0c22d6ef141ac00027fe0c25c74e5c170917c82039d82df95e4",
|
|
"version": 1
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "b3020cd50fdd4071cd24ba4864a6f71571c7be9dfbc04a05675fc5f82cd2b765",
|
|
"version": 1
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endpoint",
|
|
"sha256": "ff22df35f9c904de4bd9ea09ad6930326a56135cd21a69d9b159ffc80d1f1eb3",
|
|
"version": 2
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"rule_name": "Permission Theft - Detected - Elastic Endpoint",
|
|
"sha256": "14615d66138ce8a151124e86105e476cbc86391f48b9d623e5d89d3fedfd5244",
|
|
"version": 2
|
|
},
|
|
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "b576737d3673fc434f53908d325f1e19780acf43f29e5ca403d233a76e49157f",
|
|
"version": 1
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"sha256": "2b1aea0e382da26a9095637412779ea07ba1c600085708fd8533cb908cb4246b",
|
|
"version": 3
|
|
},
|
|
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "5aa93865218f76c6c0e0a221e6525c3a25990e004dcd5a130abcb2693e799521",
|
|
"version": 3
|
|
},
|
|
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
|
|
"rule_name": "Direct Outbound SMB Connection",
|
|
"sha256": "043f27706d54abb341bc27bfe0e0ab28cb301040d67f45e454b69ed91c413acd",
|
|
"version": 2
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"rule_name": "Nmap Process Activity",
|
|
"sha256": "2dd6d209fe4baeb9f4de665c48ae09886f0ebedac1f5348e8cd9670ad3cba231",
|
|
"version": 2
|
|
},
|
|
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
|
|
"rule_name": "Credential Manipulation - Prevented - Elastic Endpoint",
|
|
"sha256": "4de5fba453fc6e77905f049de58e3d4e949c02b8a7c5664824d6de0fafa98aaf",
|
|
"version": 2
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"sha256": "69c100cf7e526df7fe98c60f5dfdec39b5e283b70b8258a214d48f549136b3ee",
|
|
"version": 2
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"rule_name": "Socat Process Activity",
|
|
"sha256": "bb51f973a0c732418f775ff5034494ac78d917dbe268104196275c056c2c6eee",
|
|
"version": 2
|
|
},
|
|
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "3d0384a5dfcab595d6e37e51bb57c14999240e81e677c28a72980729d3843e5f",
|
|
"version": 1
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"sha256": "1d1338c7e5a451124c5457b9f951ecb4fea2d25f66e1e0a42fd5bd42901fb5c4",
|
|
"version": 2
|
|
},
|
|
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "f7c0075c089b3dc58718cf914f458d603e8334259676255fa410666ed4838619",
|
|
"version": 2
|
|
},
|
|
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "2afadbc58b81aa3f157bc2a6e2336c2cdc01c4f7cf1b2e49ccda73115e1416e1",
|
|
"version": 2
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"rule_name": "Strace Process Activity",
|
|
"sha256": "208748780ef08f6f5518d19ddc02b27ca464e0a2283e3bd597d1adb209faedf6",
|
|
"version": 2
|
|
},
|
|
"d76b02ef-fc95-4001-9297-01cb7412232f": {
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "8b733d719fb36d87ffc7c4061b5745a309c9aa9f4486b916839612c5f2842d78",
|
|
"version": 1
|
|
},
|
|
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "2e069990afc7e2595fbb44fbf7409fa9689e06fe1bf4e38c5eb6b63b7e668278",
|
|
"version": 2
|
|
},
|
|
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
|
|
"rule_name": "Credential Dumping - Prevented - Elastic Endpoint",
|
|
"sha256": "00d2b15422187a2e7d8cb886d61b5af82e900690fce4d231b81a6c88e71329b2",
|
|
"version": 2
|
|
},
|
|
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "47c0662835bb960faa810a241cec8a0e3a5e16dea5c5b24a2391bc46a41ccbb7",
|
|
"version": 2
|
|
},
|
|
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "12c5ab3282cc98896c2fdc6019cacda579fde5f1c9b155ea12a5bf89308e6771",
|
|
"version": 1
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"sha256": "ab00dfd7fb69715948b4b0b71cbd2aa4f01da00124717860ee62245023c94201",
|
|
"version": 2
|
|
},
|
|
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "b8febd6d9d552e61b554f6a3c60eda8224b8c7c6a270cdb5540b7bcb013eacf9",
|
|
"version": 1
|
|
},
|
|
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "ad3d7159bb5aef8d8658ab0c89416a2b0e94b8e775f4a65da241352f3a198508",
|
|
"version": 2
|
|
},
|
|
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
|
|
"rule_name": "Ransomware - Prevented - Elastic Endpoint",
|
|
"sha256": "c9af59f7a05da04fffa3d96c38a40b342820cb3bee6c800ee9df883882d538ec",
|
|
"version": 2
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"sha256": "f56dd354749071664740a90eaaa0b989322cd84d851b0b1488d1c9a6c6a18f7e",
|
|
"version": 3
|
|
},
|
|
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
|
|
"rule_name": "Local Service Commands",
|
|
"sha256": "bf7942d8947c958f37d4e71bfe3ffbfa274316bae269c280383be9f9777314ba",
|
|
"version": 2
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"sha256": "cc73cfef9c8a52df72988a68e4c672f5b2836557e5505eca35867724e53c1960",
|
|
"version": 3
|
|
},
|
|
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "20096fe4e38033d51625a5d76c64b63cb2b3aa9087cfd527013f99a9621a8a37",
|
|
"version": 1
|
|
},
|
|
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "25c739bb74073b6d0cf882b7f2771dfbb2dc85f27a64414f34f2544332c305ec",
|
|
"version": 2
|
|
},
|
|
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "4c6602cef669e1229027ac71756ae75547d9250e04b526e7d1706cf4cca6655d",
|
|
"version": 2
|
|
},
|
|
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
|
|
"rule_name": "Delete Volume USN Journal with Fsutil",
|
|
"sha256": "bebe50d02b82af53fc18f68f84e4e4e23ea720312aa2427254627f3fb82caa6b",
|
|
"version": 2
|
|
},
|
|
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
|
|
"rule_name": "Network Connection via Regsvr",
|
|
"sha256": "1ea67c38378949c4946d6704ded6c3d6f1a0c7b890e45045b2e6a2264bc92fc5",
|
|
"version": 2
|
|
},
|
|
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
|
|
"rule_name": "Potential Application Shimming via Sdbinst",
|
|
"sha256": "d3a22bf6b97ce616591989d43fca5248d4c14ee87c9c5dd572b3f3a7ac1120a1",
|
|
"version": 2
|
|
},
|
|
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
|
|
"rule_name": "Encoding or Decoding Files via CertUtil",
|
|
"sha256": "811d196a3ef110b9651feedc5bd363205c4eb0317305f1b5aafd2884a7369967",
|
|
"version": 2
|
|
},
|
|
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
|
|
"rule_name": "Svchost spawning Cmd",
|
|
"sha256": "07aef064be12522287511146bf3cef378006cd6d6785bfe022972bee00ce2d1e",
|
|
"version": 2
|
|
}
|
|
} |