github-actions[bot]
01334a28bd
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 * Update detection_rules/etc/version.lock.json --------- Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
6220 lines
228 KiB
JSON
6220 lines
228 KiB
JSON
{
|
|
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Policy Rule",
|
|
"sha256": "6959ea68e624648c00260b8b0f15cd196d5b8c735a992496989e2dafdaae5661",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"00140285-b827-4aee-aa09-8113f58a08f3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "44c9ed5ab020fb52fef50aa4102f30790986063269ed4d478521951bb0761c34",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "aaad99f21f683f4ddec166d675acad5ad1f1434f8a6ebf7e7881c303202dd848",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Google Workspace Suspended User Account Renewed",
|
|
"sha256": "48f368b533d66d07ad1f6877ed9293a9286f851e7bca168275c3cf14f081213d",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"0136b315-b566-482f-866c-1d8e2477ba16": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 User Restricted from Sending Email",
|
|
"sha256": "800b46e07338fe2de6177e541487caae40e39dfecd6c44a09abea5ffc429e8e9",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"015cca13-8832-49ac-a01b-a396114809f6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Redshift Cluster Creation",
|
|
"sha256": "7dff7627decd65e25f4571ca3ceefc9b8051395af121bf93c8b4234576ea3426",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Cookies Theft via Browser Debugging",
|
|
"sha256": "e494a8188f625906605b8bd31de9606107ac62aaac03ec711215e13a8f58502f",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Process Created with an Elevated Token",
|
|
"sha256": "d8bff373c399672486e591a49e3e602291a0aca6edf606a695337d65d8a37527",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"02a4576a-7480-4284-9327-548a806b5e48": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "359443e99fea9675583c8facf421e9120d5c293796b25476b746b99e36a91ec5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dumping Account Hashes via Built-In Commands",
|
|
"sha256": "9a4ea5449638ca4ec6bb30aa804c16499fa5462e18252aedfd7ae6bcbe77e325",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
|
|
"sha256": "9c753af8cfa4af8e249a5d5b351338c1541b3f7cdef2bd4ba97f693cab83a0b0",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"035889c4-2686-4583-a7df-67f89c292f2c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Process and/or Service Terminations",
|
|
"sha256": "b2460fd8630aefa491590afec411fe8666e1d9c5ef4cfc06cef286ec2dc76ee2",
|
|
"type": "threshold",
|
|
"version": 104
|
|
},
|
|
"03a514d9-500e-443e-b6a9-72718c548f6c": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "SSH Process Launched From Inside A Container",
|
|
"sha256": "5b76217d66ec964b05b0827afbddcfc7d56d7a79f6666ad52e528cae50feafa9",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"0415f22a-2336-45fa-ba07-618a5942e22c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of OpenSSH Binaries",
|
|
"sha256": "2ede08f76e0b1af3b9b7af11c48e35da5b0265ad83e5f36e7876927f8b45f2d6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DNS Tunneling via Iodine",
|
|
"sha256": "97349b731232dfbfa6e09c4f021c22cd5afbda16de5f44d87b41be13538b6f7e",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure AD Global Administrator Role Assigned",
|
|
"sha256": "288b33ef30117913f0017bba83da1caa675d73c6c6c58088ce9f550fde43042c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
|
|
"sha256": "c65a4e89d85ae3891e7960338eb8ce36119ac9f7136e1d32121ea60fce9cc797",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"0564fb9d-90b9-4234-a411-82a546dc1343": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "c980b36da9cc53a66053acac4f56e6833dc02b97b2f3a8d14c95e80ccf5c54ec",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "4000645be34a89baef62cbe8a335a9add136452515811364395ba9ed729fe920",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "e73ae3e63708c2aba83e87e5f8f91f159b00aa8141f016d04672654a8afaece9",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"0635c542-1b96-4335-9b47-126582d2c19a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote System Discovery Commands",
|
|
"sha256": "2dffdaf687eca0fe2848f4994fcf7f0fd01084c7c9d6089a4fded7e3b6f318ec",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"06568a02-af29-4f20-929c-f3af281e41aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Time Discovery",
|
|
"sha256": "65247c640605c631c87c6ef67590e5b0c845a46b159a6868731f6e19536c3a19",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
|
|
"sha256": "00f34fea806f0d0497e3853615f5b4db152ad174113e77d0e025476173ef1c11",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "b673cb928a168d285f4a78c864a556285d31236177a8adcf3b2953198726e8e9",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"074464f9-f30d-4029-8c03-0ed237fffec7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "8ac22dba8be871be007d376cd62ca4dd755fe996dccae1834f6dd4019a8027e5",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Local Account TokenFilter Policy Disabled",
|
|
"sha256": "e04a7526426f8fcd186e244bff40ca7b14e0d78faccfaaf15cacb23ad182a222",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "1c82ea9b65fada4ec684045bd8b3e5eaa0730b35b41ddef3dd151ff26a9d6be9",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "c76a846e81e4ca27b99ae0ec3d68b1ef5a95a2f5dea4f9d869e56dc52d73be9d",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"080bc66a-5d56-4d1f-8071-817671716db9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Browser Child Process",
|
|
"sha256": "3ecf457d45509f7228dfc3cd87c1451cc2b328b00e21d72216c76d17617cb3c6",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
|
|
"sha256": "0e444a68ff7b43c0da48f8a6465382099b95cc8a7f09b50e8756df7daee89233",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"083fa162-e790-4d85-9aeb-4fea04188adb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Hidden Child Process of Launchd",
|
|
"sha256": "b794ccca3f60f3f9dc0ad4837babc6d100e77072aef158eb6b153acf26d1aafa",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"092b068f-84ac-485d-8a55-7dd9e006715f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Launch Agent or Daemon",
|
|
"sha256": "05f8455824b3c6f5a29fde7c5fb9e14b5e92a05fbac03ce9c6a7d104d02f2181",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"09443c92-46b3-45a4-8f25-383b028b258d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Termination followed by Deletion",
|
|
"sha256": "8781f3f5c5a853baceb8aea9bafa5f05ee8a062c541b585129c33f5372c7b649",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
|
|
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
|
|
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
|
|
"sha256": "e9b638ed7f3e43e337695cbafa761a7fabd832f38a7fae09bea663e61f0492c3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Malware - Detected - Elastic Endgame",
|
|
"sha256": "625e15fc2de85491b9506d68b1852e7faceace28909534416f3fe6df4b4e7506",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "00bc51b2475a281bc82637c0436c684cc292519dd3b042e7656c87381eba1bc9",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User account exposed to Kerberoasting",
|
|
"sha256": "8519b3c2272cabe8be1c58dd9477ec161c9431845b51cb63321ac93704e83e17",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "f7112b01e04e9d3ef5fc49be8a5b5a76376fe15dda7f19c79e1003ad227acbd1",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Threat Intel Indicator Match",
|
|
"sha256": "ba224a6d2c59ed8072d4b28f8b86c7a161e511a747418aa937074171cd5a390c",
|
|
"type": "threat_match",
|
|
"version": 103
|
|
},
|
|
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
|
|
"sha256": "f42ea7acfc39b867f160d77cb67980e378220b0b29dbec1c46ba81a85b3ec497",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Alerts Involving a User",
|
|
"sha256": "8d4c07265bf4bd3c24f522e31ba75c8a38f0b8d8b41064fcc50c4dcf0e4e168f",
|
|
"type": "threshold",
|
|
"version": 2
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "82a65b852cdb20f6cc1af4294168e6dee7907c89ec02e31c89b5d09f2f06095b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of File Written or Modified by Microsoft Office",
|
|
"sha256": "04c744a73eed300a641fdae056d0e7d48edcf7279920e1d2572d6d75b5062436",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SharePoint Malware File Upload",
|
|
"sha256": "52e4662dae5a3d57aebcef8d8c8ac99e9cb8a6d96ce0efecbc4e95e04cfeb435",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Key Creation",
|
|
"sha256": "98f03bbb565359358d97ccab8ca9d6461477931b6f0366e00a62a350ad85ec91",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "e9e1448015a161b254426d82b35d7cd0f1c50f825c2bfe80a4cc49b540c6e97f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RC Script Creation",
|
|
"sha256": "ff446b78eeb415bb1cddaf20b8b1bcda86ccc21cb9b77d3b9db8df2674132338",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "b51c3b4a3640f15fe935d10b2abefc1092ac197e483dd95e597947294ed638e2",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Root Crontab File Modification",
|
|
"sha256": "74f12365b2611f746b6b950de77421e98186ecdce39d1c929d8c200d5aa36835",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"10754992-28c7-4472-be5b-f3770fd04f2d": {
|
|
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
|
|
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WebProxy Settings Modification",
|
|
"sha256": "bd9678e07494bdcbadeae1f8a30a56bf687540192ff3411d19a45fd9b1a005fc",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"11013227-0301-4a8c-b150-4db924484475": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Abnormally Large DNS Response",
|
|
"sha256": "cabcfa0923767a42d630bc1550d41c1cfd0eec28064a1ff44817b3d538250a01",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
|
|
"sha256": "95f22e9c3c60779a47a66b47a9b7794b7b4a64b32145100f8e2648077cd834fe",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "43e6dd5a6655971d7941fec42fbd98ee9432b7a065fae76a8050dbbec30d33c1",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "1138d533893e9778a2dbf9a263a450909515642c0bb6a613c61c11bbeee74ece",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a5": {
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
|
|
"sha256": "74de260d1311159923913cbc9f8af2632cbdfc1f1ddd903b2386ff18b3f69ecd",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
|
|
"sha256": "540f7bc299a922433a0640ff6c624404386ade4960d6db7c09ae8534ab9f23c1",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"12051077-0124-4394-9522-8f4f4db1d674": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
|
|
"sha256": "c13c6181165d83fa92e854fbc44b44d4ab9d630486be78b48126da0e6b28acdd",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"128468bf-cab1-4637-99ea-fdf3780a4609": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Lsass Process Access",
|
|
"sha256": "080277a4401d117858dd0163845a57e48a1672a00d2a5ca3da3423a7cbe799e0",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "9849f3733be1f4f160704b38909e60354493b106e233d0fb46bbad606d4cf8c8",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "0c29ed380ed39fc8a80d4f4fab1fe8785ddfcd617f0c34564bb083d38a585f26",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"12cbf709-69e8-4055-94f9-24314385c27e": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "5d921734039fe405b0c6592212c7e3019f5b13cd5364c1387b30211aebcd0f31",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "7d550e16a5e9a5ee59b288c4bc693f4e6703004a127827dc0e04fd4ca293ebe3",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "a0fe76c90fa839b3f2dffa93008fdea6743c40044698affccc0a90c56c860c7a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "99840ed108ac2a3a9821a83f6b161fa033a720640a130239b98236e0d8e87093",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Rare User Logon",
|
|
"sha256": "38a33e55971586872591f55b06eccbedb315e91e6aa460f4c407fa16106e34e4",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure External Guest User Invitation",
|
|
"sha256": "cd3ff42d4d39f286f6ea43a9dc3e39036052e41de46a2361d7f2e03b904b56ff",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "2b983663df2e83acf552a0e23cf64c89b7d02608e47827e831a7f83301eb1157",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "a00465734be3cc8c51d1068bd7d2d6fd67cc0144a3f4b11d969411083176df00",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "90b7f6defe4977b45e05aa289bc82b0dd8a381c0e699c711715d6c350070ca92",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "84489342541549db9a81f650e682ff2311f77daf0f1af723aa3a23da31bd3131",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Scheduled Task Execution at Scale via GPO",
|
|
"sha256": "cf03af67c80afdce88b0d90377426b870072a256c1c7df1a1beea891c3ebf5da",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "fb888e09a4a11bf779b938d5e4e78e13b508c4d7adc38edf65ee6bff1a1517e4",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"15dacaa0-5b90-466b-acab-63435a59701a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Private Network Connection Attempt",
|
|
"sha256": "36bb19a2a3d947e65a4f020c5343a8ca9e33aad4c743276a4b563f089945357e",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Runbook Created or Modified",
|
|
"sha256": "1ddd06726c54971391c661c9aea4eac602559a462ed0ecd122be0d5432a23e3c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"166727ab-6768-4e26-b80c-948b228ffc06": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Creation Time Changed",
|
|
"sha256": "e1414781608ffb071f20f2d6bc6a2bfb0b78f1a8090caf2079668f5f06048146",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"16904215-2c95-4ac8-bf5c-12354e047192": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Kerberos Attack via Bifrost",
|
|
"sha256": "580eee276b8cd0635b5b2cc101ba4c27a33d479cf82024465043657d4ac3be67",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "70eedbc5d5dbec8299ff01adeab82bfdbbeeaa1ff181941777befec486ec1724",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"16a52c14-7883-47af-8745-9357803f0d4c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Component Object Model Hijacking",
|
|
"sha256": "95c23ba0bd1ede74baf8c7422054ac967d0e416022cf05f638d457e0b48b7442",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup/Logon Script added to Group Policy Object",
|
|
"sha256": "a0bcbe249b9ff9013531a804a41432ff98b61a30b5a2249c28f8b3c691f7c766",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "e1740f328635e9314cadc2eb52c767f0d293bbf1b95bda5a93bc40b62ccf0f54",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "4a9102d18894a8280bde68cc780b7c5e0a7a3a4fbdaa71b52b417ce85009ca75",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "6314693fc1aa0772a5bf5feda375c38c586fd261b5220b62fb53fc8c09ae07ac",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "c77d151fd7841b1b3c983c59fe82e450b6508c05b82dc438681abb6f12d6f006",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "873d5ac5bf227fe7cd005164804dbdb06312054689c1fa2d9bbf55929c9e5176",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "New Systemd Service Created by Previously Unknown Process",
|
|
"sha256": "a8cfdcf79d499deb089384f0825d0ba8d2de79a4e83826443aede78c9b2e02c4",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution - Short Program Name",
|
|
"sha256": "9e56b68ffda148b7c73db7e885d67adbc99f1a6b2b3b6f51ba38bf3a4f24b250",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "eac6bc2fe670f80df6a3d58547cf904d0b10bae622920b398b8d302d916ee805",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Sink Modification",
|
|
"sha256": "3d6c368434d84250789f01be13befe3c23f9cc743c66e61b35c9eed89108bee5",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
|
|
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
|
|
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "8bd0f2c08153afa41209da5e3e3a0e42985509e3ae61fdcd53a73b13f29747b7",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Suspicious Network Tool Launched Inside A Container",
|
|
"sha256": "138fc9928e0063784034890ead283e41db6dff308fec75d5052e0291bb8e6f4f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Application Credential Modification",
|
|
"sha256": "4578d2fa5303996ca9dae8665c8478e5f83d838b6e503934124775b995cf839c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "497aa6f2e84bc38a4173e213a42122fa075df41c196f18805aadac627289c3b8",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "b30b1697915642b261e3b8eeebcd3c96042b1d3ce68999f69004a2acd6ce6329",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "91da5464a87cde5c98128299afb48b78bdc30e5229e3387a4f17e627c03b5787",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "c2470c215f226531bcb606f6add21e9e5be2dcdd0f5a4da0e2bb7a6b60a41da8",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
|
|
"sha256": "7b54549eefd5278686e1bd0576093fd42c6a619b7a498a200737efe7bcc93f41",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
|
|
"sha256": "2ddf9ef2990e3366f18711cb3a5e17582814c9129d328e8f05b05b7d83d7899b",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
|
|
"sha256": "0632f4ba371145aa2b15a3655f4ecaecea2aeca4b27e04e67b46fb0241594edd",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious File Creation in /etc for Persistence",
|
|
"sha256": "1fd747dae1ba49d6dcc66af8535a65b79a2d9aa5d653b1ada5c3b405c9a2cd0a",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Rolebindings Created",
|
|
"sha256": "d60a2598b31e2c9c16a051b1cf76726ce5d8f024423f62da4ce30e959924ff97",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming Execution via WinRM Remote Shell",
|
|
"sha256": "81f6ddaf22cbda3bb32a7e2961398f45d8b7c13328896e18d685b4b20e362ff4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1d276579-3380-4095-ad38-e596a01bc64f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via Script Interpreter",
|
|
"sha256": "7cec02343d3ff08b2ac5d6a0ce4e774251872a0afd63f7461cf274f3c0b6b381",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "External IP Lookup from Non-Browser Process",
|
|
"sha256": "8534a5760bfd1818cc44fb3d15cb7149d8b876996a0f11c0fc5b67c9167858b7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
|
|
"sha256": "be0625996c86fbc489251b18e1d30fbc86587aaa425e33d8b9ef66012c03e96d",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "af6be416399eeaee6a1ed847e2f3679ae55f3064707456c416d0d5a409f3bebc",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Suspicious Inter-Process Communication via Outlook",
|
|
"sha256": "7e884d638e3acf624a11f5d835703ccd5275f1a91995cb57eae140da2345d2ba",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "1d2807970de7b535d0e81f99579f83e1916b9f85a0e57f9f6c52a1c2cac5dfeb",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1e0b832e-957e-43ae-b319-db82d228c908": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Storage Account Key Regenerated",
|
|
"sha256": "3328d28b7049bd0768a8c49e258c4d07acf8100a03153adfeb091e534e234847",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Sudo Activity",
|
|
"sha256": "774126d5ff0196be341ea3c68dea7905f35eb1d6566b6ceb6bbc6bd4ce470691",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
|
|
"sha256": "efbbd30cf454c60552fb2c8dfacdde1299dc029790b6c5715545eb52b571fb66",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux User Calling the Metadata Service",
|
|
"sha256": "1fc7b0add8970a20b77449cde5c11d27e8002c537b9cd59f4b2c61070247705f",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "4f370c54b264e4444908b37b43daecca5de834600903973c1d115048023d11b0",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exploit - Detected - Elastic Endgame",
|
|
"sha256": "95bb907bc085874a3566cc325863a188bd1ac263ddbc008b39980f9e3ff2fd0c",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "a0a9dc7ad8d0e844f8c93f4e26fb2a0c78ff0fc683245b9282dda37dac44bbf0",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "aa356d8e6beade4be0b288c419af9f728c5f6e1457c801d58af8d4a7f60ad392",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
|
|
"sha256": "1203a9aefca765c637dd8448ccab4f1ab77bde29afb5c50a859e5472893475a8",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access of Stored Browser Credentials",
|
|
"sha256": "4bb7713dffb12de0b080193c5fdc54c11e70fc8d155f546cc071ee1bd094133d",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "LSASS Memory Dump Handle Access",
|
|
"sha256": "7029a40cc6cfb90aed1a6f1287ee968dc7e224cd7bb03d53a28a1b000eeb2e9d",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
|
|
"rule_name": "Auditd Max Login Sessions",
|
|
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
|
|
"sha256": "dbdb94a6c797a0d3dff0dcadb8888b2a6d6133a7b3e300c8e6f40583493ed779",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
|
|
"sha256": "ae6ad766f36f6d8d4d59778c75fcb93873a898a42af93c18c73073e96457b366",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SSH Authorized Keys File Modification",
|
|
"sha256": "a56037b84903d61f8b7a24676a0c69ecb2d97e68cb08598e81c94929cd49514a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"22599847-5d13-48cb-8872-5796fee8692b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SUNBURST Command and Control Activity",
|
|
"sha256": "a2070001c863fb56bf30b8b7cccbbf9193b4311815aad6e3572030988bc8dbb9",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "0df73169299180ec98355a31f588e7c2bb643fb0caf65acc459ce7268ac513e4",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Storage Bucket Permissions Modification",
|
|
"sha256": "49ac3f550305bb465cbf74ff51ba9484fbbee0c9c08cbedc36ee0a7ecf23278e",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kernel module load via insmod",
|
|
"sha256": "6d02160bec7dd9d1651eab6d086f21ffdceb7c892337c53fa083e5efd93712a8",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "6cd32a489b66ded9921ade1bfb91ef333f806716187f36ca9bc7554b1a589019",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Blob Container Access Level Modification",
|
|
"sha256": "4cad95b3cb6eb2f2107dab0dafaacb3393fb7f29826d6aa31c2fd134e5745e7e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "cabf8e1c5d440cc35f5149f32dd23cc6332af5f5ced9237a350d11f10a60084a",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
|
|
"sha256": "02c92fe0915c5e01e58c0cc78e49040ba2ca9bbdf31adc826f9eada5dcc3e388",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"26edba02-6979-4bce-920a-70b080a7be81": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
|
|
"sha256": "61c5ef7f4e05aa853ab39b31d813d371abe1daba1350e751167e8758bd66efb2",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
|
|
"sha256": "b1fe391f2303c93bb37c3c897a8f47d2e405bd9039dc3ddf007b4c0f84b3ab0b",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"272a6484-2663-46db-a532-ef734bf9a796": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
|
|
"sha256": "e44cf5df8dbb32d716d2a4362cb8385e493638cb71b141aa8aa3717205bc20bc",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2772264c-6fb9-4d9d-9014-b416eed21254": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming Execution via PowerShell Remoting",
|
|
"sha256": "257a219daec6d7a24cca66b40f6c157bddae330fd08d398351d8f00d5b52e039",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Firewall Rule Modification",
|
|
"sha256": "f02fe7e3a75d91628a954cc250178362f1c4b7faa1a39cd41a3a2104138ffc0b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams External Access Enabled",
|
|
"sha256": "9c73b9c2b54cace47d3e2a3ef52215f855ab5f0db468115a949b43b64571e34d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Password Reset Remotely",
|
|
"sha256": "b38e8457cc6ea7684e8e680670c148197fdfed4d3d75b911bf2449c7b543e0fd",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Discovery Command via SYSTEM Account",
|
|
"sha256": "780024af7f5c78bfa1cb4ee260a6410e3c505dbbb7fea2124dab17bd3fd19a74",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exploit - Prevented - Elastic Endgame",
|
|
"sha256": "27305767d7089a0c2bead91f22c1603ce3948e10ed90397be8c2155689b3ed24",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"28738f9f-7427-4d23-bc69-756708b5f624": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious File Changes Activity Detected",
|
|
"sha256": "2c6c0ce22c3a6b4176de671838efd6ebb4f498264b371f1110cbd7c6b0f6d8e5",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"28896382-7d4f-4d50-9b72-67091901fd26": {
|
|
"rule_name": "Suspicious Process from Conhost",
|
|
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Security Group Configuration Change Detection",
|
|
"sha256": "2e78a2648388f767255958ae85838c8ba40c1079aa7eb02edf60cdee127458cc",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"290aca65-e94d-403b-ba0f-62f320e63f51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
|
|
"sha256": "e49cfe25277c9b82ca1e8d14e244f899d1100f9f1ed19e3b687cbdb499512d08",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2917d495-59bd-4250-b395-c29409b76086": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
|
|
"sha256": "b46c4dcdf187fee2a85d41e8a56d5adbc45f21ecbbfcaf0c4993c0bdbe77226d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Privileged Local Groups Membership",
|
|
"sha256": "ebc19e7445f08b3ab8a13977c62af6df4c78a4fc8f78a970a91908300c4203b8",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
|
|
"sha256": "178a7bac7a538fcdc72434c1e7d6d9c9f1698802fb94817047bbf1d0f39da540",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
|
|
"sha256": "f7cb9e4f92a13ef9246e6b2a163b71a5da25f361343619ab307e6815cc43761a",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Discovery via Grep",
|
|
"sha256": "323f8fd32358a9025b205a1b3142e2f51687e8756c0627f90cda04093b54cd5b",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "7b5e2e49d08254a21e616d0d7c012423cc85c6901102e74741e76c61b954e248",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Defender Exclusions Added via PowerShell",
|
|
"sha256": "2afcb52f665f5f7654c4072688d0237a14783fdccd3072facde42a3d34927c21",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
|
|
"sha256": "f79c93da59940cae1bebd8d7154ea7bdd93fbc304d08dad323dbb1cb92fb83a7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "4511e456a9f50c683619f539d2453155418cf0fd0db8761cc7a133e6edec44e4",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"2dd480be-1263-4d9c-8672-172928f6789a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Access via Direct System Call",
|
|
"sha256": "3b3ddba869e13927b934a13feee218fb9bad9fabb073b8b394da384cba92276f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2de10e77-c144-4e69-afb7-344e7127abd0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
|
|
"sha256": "1d488ef91e96ded9a1b9dfddd9e26c6a2fdae410b8d33c28258f21f2c899bdf9",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Wireless Credential Dumping using Netsh Command",
|
|
"sha256": "e3c83bd6a515673de30b182011cfa142953cfc3d33fa2dfd81321659121f68c1",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Renamed AutoIt Scripts Interpreter",
|
|
"sha256": "8745b588d14eb55c481e38cf15207d2321402bca2b30f3d85a71a7d3c8fde456",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Process Injection via PowerShell",
|
|
"sha256": "3c3c556039031f84eae43e7dc89ed38149e37a1c65aa1ef16929a4a10c420ff8",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"2e580225-2a58-48ef-938b-572933be06fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Halfbaked Command and Control Beacon",
|
|
"sha256": "846c561aa886bc0c006237aec72dd464697e504a852617c4245e047b9b8514c9",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of a Hidden Local User Account",
|
|
"sha256": "3f82c82a2c8e77ccbe63f3cd01571f9eb976b90c2f691b676d62bb3ee3d82f32",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
|
|
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
|
|
"sha256": "0afbdaba7acf15c3327cb32ed68d2c343874a091c7227234d3a5679d97e08039",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "4a844fe4c14f73c2ed158be5b0f7c460d370964877850b58b1c05028802ae183",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup Folder Persistence via Unsigned Process",
|
|
"sha256": "99c7a3702e081f50034ee2a6f485707a2bf0fde4033f331cbe03272cf951a811",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Defender Disabled via Registry Modification",
|
|
"sha256": "6a20e7aaf678bc1dbad20cc522972860e3c0d7ce6a419809d5ad14dbf0d59b0f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"30562697-9859-4ae0-a8c5-dab45d664170": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Firewall Rule Creation",
|
|
"sha256": "87515e6e3ccb1c2f7a19fcf70e79b03509d22901c630a765fc504ebbd3b5b663",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Timestomping using Touch Command",
|
|
"sha256": "2f8747bf5dc85d90061a0c86c73e2ca1af308d260c51968973ec53780498a04e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Agent Spoofing - Mismatched Agent ID",
|
|
"sha256": "10c613afa51415b16d20d908959aff6312558e02c66d990e5bed76cd9736396f",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
|
|
"sha256": "0ecd023337890a68318fe076b3b7d30c7a36d3cdea28c26494e94930ed77e8da",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "e6dd05ab48be0d806b524c682a43ae2d060785382d48522b0608c1344c442b3c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"3202e172-01b1-4738-a932-d024c514ba72": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Topic Deletion",
|
|
"sha256": "b90fc815a3bd68bc08a8d7149141fc1583256783ba0197c4434a1fdc7258c4e6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"323cb487-279d-4218-bcbd-a568efe930c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Network Watcher Deletion",
|
|
"sha256": "6ef41c449f78258c39b4bb1940c9e184e32ee4a1b272d2362a90a87fbf09bf91",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "6e1b6cf51240cf453c37dad7191ec4cdc1fb33672d8965a73e4a0bfd65b82ec0",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Program Files Directory Masquerading",
|
|
"sha256": "39cbf31a7c86af526f140195342c309abcfb0a6657e2cd33995a48af7f28dd2a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "d0126c4cd1a06294ebb2feaca58b8741fa6a4855a598fd810d162b92f92368f7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM User Addition to Group",
|
|
"sha256": "f9f64c8c43dbc542a243f90cb1f8998195b05c0787494a7b83a18b9d7108a758",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Discovery via Find",
|
|
"sha256": "bf06a7a336fcb5e4529ebb7ae677770e7deacf8e0d38bb6baede1d97a264f30b",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via PowerShell",
|
|
"sha256": "d0949b603c3913e7945e19e617f6d1788bad46c1317fb28bc362073ee6f2cb37",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Accepted Default Telnet Port Connection",
|
|
"sha256": "15e7fe1aab91be2d8c8cf7662336d7e3db7dc28dd6aee3d08f863c2039c555b9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via Electron Child Process Node.js Module",
|
|
"sha256": "b5a9316d1ca4cd3931bdde21f87bd81576edf3bacc0cd5b76d00cde9c16948bf",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Port Forwarding Rule Addition",
|
|
"sha256": "49117c156432d51a3b42d0527724cd065934238093e1bd540c8ed040187cbffc",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "392cb3c47fecd3621ace510af1fcae7fadade8370632852e3428f690fccae275",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"35f86980-1fb1-4dff-b311-3be941549c8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Traffic to Rare Destination Country",
|
|
"sha256": "e2d23c8d2e836c669931d99cb1c47b64b5b441262a0744cf7d4d9826e1f6c6eb",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
|
|
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
|
|
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"3688577a-d196-11ec-90b0-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Started from Process ID (PID) File",
|
|
"sha256": "ac556a22f0203126ff2ad707b23646f38f4499e1bb384eb4449705b2dbea40c3",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious ImagePath Service Creation",
|
|
"sha256": "9cd1fabb072bbb552bf57d8707f7557100b20d09ffb67bc0ec4204cf039bbcdd",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Security Group Creation",
|
|
"sha256": "9d96d07aa52c6d6bdbdb1fdbf10e88f57bce34f4c16414ed6ed605da7916c137",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"37994bca-0611-4500-ab67-5588afe73b77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Active Directory High Risk Sign-in",
|
|
"sha256": "1817eadf9b1e8d7744fe1dabaa9ad4fc2548be336b168c43b152b519c035981a",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
|
|
"rule_name": "Anomalous Kernel Module Activity",
|
|
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Execution via System Manager",
|
|
"sha256": "2013db420f2c10500719738b10d4ea2af48b9d5413a8c01882b5eb9d87376aa8",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"37f638ea-909d-4f94-9248-edd21e4a9906": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Finder Sync Plugin Registered and Enabled",
|
|
"sha256": "44ba64644024dc54a25d00866226a3e9e7e7a52551f6ac637c18327258d611a3",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "5dc3d4b26fb6d7a5870f5b587f98ded53d043ff35b39a5d1a79e515e57488dff",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "014e9114233036b42f2d528848e5a4ec500d6dfd8321bafd6144fb0d573c8508",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Prompt for Credentials with OSASCRIPT",
|
|
"sha256": "0d1ee1272f55ea776d1fd4ebffed1b50c4ce82dc55d0b03ebf23e84727695003",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added as Owner for Azure Service Principal",
|
|
"sha256": "97d1d34640ed067b24cd9c6aec92a3218d38a9e44e5e1c3858822b9f355e152e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "External User Added to Google Workspace Group",
|
|
"sha256": "1abb1b476e9ec2149ea299f2d472ed2b83a97a0ccc5fe211869928e7bd6447ce",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Network Access Control List Creation",
|
|
"sha256": "52afd39f5c5af5e2d8ad2a3100837da61ec94eb0d36d6e8916e2a23a37b1ef4e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Microsoft Outlook VBA",
|
|
"sha256": "e1dcefec6af145ae901faf505f9986afc7132c91a6f6a354481f1cc39083f09d",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DNS Tunneling via NsLookup",
|
|
"sha256": "e137f7851ed47fcbbd83209b3a13bd45a16a48a068989b5d9022a1d5908b51b2",
|
|
"type": "threshold",
|
|
"version": 104
|
|
},
|
|
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Module Loaded by LSASS",
|
|
"sha256": "d67087cf02ed45f0d1c9d675e164b083a4d0b771197fc35ae07945e96fe73a58",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "bbcc9ecd7b10f4e3d3eeebb7532731a3be93c1cdc5be362edd4643a610990c99",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Full Network Packet Capture Detected",
|
|
"sha256": "ed7c759eb27766427a4ddb53b35f5c39aadeb89cbe40c95c3cfd0a943127616e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Malware - Prevented - Elastic Endgame",
|
|
"sha256": "c68b4300522aeae03fc3516d2d25931b932ecde33cb71de6e93d31c77490ef3d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Parent Process for cmd.exe",
|
|
"sha256": "22086f0e2ce9875655d47be82a380eb6e0500c9063bfe9706136c418191e5d96",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "NTDS or SAM Database File Copied",
|
|
"sha256": "a2c7733553d732bc6ce68234daf7bb9707c289256ef2ca9f996dc7e62a0208fb",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "965033b4984695bbfb8153b24254c3c543d01af03d7c7f769004ade7dce02316",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "4ea1b047bb45f7cce1ed5f5b93feefcb9e86ab41b3125a936d3812a4e5c29c36",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
|
|
"sha256": "c03e7261c2a89b42f4d3ccc42ae8a74135225d733c13cc801c2fa1ab26323281",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"3e3d15c6-1509-479a-b125-21718372157e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Emond Child Process",
|
|
"sha256": "f968dbbe6833512c669f5fd67cdb59f4ae762253fc070f8adbbe41d0eceebabe",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "672953828261d4ac8b2ddf31a745e7851fdaec33af943b2fdf023c429cb6f78f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "14543076c7e4ad378491ac1d8b53dc270a163251ca0cfae7c1b40d4cf49d7a30",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"3efee4f0-182a-40a8-a835-102c68a4175d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
|
|
"sha256": "c2c2f1f18bd31515f4fbc65a849bdb58c56ead6aa70b4d4fb8aaee1449fdb474",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "CyberArk Privileged Access Security Error",
|
|
"sha256": "eac32a4108db050129c6234b8b03ef41e888ffedde7571c022877c1796c3c574",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Binary Executed from Shared Memory Directory",
|
|
"sha256": "bf56356a346a0da16ac9016af79b1a6f0eb5a362275acf07fa20e79e7ecb2556",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "1688156f3dd9d68553fbaa8eaa259b1efa19e91ed7d3b73c6a8f3d9db30539b0",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"416697ae-e468-4093-a93d-59661fa619ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "165f98a858345927a3a807b86cbb704cbc5473ccd7d0afac46698fdd6d62f483",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "EggShell Backdoor Execution",
|
|
"sha256": "f5664f6d22aa17c0d8a19b1c354d5b527c55951fd8c2b1931b4adc9bd15ed203",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Hidden Local User Account Creation",
|
|
"sha256": "ea479dc0b5ae37a63bb40f924465763e853cc501e161367c13cb9e9d650e7e1b",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Interactive Exec Command Launched Against A Running Container",
|
|
"sha256": "67cd43a026aea8e6b4cface1ca2e0dd9aeaf4788c465ce03465e38a0591b3afb",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "20c32ae0449654c229d96f32b7577f83c6e1990b578aa631578de9a5d8c5d0c1",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"42eeee3d-947f-46d3-a14d-7036b962c266": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Creation via Secondary Logon",
|
|
"sha256": "331d4983cfe1f7e04d6f4301d9b745a70196e51245a64a0af2218b0723342dda",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "cdaceb5b80344a1b354c6bccd2f61beccb4bf0fa62b867fd1160e0ab898b85e6",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "56755b194b100eeda470eb0855c654fe20b327e1b99fdbecaa104209728e5b4b",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "5a5d4c3c1d036f652860ab42c84543cc91cdcdab19ba7da81cf4284d6d9dede8",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "2fee9087c66ddc4dbc6c67906bb024b58dec2cba7498d7d9b3f697c19a858071",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Vault Web Credentials Read",
|
|
"sha256": "892bf5ebff22903ba929949a6fe05131b9cb4017ae9c75db456b46a54620296f",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
|
|
"sha256": "57da49505fa7a935e774a271cd364bf67750bc8021808efebe06fbdec618e335",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Event Logs Cleared",
|
|
"sha256": "ee11fb1944e7cc8f000dca73491c709d7bf9426c59a097b88c8cbad284dfb838",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"45d273fb-1dca-457d-9855-bcb302180c21": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Encrypting Files with WinRar or 7z",
|
|
"sha256": "57d0984a0a22e025af5d4d25514c62f77ee50e2843623e6df024ac2d09bc19e4",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "c95054727729dfcf78146eb0d59d4f4861a78c4eae9eb75b70e5c79b55eda27c",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "9764637bd2050ec69bc27cb45b392fedf6f08f83291b2729629df5ee138476f0",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "3f0ec77da4a1ee3ce1b5be00ecb5d48e9d3055dc19b8f9cc470ebe85f45c718b",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Potential Persistence Through init.d Detected",
|
|
"sha256": "88b0889184451e966a3fce7e63e9b7f6aef01f49fba0811bda5510c0d72123b1",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Sensitive Files Compression Inside A Container",
|
|
"sha256": "0ed1aef2f58f89b242d3bbfeca439cc2f3cdcece95b7ea988db9c969aff2dcd3",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
|
"sha256": "d6a9bcfaddb37f31b3411499f1c2870454642246efb1bca00035e71122ae4794",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"47f76567-d58a-4fed-b32b-21f571e28910": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Apple Script Execution followed by Network Connection",
|
|
"sha256": "685dd27478567e801e3987edc6b43fb24014a13a1c19ed558caf8e9472b62243",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "4955582887ac414ac1a4ffb930f0c5b70fee55137cb588f6c6cd9e0b39c43cbb",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"48b6edfc-079d-4907-b43c-baffa243270d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Logon Failure from the same Source Address",
|
|
"sha256": "50f93eda50306dffd46cb95258a961d4d65bf872bb137e6707db5c9ab5f8a544",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
|
|
"sha256": "ae22bea026824f7536330317bd166123a038b9fdc4d905d575e3990c5cbdf010",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Periodic Tasks",
|
|
"sha256": "25f11627c5f96622ef4b290298d91f638424db136fb1d737f72849454fc52268",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"493834ca-f861-414c-8602-150d5505b777": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
|
|
"sha256": "c0189c96284facaab70cb39582539f6df586acf5eaa01b3c326823c643b90a68",
|
|
"type": "threshold",
|
|
"version": 100
|
|
},
|
|
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "f65ab660ff049917ef0d56928b4115a2675fd3a83ade36c9569b28cd3cf3397d",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "a355dca1d69bce534c6ee425e55553a3e99b7fb7671f5d83414ab67cd28a0bd0",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
|
|
"sha256": "415aab90dbe7f905c62073c0aa550090f429218aa6b8f2465ab705f404348b45",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "3e73af83ebc6ba0e95169421994d295e4e2e90923930d77a5d09ebaf50d7cdda",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Container Workload Protection",
|
|
"sha256": "ee1b1e38b351ac66d379cc039b187733e3cf3bdf2bd449cca2a3092b61a8e697",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "be29c8666e298e01c32c4103f4a480fe4c8b3cab6f2443a86e1168732e21b547",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Share Enumeration Script",
|
|
"sha256": "e28eff9f572f1453c514e5c6475c1727a5fc3fe89ce0e252867c8893a75e99ec",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Management Console Brute Force of Root User Identity",
|
|
"sha256": "c42869c8bcce2f2ae75d8e6bd8e7e4898b1d7fe4f71201af04b85571fc4ab2c1",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable Gatekeeper",
|
|
"sha256": "361e41723ea4953a48aff9241e87199571be4ba155a6f3af19cf38b5f0abab78",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "9b1de654404804cd58d14ebb8dbeb49ebbcd692caa7a6907e61d4253d0ba48a8",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Logon Failure Followed by Logon Success",
|
|
"sha256": "1e654999bf784a5836e533041298733ec2a975ff5ccd748fbe8fb372ccd3a72c",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"4ec47004-b34a-42e6-8003-376a123ea447": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Spawned from MOTD Detected",
|
|
"sha256": "01d53d8c16b1304c51d6c05c9d879ee6bbf997ddfc631373f8a5a457f7a08405",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "49eddcc02c1f0615daf198e246edd82009c962e79774d4845fe44d4a1af4f524",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Script Object Execution",
|
|
"sha256": "b4db7f218b043bc3bc3077473ad4b5b78204704c1b4fada76a4d3f1db4273c29",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unauthorized Access to an Okta Application",
|
|
"sha256": "b3b118ad1059195cca5ad6345c2480031da54ca94602e5e88c8446dbf90c793f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"4fe9d835-40e1-452d-8230-17c147cafad8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "a2b74cece703ec89b5917f9974968b6645b0b34d2796d1ad495332b43f60e148",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "8b053d044fcdf2dda7bc2c0ce924cfa03ac38542627e21fa7b3bdc3f4eacbd8d",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"514121ce-c7b6-474a-8237-68ff71672379": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
|
|
"sha256": "4b3ee12f6ed02b5f7a530627ebcf4a03977f654840b6fa6044a377809b7ce8f2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Sink Deletion",
|
|
"sha256": "7fe926c1696acefe5743902316b816b07b0c68f93be011e9c2402866b3466dac",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming DCOM Lateral Movement with MMC",
|
|
"sha256": "867fcc950e3b4ed1e73e2b839031c596d23839dc313e44d602de75fadee6e3b4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "e7a27d3aee7df88116c49a7af4f9b3b557ed48c4a16e4b0b5937f67e41338e4f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"52376a86-ee86-4967-97ae-1a05f55816f0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
|
|
"sha256": "45d98ebd2f889a76448a6084317f103aedc0857d939d974f5356192c388071cc",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "906654c8d5c7082a8b13cb88e5cf252c890785c90a7e5b4a71f4dd53e0bcc0fd",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "43863eec75a65adda2517d686871e142cfe0cedd1a003b9e939a334b8fdb918e",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"530178da-92ea-43ce-94c2-8877a826783d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious CronTab Creation or Modification",
|
|
"sha256": "1cfab13a7773458aaffb8d9fcd61858f1a828710428d6924a252cc3c3482dc2e",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EFS File System or Mount Deleted",
|
|
"sha256": "fefddfd01d7302de37ec51bb9711efb2cd727258c44850856d33e53ec577e90a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Diagnostic Settings Deletion",
|
|
"sha256": "a33f7703c7150e2ab58f7c1af92f17d3358b8944ec15b284545340ea7c235bd6",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "e9751700ecbc9f69adaa1249c8cb06e1d08f139c991bae34d0d3f9d2577a08e5",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "e0b3e321b94dc2b0fb7caf747b0f6d00a9583f21eef8bfaaabd67c7b58cd4585",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"54a81f68-5f2a-421e-8eed-f888278bb712": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exchange Mailbox Export via PowerShell",
|
|
"sha256": "bc298b950747ec81dd5f3f40e7c200358853da2625e71142422bf3f38a028b0e",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Logon Provider Registry Modification",
|
|
"sha256": "9f30086102e19fa654b9d2f8b99a2e8b246cb2be51bb3cedc2fcf12ef5efaaac",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Service Installed via an Unusual Client",
|
|
"sha256": "b1f34d9a36127c5b57e5904fba53a388080ed0a3c8664b5578f07b827ef2b2a4",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "dd753506c5c77591675ea1df5f95d6c573e9b2a298cd59b769a13f725b2995c4",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "1e02c0447afc51b9aca5b0c8ee43e176f21c7581578c196bd240534b9110f1fc",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"565c2b44-7a21-4818-955f-8d4737967d2e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Admin Group Account Addition",
|
|
"sha256": "8e069b6e4fd81db3c9aa54f00162e9ee563c0690394523e8291ad971d0ad0eb1",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"565d6ca5-75ba-4c82-9b13-add25353471c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dumping of Keychain Content via Security Command",
|
|
"sha256": "7c6f6d3d27c69cc14bb0176d0ff09097ef419db62c885f6de9f0142688774865",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Bucket Deletion",
|
|
"sha256": "e8353127abf6464a09407f4c2493554e0898bb659b45d26fe17f191252a774ab",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "0252746bd5d10b5eb5723a78eba7f327e0045f0c9d2a0d53b212401d17ed249f",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "05408e6d3450b8f61459e1fce920890b470a6691c922ec593b102ec10303db95",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
|
|
"sha256": "e9490c3bf59b4ca766d6cfb1d1844fbf2dc71adcb09780c761b527ecff87b428",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Virtual Network Device Modified or Deleted",
|
|
"sha256": "36b5cdc1f4072787f2a7ee1f75cf300934251e66bd85f8471752d14d63f3cbbc",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell MiniDump Script",
|
|
"sha256": "b80e3d3f96eb109a7eb1e59d1e8dcd1983ec9781625f11b0f06f3d2723e516db",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "7192352dcc66a8fe178380c2f98fc855b62641c9b58116de6b07d03197d19ca3",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "9b1d7e37535173aeee05ca5cb9e4f3e0b62dca6fe20af82d49471d495c1e418f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Zoom Meeting with no Passcode",
|
|
"sha256": "b11bda77407059cc54037e469693754321f43bae2e53010ad95944e9a774276a",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
|
|
"sha256": "b6c6ef5d4f5051f04e4d065c12cfc8f3e3b5844e39331f684957f69977283d37",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
|
|
"sha256": "30bf19aa3ae3dd45744c2d060758a3c8f40694917a6de2ff431a33baf49cfc65",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"5930658c-2107-4afc-91af-e0e55b7f7184": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Email Reported by User as Malware or Phish",
|
|
"sha256": "2967ee9d92e6919fd392653ca21163fd3cb0c2231fe79fa57a28134dcba36c9a",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "ffb4cba38273c8d57793ed7c2315c1371ac18365da49330998fea73b6c347805",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"59756272-1998-4b8c-be14-e287035c4d10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux User Discovery Activity",
|
|
"sha256": "dd31b687b58346ce56f87bd367d0f79b779864ebf583e863be2f7d6d83bc242d",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "b30aa0fcd1b985a702d8d78016225fb7423af9e56df143b5dab8f74360c43ca6",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
|
|
"sha256": "71cf82dfff0f9a3d67f3f7d435cc9b41973b0451e59f1883e5ec5fd48aa86e55",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "342104d22c85b187e55bacccddf0aa710534299a221f5d13a06c4d6f289b6464",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "b2e3a06cf9d34d4d873dcc00217a5dbec87f0b8dc6571363fcd8775dea61cada",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "943e36887702a9a13257189b23f4a447985b055a0d7ca2e0f66251fbe40ca4dc",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "6ffd5479e903c8b3363f7b944493fc35ff2c85e45e1ca1be92e6a8e28084c1ba",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "FirstTime Seen Account Performing DCSync",
|
|
"sha256": "9ecbc1eb41046534ce321837c455b7555999fff7a7a2be569a18b13420e37d90",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"5c983105-4681-46c3-9890-0c66d05e776b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Process Discovery Activity",
|
|
"sha256": "df37f1979c1a5ee441b9103aca366fb458476dd528b24f3cd605c74ea49fdbeb",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Defense Evasion via PRoot",
|
|
"sha256": "a7b42bcd041e43731c6262063dedd025f3307e9720a1ecb431d5e286359f2a15",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
|
|
"sha256": "ee8c0a778d51d9f173abafcd283ef5657952de1d18ab40f9b0cf0da7ccfd9ed7",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added to Privileged Group",
|
|
"sha256": "773f71af71834ffd02c21836b4d9857908bc26aca6b89f6aecc6e79486cac84a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via PowerShell profile",
|
|
"sha256": "b387102ad5bdf1287c63b135b88b65717063d49d116ca2467d5d1516ba4e7f0b",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Login or Logout Hook",
|
|
"sha256": "350bde74cfc457a3e9af70c0fe42765f3555d42aa0069249fee22be0c213036d",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Scheduled Task",
|
|
"sha256": "fddf8b5aa357cb814351eccaf0ba4dd73141f7a95d2b6725f828a936510e701b",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Automator Workflows Execution",
|
|
"sha256": "62eccd3bfd427a45c07d34d35290c0b6ce1409164c478ca3b394738a8f271613",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"5e161522-2545-11ed-ac47-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "0e4f796c44b12756ec86c03bef7bca532a986bd70cbe34fda071162af183bb2e",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "ba93257d9d8315afb9ffeb6494361fd356d2d50eb9fb08d250f29446ffc49019",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"5e552599-ddec-4e14-bad1-28aa42404388": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
|
|
"sha256": "50aae074ddb8947d940c38965282b736fbff99f023d2a715cb22e2dca25e2f4d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"5e87f165-45c2-4b80-bfa5-52822552c997": {
|
|
"rule_name": "Potential PrintNightmare File Modification",
|
|
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"60884af6-f553-4a6c-af13-300047455491": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Command Execution on Virtual Machine",
|
|
"sha256": "5637e2ee71403942ade1e207efd0fb68aad7ddb05c75fbbec08760e3d430476d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Service Principal Addition",
|
|
"sha256": "790a04ad7ff41fcd3757920bdaeedf2c17109f20ae4edce09b8dce36774e3b32",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
|
|
"sha256": "ebca4569bef15eab7d2b131134f2c0a4f17b6f29255255feaba207e377d2ba7a",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "d44b8fd15f89636c82a9b2f12b69ddacb7f54d23325e57cb7d506ec57c1f280a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"61ac3638-40a3-44b2-855a-985636ca985e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "dd53321d717e3307f2c59284b8a30aa7f702b4590ce60b467a5a2cb6c95b664c",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdminSDHolder SDProp Exclusion Added",
|
|
"sha256": "65f399bf70c38dfce92e0bbc0b4e676429e70705e1008e716aec59948173fd7e",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
|
|
"sha256": "a8cdcb042d15ba2ede5aa653817d69c667d716f86b09f0413ca06f8fabc09cc4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Configured with Never-Expiring Password",
|
|
"sha256": "630de8e1e83f9aa603a3c8d81348e5ef192162f7b552d96241063e4a01556e3e",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"63c05204-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
|
|
"sha256": "6d2337a15ccdd51f06b3a84154839bdc194c7036182e8687c647dbc2761a55c8",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"63c056a0-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Denied Service Account Request",
|
|
"sha256": "98e67a6d5fcc9a9226d3fc6cb0ab03c069462d38266890233f83a5f68e208133",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"63c057cc-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Anonymous Request Authorized",
|
|
"sha256": "bc9fd4446bc35467a272aa7150180eb90221bb5d1abea7ad48d04b982089e511",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "d885f39c3c86786f3d8111d23ab3188d5d697e7c18e3b93f6e9f5b470a4545df",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "1bc892877ab2a781c74918e3a74ad007e64dda74b8a8740547e16408986ac845",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Safari Settings via Defaults Command",
|
|
"sha256": "163022f4533c182c27180041866df9922c250865f14b7d261d7c8b44a30eb191",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
|
|
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
|
|
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"65f9bccd-510b-40df-8263-334f03174fed": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "7bdb29beee19d63add116b929b7806d41ae36881ef9d37390be3331c731bcf28",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "aa3a90493355e6e960301ed926a807576421146a83a0d1c0d1f4686da676d96f",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Mount SMB Share via Command Line",
|
|
"sha256": "6b420f70a71e6aa55744fdb6b29f14704d1020a60ca48e4607b3288b20affeba",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"6641a5af-fb7e-487a-adc4-9e6503365318": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Suspicious Termination of ESXI Process",
|
|
"sha256": "99b63d758a4ad501ecf41cb80c82fae992773af79a92546e9ea2561794e0c3ad",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WebServer Access Logs Deleted",
|
|
"sha256": "b278ad316df91b043b52c2733d1a7a52b28387c296ac7d735830aa6b2cd87c3a",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Commonly Abused Web Services",
|
|
"sha256": "493375483edbd760d44a9ceb4465b8f85790e3b897a6071b15871809c0b8ddb0",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious macOS MS Office Child Process",
|
|
"sha256": "10a0942dd2fa026f7ea28ff8cd8dba339d13b6d1ebf0297b8b4f817fb7cf4882",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of the msPKIAccountCredentials",
|
|
"sha256": "a3ac47c22340da9ad191290e6a4940b5f6b8cf4ff47398583baf919d5338a13d",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Policy",
|
|
"sha256": "920fbba08c958b8664071c20d1ba637d146ed67edef7e8cf792e6b24155ab831",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Mailbox Audit Logging Bypass",
|
|
"sha256": "be4affa23789ae2a09fbd537820317eb2e39cdb1582e3fa38dc10d83f53e8aeb",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "89eb0d585dbafbd7f1ed391a4b5ba76bc2f8adffa69f5c6d9206537fd862d777",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Process Terminations",
|
|
"sha256": "8b12bdfac3e2c8d60903a28c6f5e947acc37156bb4320bf4e8dfb3d837b3ddfc",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
|
|
"rule_name": "Query Registry via reg.exe",
|
|
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"6839c821-011d-43bd-bd5b-acff00257226": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "6549f7a1a56c25d6a086a94608a5aa8741b126e52d9678f2935aa47d5b5d1012",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "New or Modified Federation Domain",
|
|
"sha256": "b36b28a3d7c05bc571463614e266a0db27d51920ae9cafa0b2ab15e654b98a7a",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Threat Detected by Okta ThreatInsight",
|
|
"sha256": "6b3365514534840a4ded646f7e1a3e0cb9eefa5c2f9a6442524d9cb7b4f1abe9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "e102f2d4c27072d55f55d4d1e8ad51f6e783bd9441a20972a74e4e345bffbbb1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "2c52d4ab28968599f73fc69986af4d6bb32fa1a7990400dedb69a00d27923991",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "6cb756966c3423213a3d0f7f0bf605055498cf08e376707dbdcff4c3cd3db323",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Scheduled Task Created by a Windows Script",
|
|
"sha256": "9f1c352afefff0785a80acfbdf93d9bdb3aedaf7a02156a828d9d7c378852b19",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "698c9dfd7302bb7c5ee83b30df48ce2ee828b9ed6cdddefef59070ac9eb4f2b3",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
|
|
"sha256": "575b2694135e659209e5f19f431d4f58c4d5899ea21d75b311710378441070c7",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
|
|
"sha256": "9b130fefd9b241c680978edec44b94d019871b416da22b2a2e2dc77f90e4b542",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "b6ac668cc6d5e2dce2615788c3f70ee23c8f8c4f5e3006c06b4e197b0174d651",
|
|
"type": "threat_match",
|
|
"version": 103
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "60ccc5a2eb4cfa19135bf07f907f7676b64d721d93720d04697790399c1b5c54",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "dfff9f796b3d2a8c41f0087a29f68d83619a9b812765fa26e3267f500cd4681d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "4eaa1e9e5916c6fba297908e6d63181dbee461c8f0c7ff712e53dc91aabacf65",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"6aace640-e631-4870-ba8e-5fdda09325db": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "96977edeacf48ebdef08e138bb2b3ba74e28469a463d60400db755d56c409426",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sensitive Files Compression",
|
|
"sha256": "0efabe3beb60e13d79bd2c91385a7c7bc3be3ce84639cde24bef27ba8b5f44ef",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Computer Account DnsHostName Update",
|
|
"sha256": "22ef56a16f21d022a7426745003d5a097a4762abc7b89536c3e08a284f1b3434",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Container Management Utility Run Inside A Container",
|
|
"sha256": "bdbd965e21ba2965ad48e197999c6fe1b215e676bfc42e840d9cb0e5c9b6a61f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "f06648d5939b34c59382a9f0bdd2b1fdebc4b7e3d9d03bc963f2e57439a37e37",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "204ae5f84b89f03f94fc102b211789a5849684383b039504973bcd7465abe995",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
|
|
"sha256": "d283bab19263dba4272bf50131da6d132b867dc3de50fff4901b005b7803d32d",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "1ff50208dd37e68835d22ff13a894b0308ce2b10d0f0eb18a1e83ecbbd1c8504",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdminSDHolder Backdoor",
|
|
"sha256": "ff43f2469c9ad8d976e9faf0c5119cbe48f78a9634cb6fca841abd0f2715bd79",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
|
|
"sha256": "7ba99e8e02e3b9f4f5b8d0132c7c9b94e5115d2159aed3c8342abfa77f877ec9",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Windows Error Manager Masquerading",
|
|
"sha256": "b57198337fe983773672e9a5bbd508cdba50655dfd6243b60f7756080951f986",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Security Software Discovery using WMIC",
|
|
"sha256": "e9b7a40a40ba5a650aef7eb34cdd11ea51c137f8d9210ad81abcfe0a9be68a63",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "daef89c776f6dbbe4af324d1e25088b7050e7ea1d1e9ab4726f530b8a5b4a5a5",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "1cb2e0bbe8b50a91427b2502b8254331af4cb85323dde466d527f481121bd572",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the find command",
|
|
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "6c66a216661a81f1bfc027b73a7ae4649731b27cd07b71f6f6011927cdab3ffd",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Config Resource Deletion",
|
|
"sha256": "f207f21734cba24d01b258a68d79b7940fcf9d2a16cc3381c3a1a9eebab96ed8",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via WMI Standard Registry Provider",
|
|
"sha256": "2eefbc10b6fd4770b298539fd712506272927be2c8ad242b4950f24dc089b77a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
|
|
"sha256": "8fe97c8e3c716ef684f76afed14acf49f6df8fa635b11647f280c1e65322835b",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"7164081a-3930-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
|
|
"sha256": "b64f9686d24491e87ac24ea4f8e2e8a5ea1719fe99fdc4d0393fb9503dc56ff9",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
|
|
"sha256": "4b932dbf738ee22e2a0140704ff28e47eec6a9db76f9fe97ef5e63bdf4d8fc6c",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"71bccb61-e19b-452f-b104-79a60e546a95": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "2da3dc95cb5cd7361d9b48c1bb356e51a3f99909f9e3042caeb6d15c2995d2fd",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious RDP ActiveX Client Loaded",
|
|
"sha256": "da400de1acdad6bb9fde64e212c0518716dc2250c62e078a0f40fa41b8a6191e",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Potential ransomware activity",
|
|
"sha256": "5ed8b9792817be8710679364f5e1af5fef0cf852e05c97076743efb4d24e3db2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
|
|
"sha256": "605f9a888e2693ecfd1f05ee530a9d7e986088669abf71629dcbcbbcd91c025d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"72d33577-f155-457d-aad3-379f9b750c97": {
|
|
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
|
|
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "28cfe80cd89b9b8a480b9b14501184fdfbd94d05f1e00b3ab8781162c6cec8f0",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Environment Variable via Launchctl",
|
|
"sha256": "7169486084b5ac92d1763d2da6ca6fc5e5ca50fb3c374cd40c9f99a100296771",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"745b0119-0560-43ba-860a-7235dd8cee8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Hour for a User to Logon",
|
|
"sha256": "2a0d7b4f4300b43619c65eeb099809b294559fcf8320c8057b62ba8322bedec1",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "89a38c151792f652c09ff8ef900c8520cc2b6a0b0a377d9a0025dba0e72db939",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "ac64583e7ae5ae0b7d30afcee64a1d3f5415d1e43351b8cd71d4d428704faf34",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"76152ca1-71d0-4003-9e37-0983e12832da": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
|
|
"sha256": "975acebfbfee11fe275fadbe5e279d2f027ceca46046b7a4d1564e298f1f58df",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"764c8437-a581-4537-8060-1fdb0e92c92d": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "9a9a9b859d5aa0b1260420d9cf0d17cf615400af097106fd35f5b1d6af863196",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "7ea37e2bc8f94aefecaaac63a56ce676dfef1e14b2d2c9aa712e9591643fd140",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access to a Sensitive LDAP Attribute",
|
|
"sha256": "9d019640feccf23d7830a68debfa05f46666627c6634b65ee162a2cc46a97386",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Shared Object File",
|
|
"sha256": "2b4230ef5db1708ed34326849e6d44a7ce2c1b35da7ab719b3d20a83ba9df9ea",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
|
|
"sha256": "664eca0571f86b61cbdc8d93b52cd435246e2d7f39cfbb4bdab36ab69d1bff7d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "13de7cb5aca2e3527a0556f97f725accb2f0213fab25c85d668c14dae3c89006",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "9fdd3e949f6f57f4a8d12ec8d48f72152b875a11cbe3a05febde5ea846c6b9a7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added as Owner for Azure Application",
|
|
"sha256": "a97f673b735d37b32973f00c9e6ea2608c0f8e7a451e7da2ed05a256eb20d451",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
|
|
"sha256": "915716860c1f135cec8ba36dd5ee26b28cde838556f277fe9bfcb874ab78f8e3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "a3cc84e17ebd0f9217243f6d5128ebb437ecb8d4e643a5ea8d1b3e3e40f343be",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "8462fc7075eec85afeedcc968615d2fe4f77ba5af9d7f58228b19506df08bd12",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Privilege Identity Management Role Modified",
|
|
"sha256": "c90a096cbf363f1f42cf58b076b63e022b205e76679fb84b1ec6bd95a4db33d5",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "4a821739bad394ff55f52126893666865597943bc55ee5d2433a92ff700e8c4c",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Unsigned DLL Loaded by Svchost",
|
|
"sha256": "6a65b878631dc6dd3c163b3250d11bd4dd579ad3bcfd6eafcf6ba8a7769b450b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Key Vault Modified",
|
|
"sha256": "4e3adeb6c003172b64e7a0159d691edd03b0b1732440043433a32593315ee0d2",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Exfiltration via Certreq",
|
|
"sha256": "59f186aeeb5402b8a588000fac3ca826173d383ce4452fe48a10bcfcbcce466b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shadow Credentials added to AD Object",
|
|
"sha256": "8999e67854c72fbe1314e02d3f92145afc1186decc109621557d5173f02b472d",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7b08314d-47a0-4b71-ae4e-16544176924f": {
|
|
"rule_name": "File and Directory Discovery",
|
|
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS ElastiCache Security Group Created",
|
|
"sha256": "5d9e32b76b3fc4aff322c08ddefeff9458d1cadd65801aff7e2d5cb20767d021",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Network Enumeration",
|
|
"sha256": "fc464c8b6f5355e4cb2f7c4ff0c1616def0ec8627d242522e6cafe054d582078",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "861d78b1f8570fe76c030a625cc5f3bd4e24c3c7d80246a011a56e47beec8734",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Tampering of Bash Command-Line History",
|
|
"sha256": "4890ed7ae740bdeb75cb9ad063fdc380a37dd68e59c591aa9686bded5f79d1e1",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "e433cddd2695f67bea309beea9d1d29197cb7f724fd7e8b1fe04b09657cfb195",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "8c2b1166be63c7f784723d34b093b2f30d16309672ba093ad410b92655710736",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"7ceb2216-47dd-4e64-9433-cddc99727623": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Creation",
|
|
"sha256": "45125852facbb0a351a766b9701c771b1891a42179771d35321d003de033b2d7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "ca5891778ddf0e1aba14b44ef381eb50da4fe08e279f3fd0aac2dbdc39a53c3d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "New Systemd Timer Created",
|
|
"sha256": "d2a899ca044dd0a3fa36d018fe651a740ab8420b095f9ac260da8e7b5cc5aa01",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "c87d9dbb412180d434f2f2770de509f6f4cf6ec12218bc4639fd728b1829a8a5",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Injection - Detected - Elastic Endgame",
|
|
"sha256": "61983f7e0e2a5a6846f2e64148a468e508bffa658f0914904759ddedd3c8b1ce",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "7e7274031c383ee0301e17c41a14895cced4dc69a4a63f5a3c27d58ab41e9eb5",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "b8ef0110a87d7c0e2b34a7e1b4364481affc0ff452c7b2b3e480725a8a3fa662",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Temporarily Scheduled Task Creation",
|
|
"sha256": "5fc7c71c51b4631d1dc4631bb13b9e92135cc98e2a9be2b242b2ed3705be47f8",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Apple Scripting Execution with Administrator Privileges",
|
|
"sha256": "8d82f3a7e21b97429ec21ccb70f9c839a3820baef9b6a4ac092766eb15ae3303",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Pods Deleted",
|
|
"sha256": "fd9f832afa3eb4db90466e05aa43684b05fbd8af82fa4d943022de552cdb9cc4",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
|
|
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "07596819d416bbd33bbe119cefed3ff436d51d684153d517c2e873d507a501f8",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
|
|
"sha256": "d65657b9b5a3d00e9e1c3b0f16846ad2bb9d412e3d61e26d4cef984635227705",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Credential Access via Registry",
|
|
"sha256": "5d3f6f0111eade36e60550698a809efaeb5b47f6eb8f7163ed84ab7f0423f89a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PowerShell Engine ImageLoad",
|
|
"sha256": "a58ac406ffdbb979d7ecc93c7f72d88ed1cea543696268b6974b932277eace50",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "ba074512f68e7e07793832d289ff4f6b2effacf988b31b4952c1b4435bbda95a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"863cdf31-7fd3-41cf-a185-681237ea277b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Security Group Deletion",
|
|
"sha256": "34e94c62ff1b62477b48e6628d9e56cdcb930f570740882c71e0c26dbaf751d7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "e7daedc0730b98d7817da23d57537ffd483d078f72e5a0dd4c6d284df9532eab",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"870aecc0-cea4-4110-af3f-e02e9b373655": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Security Software Discovery via Grep",
|
|
"sha256": "129a4e1974a0392ab3bb57658105152788a1fb91d25315e845647a163ef2bde0",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"871ea072-1b71-4def-b016-6278b505138d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Administrator Accounts",
|
|
"sha256": "8b85c68db403f2c6c42e6248dd75b22ca1f85fcb74567d42dd285f32b77f2320",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
|
|
"sha256": "a6b7d0d6f00f908fa0b5b393e3a1699f387b37814334e411607abd77fc84b7fc",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"88671231-6626-4e1b-abb7-6e361a171fbb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
|
|
"sha256": "06a2870dd213505ab21cf79e77102f038a0ca424bb6609f239f62e97824509c9",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"88817a33-60d3-411f-ba79-7c905d865b2a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sublime Plugin or Application Script Modification",
|
|
"sha256": "deac64fa51c5d56f7e7ed9b7cb8f3d8b50176fc40eb542df4cad863b4980d492",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WMI Image Load from MS Office",
|
|
"sha256": "76bb261d59471e797c8164721fb0e1dd65c88cbe16fc1701f03628429f0a464a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the vi command",
|
|
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Traffic from Unusual Process",
|
|
"sha256": "8a20330f83cbeb2b0cc8a7ab61e89a6086c130b4631b24f23204f722c36843ff",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "34c28799d02bc8a7cc28fdf8b9ad0bbc876421fa23b80633ad360a662a6dc298",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via DirectoryService Plugin Modification",
|
|
"sha256": "fc3a465f743cb0857458763a131e3f071e053868719ce37fd9e7b9d993af9602",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Setuid / Setgid Bit Set via chmod",
|
|
"sha256": "6a80154c3a5116e568ba0afae93dac63bd5675af257d579e4e578a852d662260",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution from a Mounted Device",
|
|
"sha256": "9b21d3c583122fd5e42304defab494a4c461c949cbafffc09e05d647cb65db52",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Network Zone",
|
|
"sha256": "e612843f8f71a01687c6f3336181dc7b0c3ecab0c355105ec92ebafabaee95c5",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious JAVA Child Process",
|
|
"sha256": "d8854fc273717c92698bc56feb67d2ff72722db4497210cefe7a668fa62b567c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "1290693008facddeea11a73de3c2230b46a299dbfa58bf2beeeb4b36e6648576",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "a82de5edf4c4b3a31fb70a9734322f9e504df6054cc51e0284e342a05f1f711b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Events Deleted",
|
|
"sha256": "d2fda40a22fb4d46eb3a36ed6cc7bc6304f6f30019afbff7fcd240859601b9e1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "be36f608696a60e995e56d51f29baa67f2cd8c36c86cec71f6f5ff21c6d89d3f",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "3e3a2e5da1dddf91f74f1118b93dd8df723426c05e669ab022213ceec42b0077",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SharpRDP Behavior",
|
|
"sha256": "b6d6e42eef44c31996e2b05372f6e51d4e2387c066bff3a41f99c68daa33b8b2",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Ransomware - Detected - Elastic Endgame",
|
|
"sha256": "365dff69e83d18e0698a913577e00d9e8342b03e502853d5eda7de1dcf0bb907",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SSH Password Guessing",
|
|
"sha256": "f7346b4e26a403ba3a69b3ae175a2be93473e2392068866da0f9f48c493f31c0",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"8d3d0794-c776-476b-8674-ee2e685f6470": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
|
|
"sha256": "6f5f5f50e6861e2bdfb7ac83f46aaefeb18a1aea7348870773de41a113dad106",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via PKEXEC",
|
|
"sha256": "7fada6427b53035898bdf3b184fb3ef165f1edb9ddbf989a36fa41b0c76e32f5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Runbook Deleted",
|
|
"sha256": "4a094369167a5416694956facfb84594a711b8f4622441fe2d9376ce2c65fcb2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
|
|
"sha256": "3c1f4688843906589d65e9818a81ee523678523b5aa89db4bf3f760148663a03",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
|
|
"sha256": "336542a3a18e253dad64edcd99ce3832d6e75c600b42230f51abdbbe6edc85ab",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Deletion",
|
|
"sha256": "c0b5b2139ac252a5f5a040125ce7feb6da78a6795c17930a7d53a36a9bb6d9e0",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
|
|
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
|
|
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "275c5faadc53a27fc71b03945db1a837d685dafdb1fbee833d33beaccb9fdb18",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Deletion of RDS Instance or Cluster",
|
|
"sha256": "b262da319efb5746beecc8826686ae03f9cd47389e2eb85e480613fac84ceeae",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Keychain Password Retrieval via Command Line",
|
|
"sha256": "9cd2945ebd1480cf2e3932c20be208d833c1ed1012856a7e451149420128edb0",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
|
|
"rule_name": "Auditd Login Attempt at Forbidden Time",
|
|
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Virtual Private Cloud Route Creation",
|
|
"sha256": "705b2cc98efd9b6fadc26af59015da9a1a3acde0f1f616ff90349e1c35dc9167",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"91d04cd4-47a9-4334-ab14-084abe274d49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "d37270d09912a1cb2b0c4c52be0e1d51afa32a73825cd6b42341ba2169f6b5fe",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "bc549429abb49bff270ee96edfd60f31c6ce3021ccaa7bc858f341d7010b79d7",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "32af7204aca9986374ab16a8bb33e0f0ea48fd49177e499a4e48995b48b7a799",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "39848deb08b0bfb42017f5b6b90924fa347c0671ba07aea43b2c91a2dbeb1c3c",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"92984446-aefb-4d5e-ad12-598042ca80ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
|
|
"sha256": "86121bd5791669d3f8208018a3198a0651d04886f770479edb38cc8b06d235bf",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "A scheduled task was created",
|
|
"sha256": "1e60cbeb1a3e3eddcdb21edb4ee9bbe48d9ffbfeacd965a0d0845c9afcffccfd",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"93075852-b0f5-4b8b-89c3-a226efae5726": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
|
|
"sha256": "92861af382d6329730ce7ad9aa3cbb84a53b6e758495e2295b0ee98f6d6423a2",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "f613c46321294e0f2f60d3c9ef954f4fa6e1074870bf27df228ecb690302d2c1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS VPC Flow Logs Deletion",
|
|
"sha256": "e58cf48a9c31689fa3e0732f2c7e7876f4a98a82b7adb03e7380e22c0c820fba",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious SolarWinds Child Process",
|
|
"sha256": "70f74d16a6aa403ef6dc14f6860479cf5f78d9422e8fc59bb95814595f53083d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Encoded Executable Stored in the Registry",
|
|
"sha256": "9e84fcf2bf2c5d1a9f8eeceaf137aeff49b4de121b73f7b58bff3af8872214f1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "ef6d929dc2c2361a81de3f98368a4b583d1b79accfccf61f4bd2660192e320d0",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "bb2d9270d998a8605cc859cfc1f0ca065d191d05e65cc7666eaf4e8eb3dcd7f0",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Standard Authentication Module or Configuration",
|
|
"sha256": "88896f17453bba0e23b7f8e02fc585146f8b203355ce61d79bd6c0075c0968ae",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
|
|
"sha256": "77dd368c2aed0e2785d027da58ff4372535a185aee3e815a57bd91c06835378e",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"9510add4-3392-11ed-bd01-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
|
|
"sha256": "5fd3d2b8c4d529473f1faf8da5346efc3e1c194556689eb7bba24604dfea18db",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
|
|
"sha256": "a3304cdf171424389d30faefd47da2bfb811d8270c893f78386b11189e9b83c2",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Scheduled Task Creation",
|
|
"sha256": "fe83b08773c5368d309129ccb5cb14003e86f1cacfec228694309197bb528d75",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"959a7353-1129-4aa7-9084-30746b256a70": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
|
|
"sha256": "fa665bce1bd5f32a457542562d74495a261571840f8e4ab39bbc2cc9cbf18826",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
|
|
"sha256": "2da65d0ac1457d8fb9672ea97848c2a25089f4e2bfa095b5360958453c724874",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File made Immutable by Chattr",
|
|
"sha256": "3328aa469f5849dada41eef57ca7e79395a39fef5efb4a21882d364ea07624fa",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "ae0253993e1eaf34f0186cf3d7d0f136791d0ca732c546fb7a21b737c650f6c7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"96d11d31-9a79-480f-8401-da28b194608f": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
|
|
"sha256": "7f19c812ec726b9e463ab8dc4c7e5a9b2dfc628d9256ba8067eb386388dbaa6c",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access to Keychain Credentials Directories",
|
|
"sha256": "4171c6c32a44a16550e27dcaa141025405ae8d4526cb6c55da3272e456f64b35",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"97020e61-e591-4191-8a3b-2861a2b887cd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
|
|
"sha256": "3cf82aae4f12a277ec6fc63cbb4fcaea72b1c63c1dcfd7bc293722326a5c0b54",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"97314185-2568-4561-ae81-f3e480e5e695": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
|
|
"sha256": "df0c3ab6007ab01b0442eb8dcd1dc90c541d8fba362f7d3f9beea700be864ac6",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Storage Bucket Configuration Modification",
|
|
"sha256": "2ec81731e02ab3036cc336d2c5e1046904c2ba1f9f673a233714fc29eae824cb",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"979729e7-0c52-4c4c-b71e-88103304a79f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS SAML Activity",
|
|
"sha256": "fe597108c7e1690d7512be9915cec91345f5e7b851d22e98a4900ddb6a18ec81",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
|
|
"sha256": "0811930674642f59bce1c8d85be5f1106ddb3e90e70367605ba615587de66b7c",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "df3e7878e875d0ef5effdfec2f135a961c77930a6ffe994978d5e94e8965b65d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
|
|
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Suspicious Renaming of ESXI Files",
|
|
"sha256": "e5297104530f970a1396965cd63d9494953d8414fdea397a9e0bbdc1827523e2",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"97fc44d3-8dae-4019-ae83-298c3015600f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup or Run Key Registry Modification",
|
|
"sha256": "c8b658b1a071b8fc106433d112fadf48f48bbb749ab7710f31b39bfa2115d425",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
|
|
"sha256": "882c315c4c0754810eea2b171e6b126b0895050aae8678538de2467cc0e195c1",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"9890ee61-d061-403d-9bf6-64934c51f638": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP IAM Service Account Key Deletion",
|
|
"sha256": "a2466f68d1f31828719d60da8dbaac5f6e9fc5da8bcb2803a997f909d396024a",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
|
|
"sha256": "6471164015e40253d0c1c8e6c4cf9747913ca95c6bc387f9a648fb04097bc611",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Snapshot Activity",
|
|
"sha256": "e4c1ba014526b109b89bf7e3d90aaf5b60008eba5c588834538f8180e8944811",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Injection - Prevented - Elastic Endgame",
|
|
"sha256": "9ab23922eb244147b8146766869d5af8629bcc869464c836e684ad7e387fafe8",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "MacOS Installer Package Spawns Network Event",
|
|
"sha256": "0d85416b1141ac31576216bd704c568335b3510628674a1b523b798864c3b6b0",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"9960432d-9b26-409f-972b-839a959e79e2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via LSASS Memory Dump",
|
|
"sha256": "670dde4ffab82f84878e03371ebeeb1549d86fd165a859a6c69e897ad2c01e80",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Failed Logon Events",
|
|
"sha256": "f8cd329cd77dad81701611abf982000271f210ae5ed80384a02137090cafe4f2",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Endpoint Security",
|
|
"sha256": "cee77122bb31a59353a9f4b22737d0a05002244e0776613c49597c6198be5b0b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shadow File Read via Command Line Utilities",
|
|
"sha256": "8823580c0b9377d8e6e0322d1f6fd06b5591ea851c9ac9aa9969fdda0f2375ad",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Explorer Child Process",
|
|
"sha256": "0edee81fdf8cb464c87acf7de5a35ccab56fee2b1eb386cf1ef63fa8e9f2d2f8",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Scheduled Tasks AT Command Enabled",
|
|
"sha256": "45e51ed8ec580126760672c1d7886d324d86b2f8a6f4e1a87f2b806d7361219c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via WMI Event Subscription",
|
|
"sha256": "eb42f1728537d00d54292c74de5d786a567cfac2427a529cba1bde06f09a049d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "49841a36240c8471bbffa262cd743d965df3c094190a05d526fc7ab67a405852",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Logon followed by Scheduled Task Creation",
|
|
"sha256": "bf21a84716a434390b5db52758a95fd3d418bd777913683c47b053b0efef9ca7",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Command Shell Activity Started via RunDLL32",
|
|
"sha256": "868067cabc8a0be28a12dbfc75dfb2ce2a189cae802cdc55c6ed9ae7333b9222",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"sha256": "172d2f04879c10e383d6f900e6bb2f9d49626e7a95d7f235e3183c36ab0e80ad",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "3d75099acf12cac197ecf9f52cec25bd2b21c0b150deede93b23e825b0b65fc8",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "3b7e09480afd4c8012bb987bfd98b3c9122b6b410d67b0a7e9493e47575af1ca",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "369134d9a4caf591a866c8b88bddee3e1d22a4b89ecb927ebeb0b20ba689b6d6",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via Trusted Developer Utility",
|
|
"sha256": "c93bb046d19b2673d83b462fcb258eaa7e7bcb6689d3ef4d21558bad0a63d351",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "19893bc21a16dbd3dc5d6c5e7d6378f5b936b8625bd33a1ea607df95a53e143b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "2b16363130628c3499ea0c544a69b708ba945db7321be177801f2713f35ee7b3",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"9d19ece6-c20e-481a-90c5-ccca596537de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
|
|
"sha256": "4bb17ce04a0b54f7dea8aa6679836b5b8f3748ed408471a6fe1aa79312c7b519",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Process Calling the Metadata Service",
|
|
"sha256": "ee7a670efc2b0e1959a07caec32358b0f64a99a955dea14625db16c4cf2ae32d",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Protocol Tunneling via EarthWorm",
|
|
"sha256": "e4c1a0bf7dd6c58ea91fd55c73fcaa1ecf66aacd4f5e558565b78f100aa12f08",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via DCSync",
|
|
"sha256": "5cf6d06db229af673be388f69c507b9e4b53a847d47ce9f7fc72f715b6ee31a3",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "5f6bfe781b9aeb2c51c469922c8b2b52351efbe6ae28b355fd9995b61f4d35f4",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"a00681e3-9ed6-447c-ab2c-be648821c622": {
|
|
"min_stack_version": "8.6",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 204,
|
|
"rule_name": "AWS Access Secret in Secrets Manager",
|
|
"sha256": "ceb79ecb6128a048c8cb3cf02df7d425d9e9febda584ca27d9b45b3bb3c157e2",
|
|
"type": "query",
|
|
"version": 105
|
|
}
|
|
},
|
|
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
|
|
"sha256": "1a84b95553424a6693b2791550af5d03fe59a79fe469d5f1f661e7ad67cedb90",
|
|
"type": "new_terms",
|
|
"version": 205
|
|
},
|
|
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "A scheduled task was updated",
|
|
"sha256": "2cfda45048e8471208372b3cffd610238002b437d8fe1c50df724f183f467308",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Topic Creation",
|
|
"sha256": "39331a05f09f2185ae8b0c59d5ccbfb69feabd51cd56e072a6f31e5411ba8db3",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"a13167f1-eec2-4015-9631-1fee60406dcf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "InstallUtil Process Making Network Connections",
|
|
"sha256": "d60176113e8082f6c2621d07cb3776d4e641604dd9353f03ab440f19ee62728c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "4d9c285a64e5d48f5d56c73627512b1cf2fef4ad48ca8c5559bc9e7f5244c046",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
|
|
"sha256": "3202f6425bcd3370e2d52fdcc5393a1b395652cb20d37ae9885a2b20e08013e5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Subsystem for Linux Distribution Installed",
|
|
"sha256": "4af46b51d7ea179d5e6ae9bf112f359fc2c47069fa5532f800f3a933306204cd",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Virtual Private Cloud Route Deletion",
|
|
"sha256": "6eea295d8671e2068144b62de3cb85d6ff58e5e0bbffac1eef20f6875fa46f1d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
|
|
"min_stack_version": "8.7",
|
|
"rule_name": "My First Rule",
|
|
"sha256": "35074e5f08c9198dd631dcce1d0c399686563f2286461207a2ea71b194f859df",
|
|
"type": "threshold",
|
|
"version": 1
|
|
},
|
|
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Reverse Shell Activity via Terminal",
|
|
"sha256": "0ce306c8954c9e8f5f08497de7dc877d455e2526cfcd8ee25d7f5a1eeb5c6b9e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "DNS-over-HTTPS Enabled via Registry",
|
|
"sha256": "32cedcd20b63b1285814e5814b01653f6cc6427b9feb4e7b813bac95f9101b25",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
|
|
"sha256": "4c7b59991fca9e2bb874d73b26702beea98e72c40bda59d83f8a795d18fdbcf9",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
|
|
"sha256": "235cb8727001bae92f4cbd807efe79b4e10fe0eef7fff4eda63c231fee43e598",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Mailbox Collection Script",
|
|
"sha256": "729feae3a566950ab8019a32e9f5e7cb0e0fed301c411c5142501168c0c64abe",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via local SxS Shared Module",
|
|
"sha256": "ceadb1271017ef280aabca7d058a1a347de2eb376769356096710698d4b7298b",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Registry File Creation in SMB Share",
|
|
"sha256": "eaec67974395526b30861028834bb4553c34bbbba4ebe30114ccc121e4a3a6cd",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"a52a9439-d52c-401c-be37-2785235c6547": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Netcat Listener Established Inside A Container",
|
|
"sha256": "0e969129d0e96a9d6b6b036d469dda6e086423a265767f7a2538eb013647d696",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
|
|
"sha256": "fbfb4dc4e6e75f8a7294f503b7fe444e5fb79eb7cc0b7371acbd37934352f2f3",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "9128759fa2e3b1f321f9075878bd897dae7b713889986ef0fc81d87469d8f62f",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Active Directory PowerShell Sign-in",
|
|
"sha256": "32f30633093a69a2f6fb9a2e9e11c9c6bec8b28a8a24f17105341fe4a18c4267",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "8e12431693eb5a942e10237a00ad6ba1a5749974d729f0565dc03e38f95b8d99",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Emond Rules Creation or Modification",
|
|
"sha256": "01eeb561917736b663155fda041f3bf52282753d19424aa8f79fd2e26a540ef9",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Print Spooler SPL File Created",
|
|
"sha256": "4519e1b0a131f527bfd923205c61c87592da52bde9a0b9af496f893f7b5eb940",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Acquisition via Registry Hive Dumping",
|
|
"sha256": "5fa7ca6b50434e3d3e12556d879f6afb5ad272d323720e45aa853184e26c7914",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "36617ec8850ae04feba7b8e3f638dbd57f270919fc6fe0f7e8fd1ee32c922bb5",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
|
|
"sha256": "fca5d6db063f33419f452eb6aafee03ae9dd503fce594e4a95d73d86620c04ee",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "b2daab0a2fb7c6a49d316684b16b34bc48a433eb4288b640b70d8f7155f44852",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "e0a0685a98c341b8582fbcc5912581531287157c7c0060e17e9c2207a4258a8f",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Hidden Run Key Detected",
|
|
"sha256": "a6dd44b10e5c7f448ed3f9baf76f29c0fb3c9a9c24efa20eb09636623532714f",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "db21fad431416ec9441e3ecc36899ed7f07150934597bad7fea0821595ba12f1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"aa8007f0-d1df-49ef-8520-407857594827": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP IAM Custom Role Creation",
|
|
"sha256": "a4d7dce2e29fe7b02e7830250371c8111429f94a310ae4d93b1c7cabae14bec3",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"aa895aea-b69c-4411-b110-8d7599634b30": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Log File Deletion",
|
|
"sha256": "48c7492979a445ea4f8bd98f35515c5f7de53face5ae9972943808641bb7575d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remotely Started Services via RPC",
|
|
"sha256": "27a5c3b30a6e218c403b3affee3bbe07de0225fe6ef40b91886e67cd8c6aee96",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Execution via File Shares",
|
|
"sha256": "bcf37193b803502f5e47a1d8e0671f594ce04190cdc6584ecf21dc98d76cf49d",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
|
"sha256": "48b7ed93493e8875a2c2ede6a3fd2044fe824f52866a3f31b744be58db822345",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Login Hook",
|
|
"sha256": "1d4ac527e77495e19a5d1fbf36e2a8ef924850e1c660f68fb67e352c2c08749d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "da2001616e1048063e4ecc6b27540d9d919abe9a5122b1e1eede9724a812f0db",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "434f66b15154b5fc46edebb23f06a6cdd5bdb969c2436d50b9566fe72c87f977",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
|
|
"sha256": "27c36f908231f3c0c27244127648e542bae699ca5bbdc818b7e144eaac9a807b",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
|
"sha256": "17446570b779206b8cae475969306c45b64cbe3a2b933fac52f4a5525d6023b2",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
|
"sha256": "b2c579a46d1fba111768d17f8a27fde4f00f508065c71caf3e7c5f578fe67fe1",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Command and Control via Internet Explorer",
|
|
"sha256": "34465804636f17f691ad337779ed0788d8ba33e6a9a55958bc31ae23c790b663",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential macOS SSH Brute Force Detected",
|
|
"sha256": "df6c7d1cb4f52b5fccbde7e700a27c9e8c7f404d580ed9b0470a62b90aad957e",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "60248497fd1daced2cb5646713792de68b3161c5d3793b42bd85ac0e4c6fb324",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "4fa999e2f00c53e0a1c79484bd2c7127bbbdc6b9e48a97a097824a4b25f8e766",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "1994f125fb87d27a74be9c4dde9edc895032d5d6fa9897d86f19e87d15ba6b82",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "85dca635fe09520b3ff86402c32da0b4d9da3090bb25159081aae8a3ee8d64f5",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
|
"sha256": "1df2ab2a653d16a52a82ad91d15f97aeed28529d01b5dcb1f6f370d49f392527",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Cached Credentials Dumping",
|
|
"sha256": "f268fe3a948e269e6ae40dd3eeaa549e0352160e6948b2b9e13208fb3e1e6191",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Transfer or Listener Established via Netcat",
|
|
"sha256": "6ce21eb4a25106ec68f181c623bf6c23db184c87f91db459833144fb79f4eaed",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
|
|
"sha256": "b0e96798a7a45e680ec5b3346e02ff0b7c85be5daffdaa81e618d169d7d5af9a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Local Scheduled Task Creation",
|
|
"sha256": "16bdf378c631a5bc67c46eb5eeee152adfc662f073cc73307c98c91d71949064",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b0046934-486e-462f-9487-0d4cf9e429c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Timestomping using Touch Command",
|
|
"sha256": "d166013b261b74467ebee38865be0b81a1b072511ea74b4560ef8c0910aa8f07",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"b00bcd89-000c-4425-b94c-716ef67762f6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
|
|
"sha256": "7c237a00f6b0bd6345322502b9421a457adcd3dfec66e2ecddcb6f02c1390b6d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
|
|
"rule_name": "Potential Persistence via Cron Job",
|
|
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Network Traffic",
|
|
"sha256": "99f13cfefc0aac135a5f88de5a7fd942edb6de9af03bf90a2d113891d9e701ea",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "65df60e0889afe79423296f3c8806b32a0e2809c4cf8c4d40bac64e472316baf",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b2951150-658f-4a60-832f-a00d1e6c6745": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
|
|
"sha256": "f9ce2b376d71fa22fe26823243794720d947aafa6bba580615d431c8cce57a99",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "0725c3c6d24dee6e5512b6843cfb2ebadd86bc7856429f1f33b3b99008cba6d0",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "01193f7ed89fad98180b094c7146c46de3796d8745d46cbe6c449db4088ec7d2",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "83e947fc35dff830be5b5cd29417299fa279a14a026b0c1c7058c3ffd6ea53d1",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Code Signing Policy Modification Through Built-in tools",
|
|
"sha256": "fa764e71cda05eb6143c178a63549a904e23cc42f9a9973ef40eb34c43dcf105",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"b4449455-f986-4b5a-82ed-e36b129331f7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Atom Init Script Modification",
|
|
"sha256": "c430ef974906fc71fbd4a42a6350e5c5319aa46403ddf098562c5c74bd44e031",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b45ab1d2-712f-4f01-a751-df3826969807": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS STS GetSessionToken Abuse",
|
|
"sha256": "ac030d5a556d8f95bf724fe2b9d048c88b03206120394193c95000b53c16d84d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Policy",
|
|
"sha256": "28b42be958d0bf8a397306dc7f0cb14cfdbe0f0eaccb5755c9de565c0880d356",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b5877334-677f-4fb9-86d5-a9721274223b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "92354672c1fe3a755d17eef49c0efd019232b082a59cc56d88731a2ee2cdc490",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "aedaa368fd725d5278502b6d511e62e5a1bbf96e126db36da08b3129a97aead3",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Elastic Agent Service Terminated",
|
|
"sha256": "880308f389f72cf7aa685439c096f0f36ad2470ac1db401751d081f2aeca783f",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"b64b183e-1a76-422d-9179-7b389513e74d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Script Interpreter Executing Process via WMI",
|
|
"sha256": "3901f48f76e370578fb6e859e02ecd8b2f2466dba437a6516ba406a6f2e7591c",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
|
|
"sha256": "dec0e528ce72f07f7bf7bea01a9998937ee8f566408acb58fc234f02e7a2ca70",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Policy",
|
|
"sha256": "e80ff50996cd7da0cca7153e82a4a23ac280c4f59a61b07d8502cd37ea7573c6",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Administrator Privileges Assigned to an Okta Group",
|
|
"sha256": "232980a0baea2530b71daf1953c4957e214ab632c7911fbdbf3ff40ceda34c98",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b8386923-b02c-4b94-986a-d223d9b01f88": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Invoke-NinjaCopy script",
|
|
"sha256": "794b4bf1861c88e54caa3b94505272582495dfe0ebd9f6dfab151f7799a26b83",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "1c3cfd6e70e03d9f721112f45395b73693dc939e2acab4b03a9fa8d286b91b75",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "6f4e5d8e7100430b720f9d75f74e240dcc1474460f6567531b8f636055889138",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "b9146ca7a8ae489fe08a62e90cffb9ad87527f6c26aa8baf96c17ccacbc0990f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Chkconfig Service Add",
|
|
"sha256": "22dae901276ac8169daa63f07a6d610aadb6877bc6c432e80deea84a99766539",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
|
|
"sha256": "c0cab21b20611d9b1a263e9298c27e29fb538f6289afccfb13bb814958052974",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Group Policy Abuse for Privilege Addition",
|
|
"sha256": "42bf637587d3a8f91b83809d1d84296590538b74a70d6184fba7d1c8900ad6e4",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
|
|
"sha256": "1bbf4461fdf126c189e3b5f47739fe17e55b71d13f0d3cd1405114ec39de703e",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b9960fef-82c6-4816-befa-44745030e917": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "82a96d5f82420d8607068f6c4d3d2a2e8ed3ad8e073c18c8d3cf038df47684a9",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "28f3dda84fe5d9628a2900149091b133ce911b7e2d8b1bec1cf45a9470580d0b",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
|
|
"sha256": "584a7e12af0417fdc6f0da462e0c303fee17e8db52b08e0404be3fc8fc57c14b",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Resource Group Deletion",
|
|
"sha256": "3b25861f68b1100642f9a3ed68c945e918ce6d65b653ee7d065ec2ab7378a294",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "3641d409b9d87793b22eedba3f45c34c83c7ce1e23a4f193be7ce0932d502f08",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "OneDrive Malware File Upload",
|
|
"sha256": "271d10e5de2e8992afac079441588c01bb4fea4985be37207a4f63cd14de73f3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bbd1a775-8267-41fa-9232-20e5582596ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
|
|
"sha256": "93d1b13957ac532ad6ab4712072ffdbed8a3d3107e6aec621b72742431d1c5af",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "f44458332d5b2a8144fd1ff683271a6e8b0fd33390d5406cd93943230f50d997",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Storage Bucket Deletion",
|
|
"sha256": "9332e726255150ff772a979737bbc1b3eaf0bd72447c471aa13ad44c6b82929f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"bc1eeacf-2972-434f-b782-3a532b100d67": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Install Root Certificate",
|
|
"sha256": "ad822fb37207c4736738cd0b68015ee7a93e153ba5f5396b0b17b22f72834288",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Conditional Access Policy Modified",
|
|
"sha256": "7d464f589cef8e69158a8ecfcec8ad0e0eb6b9100e4e8a046bc9d7d8331e9e65",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Non-Standard Port SSH connection",
|
|
"sha256": "ef8d1e8236ba6dd2c821d9f2b49f9b7d3b4459a19442874457ff4d4ea6451b5f",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Disabled",
|
|
"sha256": "c8ec2de9a15f80aae8f4403606fb0076e026ce39a90c23a0e6fb6ef2a52d4a5b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"bd2c86a0-8b61-4457-ab38-96943984e889": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Keylogging Script",
|
|
"sha256": "aac89039eac0eb4275d4cef9ac3feccf158712f692af79d0a01d3199e97450e2",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Print Spooler Point and Print DLL",
|
|
"sha256": "815fc2bb90259f1b309040431e26fffd4189a0cba6ff5a2cc4647bbd6a6f51bf",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"bdcf646b-08d4-492c-870a-6c04e3700034": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
|
|
"sha256": "eb53ced03a788f015585b601920f6f4a160c560a1c8f42301116264368e9fac8",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "2cb4d66c727d0c55f63b84fa581c3f4905fe59b68ae1b74485958db2fb151dce",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Snapshot Restored",
|
|
"sha256": "dc266c4bd0ab5ec7da7930d71dbddc2e5fd6140391287b6e5cf7737ff8c9fff5",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
|
|
"sha256": "5294332a5580dd96c49e17f6059f4b6360f0a11cc6e55161d70ebd376d4663f9",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
|
|
"sha256": "3a1954f8a404171626cb1568b08be97608f9a5b5e7e6d468a58d399fff0f615a",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "0eb06918abad405e01f9dd17b738297b8b83a53192d327ae7d421717d936eb54",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
|
|
"sha256": "8d36cb1bb98e55bb4e2ed2cf06aac2db1e1f3a86b9c99dcc91ac589074a780b1",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Suspicious Renaming of ESXI index.html File",
|
|
"sha256": "376ec9c21a69506e46eaca4d1d6ce321c2527f91b1463f41e3312e6b2a7886ab",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"c1812764-0788-470f-8e74-eb4a14d47573": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
|
|
"sha256": "54cfb36ceee93e2ee85527b5272459f7146e59a5666f6a04718468b96bab5fa1",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "3528eee51387c5e883a3e1b3f06f73293fa3e882385a02b8b898e85b84ca69ee",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Connection Discovery",
|
|
"sha256": "8f8f08af2bed9cc6fcfa6e66fcbec7c3517d0685d5adf8acc7ae1999ce7a6f87",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"c292fa52-4115-408a-b897-e14f684b3cb7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Folder Action Script",
|
|
"sha256": "a067d1223811e423cab7856feddfffdaf3bb0f7c2ae96b5c63ba6932e47e9a2b",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c2d90150-0133-451c-a783-533e736c12d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "9541529a97512a00d4aaaf051cb98af4785b44ea77c37bc172856182e7a6c62e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Permission Theft - Detected - Elastic Endgame",
|
|
"sha256": "8c71d85fb8e7ca57ddb9f334300043978dd5976f7efc1d0ad06d561ea9cad9b9",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "5fceca86424fdaae099163a6efb0bf8414c86b58fa21b35ee5ff9789b641d7cd",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
|
|
"sha256": "3510e04cfcd716d998a26241461fc1ae03bdca9c148528df59246366583fd498",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "00879e95cee9672dd8b56d539f49ac2ce03052b142457203197359ebf551b518",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "2e8c22beb5d6a79a5c3ba541605eac07cafb11041e4149a32bc7e4b107e0971e",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c57f8579-e2a5-4804-847f-f2732edc5156": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "00362b8b0e5afebfadf9a3e10f18c0f86595906e306bec895a1ff9a83b08c3ea",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Virtual Private Cloud Network Deletion",
|
|
"sha256": "0af929bae69fd3bd2354ceaf72d5eac4022135b20527b1bb7b500f40f78a6e95",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
|
"sha256": "0b92d4288ea80639430bbe8ebea5a05852e4d4c20b4a150b21dbe6124ecae5cd",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "10b1fa603f93bbc327c787ce498ee63735059ba1381029eec82541bfcf3bd2fc",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "cc1c0f24ab02d2609bde69c2b1080e17e22814e94ab370543c78c89f42dd6f83",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
|
|
"sha256": "f059a8f7ede213e8a714e9da098089e0348d0911cdcfe111f57eb42c02d8ef07",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "1d0822bc5138751b4aca2f3d5a1d15a45f01cfa51932a1752abe1390ffb0d550",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c749e367-a069-4a73-b1f2-43a3798153ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Network Zone",
|
|
"sha256": "ca0f503e8fae0469ced007730bbddcb8f7ccb18fbbf43730792333ca1a09aa73",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Application",
|
|
"sha256": "82ecca8efc10bc1cc58ea10d5ac7df12452174a2eb96738f54e5d4c36bcf3854",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c7894234-7814-44c2-92a9-f7d851ea246a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Connection via DllHost",
|
|
"sha256": "2bc2c24e7c38eb978b00d4664be358cb018e19e8fb5b2004dadeb91f30ecc435",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "490d52d841dfa80ed829303bdf0106213c05928b84203e29adca6b9ee93ffc98",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "1fc74b97acb32fa696b0ac3a36626bb985e83b000303ff04257dc0415df35bf4",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "155fbbd9e9a6fcdcfd7063782b2c39327eebe7107bd2206d1851dad6a271b0ea",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Network Traffic To a Country",
|
|
"sha256": "9f61d52eb9c31372a1a7f26794b6d09209f131d931de2b09e0109c9b5a055148",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Docker Shortcut Modification",
|
|
"sha256": "562b4f9d9765441f6c5e5f3ee8a71bee6337eb83c368babfda186ce6dfc75aac",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "c762f5de1c0dc8d4fbefecbe5ec987d85ff703868558b4c2025a6491f8434e05",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Direct Outbound SMB Connection",
|
|
"sha256": "98f8c7e1267b9d78610ae46f11ed1ad036f56aee89b27b5d90cb2199403ede07",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Machine Fingerprinting via Grep",
|
|
"sha256": "08f7dfa2f2caa4e537757679fc7820400d2a971cd8c606b0dd4b8c8a7f8c9e00",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"rule_name": "Nmap Process Activity",
|
|
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Parent Process PID Spoofing",
|
|
"sha256": "e4a406b128d8db8c468d7d74ccc8571efe7707e76e7b1053d9f6e29421b63656",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Ransomware Note Creation Detected",
|
|
"sha256": "5ff21d733b7ad9318ccaae806d8aa5a60f2b7351ec9964427cc6bb3121fef861",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "db395f8bb4f6026ef2835860c83420ac38c02b303bc9b84c796888e581a8ed7b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "2faab0acaa8f54bcbcb9f3e1abd009b9150aa26083f90981134d34e72a54f6fd",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
|
|
"sha256": "40292ab6b3b74c0736e9142d0a2f4da6595e481d679c644ebce45713e3cf04d3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
|
|
"sha256": "d3608aa64d0dd96d0b1a38306836f9ff19f6ed3b68cb7d959eb18eb762fd5149",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
|
|
"sha256": "ba2ec22973ff634b1e0777f4e4a35567894eba82c338568f2f79c3d9f7ee61b3",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
|
|
"rule_name": "Auditd Login from Forbidden Location",
|
|
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cac91072-d165-11ec-a764-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Abnormal Process ID or Lock File Created",
|
|
"sha256": "eb4cfcbf1c37f3a246bbfb9a10663e1be044a08c76ea2d2d2c043fb217597da9",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "c2c4cecb5067e1562eb9b4381cb2f02f94d8eb714461d1985ff84449ddb93285",
|
|
"type": "query",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "34e19b874f33327105443e1ceee3593b9bcb1b30eb30f5795bf9102bb91339c1",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Calendar File Modification",
|
|
"sha256": "7e28654341af174f22d390087be90d6720cc8a4fb885ec887281664fc29459b3",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Enable the Root Account",
|
|
"sha256": "1de41b7216811e97eefabc4398c95e7c63777b807c0ca1269da386bdda134bb5",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "3518355a90ee6354be595124e70b25d82c59ea2fbdd8bbbcc0d0e2a62512acdb",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "c7b9666823cde0bf8c11d476830a101b3d818212df8e19196081f2fb0a5db328",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Subscription Deletion",
|
|
"sha256": "5337e6bd0ef0b80d43f66dc8830169905a634b3a04618654f641fdc33472b218",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
|
|
"sha256": "96d42c07c11ea1e66f37d0fe71463b4bc8ff9f7dba1c7aa62a2a77482af2d478",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Process Herpaderping Attempt",
|
|
"sha256": "90db8e3fa447cd76698c3bfb3cf784c21813c2e0cd5b81f2a60b062f7cbba2fa",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "f62ce3d63c7514a1b1e3485043746bff4cbd29215e3532662de3da9a45385c48",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"rule_name": "Socat Process Activity",
|
|
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Linux Compiler Activity",
|
|
"sha256": "bd9e2942ec336f2a3ebaf266d81377f6b15059e51d931aa31374b2b27e4d4f7c",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "cddca84af1ec5f91a0fc0a37bd4ca735cadcf7f69e45d5365ff4197ff6295b72",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
|
|
"sha256": "18737d6849af63f0300dab6e931af5464f8c15f68f31f5bf7bdbd6b3ccb1cdbf",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Okta User Session Impersonation",
|
|
"sha256": "b839129d515b067cff4aac735b1c9dc12f24f90fe301eb0b9fbc9bbbf4a4f19d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cde1bafa-9f01-4f43-a872-605b678968b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential PowerShell HackTool Script by Function Names",
|
|
"sha256": "35f57b5204a5cb8d1f5c75b185977e0fa9380dd92068cd36bbc13f81bf6d6a3c",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "f6ed95c4af1ee55bdc8982ef40782959b46dae171a95566413fa375664b14128",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Cobalt Strike Command and Control Beacon",
|
|
"sha256": "efd4dd156b54adadf3583f42ef14c6f31ec98f4d4e076afa2a06b529dcfa7e16",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "2422828361db58c9cb60d2f0b2d137390daca7d29b102789915ec3e3aa883430",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "aa0f009284a5c79c915497bc9f14cd9fca9c5f51bfff8ffada85190b9af2bc2a",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "53487d7bbed7b10964cc4dd976031721aae9bd6eb756c31e1407d56df83b23e2",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Namespace Manipulation Using Unshare",
|
|
"sha256": "25eb06e75d87fb6552175d1b0446835fd487f5435cfd3531780d1e99ba2947d7",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "30f6abe74cb6d7a40335376a972db84371efd6de616e496efa7f8dd0092ca97d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "bd2e3a82f0da57e8e2a0d4ac051b85e1ad618170acbdb28502d1608b37342505",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Microsoft Office Sandbox Evasion",
|
|
"sha256": "bec3a6c54edbb4399a08dbf48657becd3a5a541541f120a61b1d1d4e9580d52b",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "ac50b1cb9e9105c705e57765ee02986414c63a9274108c4c9d38a2d8cfbb2b2b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "57ccdf578b33355ca397a6bbc98d06eab152799c14ce67a04bc3dfadde2c65d4",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Windows Service Installed",
|
|
"sha256": "a9eb42f20c02bcb8e8a5712956a7427413bcb4bd8f0fa5528e33c5473b727b68",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Shell Execution via Apple Scripting",
|
|
"sha256": "afb5f9cac913c97f1997f648dda0fa03b73ab02240c2cbc459e6757d428e1d2c",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Application",
|
|
"sha256": "58adba1c923a8ce76e1a1764dc5cac882ab8ea93f2778dcf32c9c397a3aae8be",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "f55b784285078033780f90e322ee607cd717bf5db25341e7e967a809e069de79",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux System Information Discovery Activity",
|
|
"sha256": "10352fa0155998bc2ce3e03cd867fc884f424ce6ea7d9516e4af460a6618b657",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Source IP for a User to Logon from",
|
|
"sha256": "2fcc2d50400cb569889501d46152b475609c5a866e75d86051dda253511611ac",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "2466d70da50d4817a8dcbbb37d8d8f626f4101f672b3f29fac6eca0cf9cdb84e",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Policy Rule",
|
|
"sha256": "a734fea0dd23b59bccb99dbb39f55007140181853044b5bfacd32e882f62f49f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "121c180994db8c517ef59cde13b161cc4356313055a19b220dc4f6a1f200c62d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudWatch Log Stream Deletion",
|
|
"sha256": "aaeb2ec822a868aa988e71b0c918565b3f1902a8ccf0013e8caee3321b8caba1",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Subscription Creation",
|
|
"sha256": "89e3c5186770e21fb9556161d059fcf423c8f330199da418b492128d29d2ff6a",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"rule_name": "Strace Process Activity",
|
|
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Information Discovery via Windows Command Shell",
|
|
"sha256": "8be2eca1a2cfd29d9f4afbf690e508ff9560243c58aab7c3dbcbfc82b330622e",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
|
|
"sha256": "dbf20a1e2bc0d4cdedbccc5865bddda69aca58f70f18ee6ac68eeabd3379e3fd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of WDigest Security Provider",
|
|
"sha256": "a3d590dc38bbc65cf96456ab35d560f410a3e627abe29ac9123b9d1081ce8ee6",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "671b8a362619f5396cfce51df91caa357ab826ec2a9ab263c7189e530c6a1d05",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
|
|
"sha256": "f03f35ec4391254bd5a95e3213e02d739334563e9a20bd8f98055f0bd56f984f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SystemKey Access via Command Line",
|
|
"sha256": "f53aa8f1a5b9e87d8a6b28487f9359beaea364e8c05cdb0c27042894e66905ba",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d76b02ef-fc95-4001-9297-01cb7412232f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "be53fcaca6c95792ae6b79abe90def66eadec36b3c2b5f4ea4e1c40ced9af74c",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Blob Permissions Modification",
|
|
"sha256": "e0d97c1b1c32137b6a20954682acc691d3e3b8865b7232a8796d2220df76c2d9",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Logon Events",
|
|
"sha256": "d667fdb7fbc6da319bdd447af12804d2a91a83d6e3165edc96ac687212c7050b",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "f795ea35f70c7ee41f46586159af9c713d96e6b0356ce45c1bd5e35dcf5b7e9f",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Untrusted Driver Loaded",
|
|
"sha256": "0e6a3468091213fc4b24f569137dfe4b36ff686dcfc4039f0d76f9064d224e11",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Deactivation of MFA Device",
|
|
"sha256": "8802bab60d9f5b6625969f2cfb50f18890ac8acb69afa76f94b6e875d0627cc7",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "1129519b0349a4fdb1c421cc1e7701a5d832f7c13eba0180a0e8203cf42a706f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Code Signing Policy Modification Through Registry",
|
|
"sha256": "f493a7c7c4a4b1af3e58a0bf73ba21683518e0dbca1fccf9293de332cd9c4f39",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Service was Installed in the System",
|
|
"sha256": "4aba643a27cff767767bc8537f52cc7f4873abbc1e0054b2a05e9951ffd72aa9",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
|
|
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
|
|
"sha256": "52d3d4ee99a5670bf90ec1f03101a6ec56dbe49a5fb8cb55c8568321e5ef5b8f",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
|
|
"sha256": "b2bdedbd10d7b2fe14ac813a1e6edcc9034c9817db09d94531cf97ff29c60e1f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via Windows Subsystem for Linux",
|
|
"sha256": "2a9488888dfba25706e88644ba12a1989ba900ca40efcc7afc89f4dae002f978",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
|
|
"sha256": "b0491008a10432af0609a3d3046c5ba9697fe4ee6fe28c05d20735f663452a74",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
|
|
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
|
|
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
|
|
"type": "threat_match",
|
|
"version": 100
|
|
},
|
|
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Hidden Process via Mount Hidepid",
|
|
"sha256": "355554b93a69fe267fbcf4a738c0d344913e4e9b702ed77d8fb484d3fe71efd5",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "474db425cdf633c1f4985a1b2ea22ff85d5d13c734ba1f0e6c440ce25314f098",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"dca28dee-c999-400f-b640-50a081cc0fd1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Country For an AWS Command",
|
|
"sha256": "cf5a04001f7b060fc8737714fb0075af7edb4ff168dd11ebe372c9d7fac3ee7c",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Install Kali Linux via WSL",
|
|
"sha256": "d392b3c187933693b150e92babfb26c749886256261457cb7c645ffa9b08c46a",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Reverse Shell Created via Named Pipe",
|
|
"sha256": "0867f97763c256a862b66bef0550e3db57930476cf465d9369f254a18c11030f",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "eca02b96d656cb5bb1d7545ca44de5c6b565bc07f090c88b5e37336639414ae9",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "9c31ce6f0019d8e694291b4605b1e7075732965ec3d88dff554a1c8ba2bdc465",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "bebf88ea049bb1787295083c3e58e39a5eb2ca0ac0412da6c1c697a99aa4e531",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "First Time Seen Driver Loaded",
|
|
"sha256": "f1e86ef7b1636c8c216103a601b397fbdf2ea725f4906128fef589eb0e4ffadf",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "79fe6d30045c86d83790066989a32ac5398076fce0a8e8aec15e295305a82cbc",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"df26fd74-1baa-4479-b42e-48da84642330": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Account Created",
|
|
"sha256": "926e09c01d9a28535ee45c6b2e542a020fff0bc9b9b3876217cca6ac5d084ce3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dynamic Linker Copy",
|
|
"sha256": "22879b612a4fc894529efe2c9849ae40609fe4de62c9bd40ca710575b0604540",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "1812535ee0bdc44f1edbc5e9801928f2712abc4984e8a97fc4f641b2b6c2ea7a",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "e01a11c3817ecedff0f82792adfb11d24bfa7f35d6bc7816c1f2f9b4ef54a428",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Firewall Policy Deletion",
|
|
"sha256": "601b09f07040a7a4aae2b737306da9624a2ac0a71eabee5f238ce4bd2a827679",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "KRBTGT Delegation Backdoor",
|
|
"sha256": "3a793d4ae6798d822ab4cd898fd7543509208f045f21cd215ca013a566f62a6f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Service Discovery through built-in Windows Utilities",
|
|
"sha256": "8d2ecfe1a06b49dec17037874236110799d60bf27d15c6acc11dc0c148af2386",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "23bb5841739565c44acd0f0bd8f596eea3cd2a7450d383d72e0f5c73d983857c",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
|
|
"min_stack_version": "7.16",
|
|
"rule_name": "Whitespace Padding in Process Command Line",
|
|
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e0f36de1-0342-453d-95a9-a068b257b053": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Event Hub Deletion",
|
|
"sha256": "dd78a77f8220a57fac6347ca0f4ada237ce03b1bea7e8f46129e55b0cb9dc04f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route Table Created",
|
|
"sha256": "d315740dc3e4798b3116afcfb4560f332ee6cd0aaf6278c79ca52b677b4df6a0",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Cluster Creation",
|
|
"sha256": "97dc223646d13b5618e187e31a5c98c6a0ab584f26db51df1368528fce6313a6",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "b619d12e944f84c602676b8dc84f896243a241ed2fa041270904106ef2cf407d",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"e2258f48-ba75-4248-951b-7c885edf18c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Mining Process Creation Event",
|
|
"sha256": "62a8d6937e19a4d342cdec7a80efa1cc86548e034dac6757e4f6f1f7e7454bca",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Successful Logon Events from a Source IP",
|
|
"sha256": "c2b75cb0c0ca673aeb63e131eddae7a33662ffb123e31956482e93afec3c407b",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "66889b5f177bc1a9cb425581e81b726f1ac13863b2292852ac8592e52ad54bd5",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Management Console Root Login",
|
|
"sha256": "77ec08f6d07b1f7906943747812e3b7ce673613340bc8f863608d4919c00abad",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
|
|
"sha256": "d738733eed527f0109849eb0b7782f897f09e8812e3aee6bc76ddf121528f663",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "5cb19c149c88dbbddae3ac8984c982080f7a1497bc535b486b754beeae5f8bec",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP IAM Role Deletion",
|
|
"sha256": "9504e7235ae2d6d6979d6f79eefe68b450769fd53ae193de955fc717497211ea",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "7285956e917aa19f777ed3533d4da7fea80356ac420983e825ccd801b7524ef4",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e3c27562-709a-42bd-82f2-3ed926cced19": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
|
|
"sha256": "a9771e5258a05b42239862d74d1e68d1fa34033f16f3f9c26b4732476447b4c3",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Ransomware - Prevented - Elastic Endgame",
|
|
"sha256": "b47502c00c1c5a89a76099135cda46927a2bac199a32fa69c796440b73fd9db8",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
|
"sha256": "39805b9df727474ff34bbbeeaadf35066b16c8d1a707b274251ce33963614b42",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
|
|
"sha256": "871fd45bf95bc756c946e2c35455dc66507184603f07314a7b743abfd66e65c5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Network Zone",
|
|
"sha256": "6daa40545ae110d23965c10cdd3b97559c76c2a36f9fc79abe0e93316a8d36ed",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Creation via Local Kerberos Authentication",
|
|
"sha256": "93b7937727492cc72b68bf3b72232f58a29fdcb39cdb6bf548afc84d22da4d4c",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Pre-authentication Disabled for User",
|
|
"sha256": "00a31db2026bf1f14d964a21a3186172f66698bf1a34e405a17617beffb31dc4",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "7f4d5eb6734f8c3c60ded7d24a7a3339afd5255c9fd1bf01acfe5972e671f89b",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "09fa2db0d72cb74b94efe31cca51f254ba12204433eabec1fd863a71a750f5d3",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Bash Shell Profile Modification",
|
|
"sha256": "8881e4963ba8313ad806441ab35b10b080666906259266d9243987fed72beeea",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Authorization Plugin Modification",
|
|
"sha256": "3d4f9d875a7cbebe715e0f79db24130680e81ce3c95b2488e6804bac01b8ba8d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "d79bf4f3a31c9f68d62437e3fc948da164cba7efb2dc53ccb82e3e44b85d75c9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
|
|
"sha256": "87bb7b5c4fe360b86247d6faf9ba1cda8ea552134a18c4c1045c1b53fa2f63d0",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"e7075e8d-a966-458e-a183-85cd331af255": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Default Cobalt Strike Team Server Certificate",
|
|
"sha256": "e9f3a0e9f8c621c8cb1262e6e8b7406d36b2dbf66fed10d7e756d2720bb4b8ff",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of Persistent Suspicious Program",
|
|
"sha256": "36c7e57a6c89bc2f9813dc1f85dd1650af535c967cf9d52e7cdc8c9d4990503e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Credential Dumping via Unshadow",
|
|
"sha256": "45aea427cbd9c2dec9d0264bdf29eb9d041cec78f028844c4d210c23dd9e12bd",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"e7cd5982-17c8-4959-874c-633acde7d426": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route Table Modified or Deleted",
|
|
"sha256": "8755115362dbbcbb7295af5862d9fa7670b46667cccb181dc95dc4a012fcd609",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Control Spawned via Script Interpreter",
|
|
"sha256": "5b842e03935bcd0bf01c18da831e252e82726d88efd8e99badfa0f741822426e",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "c36166149f6382278bbc2f12e03af284a945d557c1a6ba7e8b84b66593d5aed3",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
|
|
"sha256": "bb8b3e1c372d97cbba8f15cf80b6971468bdd8fc5a8b234ec5330cd1d7dd0b98",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "ae574796583503daf7ee6688cbb92eba2472a7b294a56a091ec363cc4778cb13",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 VM Export Failure",
|
|
"sha256": "d8c86640a7b69eda3b5bf7d31e3940366d4410341d1ed1628d859b1cbd30567a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "d8671600e447e5ffc604a3cf69e45e57ded897ab70666f50d5d45abf9cb8df85",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential LSA Authentication Package Abuse",
|
|
"sha256": "9ae8dbc10946156ea62bdefc1cfbe386c468cb37489a480ce5d78399521f5585",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
|
|
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
|
|
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Webhook Created",
|
|
"sha256": "f4753972bd7ed04f9ed23aaee4f55562c9579bc04e5068ab0ac000dce3afd4d6",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ea248a02-bc47-4043-8e94-2885b19b2636": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
|
"sha256": "a1a85b477af4b8413725fcb62209b88208532d46617e873fcb8c645275d2ce1c",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Firewall Denies",
|
|
"sha256": "c5657166c9209a2de18b8ca9afdffb776f6a22625f050bdee7847ffa323ccc24",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "External Alerts",
|
|
"sha256": "31b878918fff8b8a2530233ffb091fc5e5d130ae1a25f1f3a186b146b965abc8",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Kerberos Ticket Request",
|
|
"sha256": "ac8d9b45feca5016f1cee9d440ea3f577ab97f6dbf43e1a47c67270c063d11ae",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Network Connection Attempt by Root",
|
|
"sha256": "b8463074b9b5230234487910daa8b6d8c5bd3a2a70dc2b364f72244446d9d670",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "c24aebad20f1af7c7a32bb9a8ba2c9da565e9f65b4ad5ce917fdb437f9dd835f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "bce143d57e76c903821b58b863fbe225e2d25579a922a0de8898341448662147",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "8a9d1d29af81c63c40e4468ccb3eb6f4715cb3086c724c657c552c9ac7b82b5d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "fa9ab56f2ce00f10be9a6779f517efb2fd13525fef46aa06be38c3c56ae43d5b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ec604672-bed9-43e1-8871-cf591c052550": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "File Made Executable via Chmod Inside A Container",
|
|
"sha256": "30acb4620c9162647073d47d1de76009da4b87ff8afa60bfc815b714c307bd24",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
|
|
"sha256": "4d681383a39e51c0ebda801678fc42df905b3b46c407443db81029f0cf7e60c3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Instance/Cluster Stoppage",
|
|
"sha256": "398818eec9c82f37901b7eff3e56c7cfff9068f74f5eb3300b4fb3395d76fe18",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Global Administrator Role Addition to PIM User",
|
|
"sha256": "949a29e953474fdd157968152b5f042ae8ae183a290987734bb6da5531768708",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "63aa1ef0d6d57f12c96fc6e75efbdab828dd316c6b2f0a6a0a42d2f267d96d38",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Application",
|
|
"sha256": "6dc4ff7b0ca3ce5144945a41508e56d1514037be901492a1a07c1baad5e0cc53",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "3649a9e5f7f06ca5add24938496f6744502a46039427507b7476e0a0eefd433f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Print Spooler Child Process",
|
|
"sha256": "ffff54efe92b0b34c640b799f5913f2e603eb1c16dc0ee6b149d1f2ef77ea848",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
|
|
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
|
|
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"eea82229-b002-470e-a9e1-00be38b14d32": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
|
|
"sha256": "7519e10f04979705d086ea59631e81722e1d34e67fda721159127bb5655d02f4",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "BPF filter applied using TC",
|
|
"sha256": "240e4885a29c84f4e094b95b83d14d2207406f69283bd92ea24c1a91b1f10cc7",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
|
|
"sha256": "d5464847287f6bf63541e235d3dbaf765d067eb31f71d1ffd314a34df2215866",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "afebe75e87167450ec7bb066db9882b60e12c6c2edcb3dfdd1cb58f874b7ba77",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Child Processes of RunDLL32",
|
|
"sha256": "e0388bd1b4ff680dd45ee91106d8a9f2dcb5ee113d0352e95bd770c8380154c3",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious HTML File Creation",
|
|
"sha256": "9d64431c94337938c4c704be535f27fe958c3c735a818e76235f962d68de3ba8",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Administrator Role Assigned to an Okta User",
|
|
"sha256": "1702f9d302ca3492bc215a85a0ab94b7db183f3f162e2419ecf3119b1fe07848",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Remove File Quarantine Attribute",
|
|
"sha256": "d4eed78d57a556fbb670ded91a71216e15608586b2b5e504e42a1d438601a498",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f0bc081a-2346-4744-a6a4-81514817e888": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Alert Suppression Rule Created or Modified",
|
|
"sha256": "1aac937a034e9aa7d16663a9672358b86762197d05247fbf54a3ed273dc682b3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution with Explicit Credentials via Scripting",
|
|
"sha256": "2422b876fdaf75df87f0a2db4f592320544510433ad37c7b813ad965d3426f74",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Code Execution via Web Server",
|
|
"sha256": "8b990562a1f44e29b7bdea5e80f5b5267cd544cdbceeb9e2701bbf05bdd871b7",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Forwarded Google Workspace Security Alert",
|
|
"sha256": "1a2ce130f9e8b773c7d97020fa3039a810ef71d16d18da31f8f66f7e75a99823",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Login Item via Apple Script",
|
|
"sha256": "76871153b8f946b50a1428f2f0b6ae4bbb5e04bacb9ad6b3ac8010b4b58ff3bb",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"f28e2be4-6eca-4349-bdd9-381573730c22": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
|
|
"sha256": "fae3022832bba52aa96f96a5820befcf308d0bc3fb40b143a1b3851fa7587f74",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SIP Provider Modification",
|
|
"sha256": "0e01e6fbda612f223222e52285fcf518b9ec05ff45be82a30bcc1d25de0c8a8c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "290ca87439a6c50b593ead7fd9bc4163c694e9c36cdf851ecf94205976c27db3",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Instance Creation",
|
|
"sha256": "b651f1ca6d3ab216e2d8200b45fd47d9145ee157f7fb9721742ab5a2453b0b24",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application",
|
|
"sha256": "1c9f0eda512ddf61d6f14d57b1d9b43c1d536d18363af1701e9c65b85a11029a",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f3475224-b179-4f78-8877-c2bd64c26b88": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WMI Incoming Lateral Movement",
|
|
"sha256": "1d65405e3a141efabf26956dc78098b7d9fe83781bc411edf9e363134ec8b786",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
|
|
"sha256": "16fad25f10dc1f87c6eb3b75be730b6858bd53d102f1b7170924c564f1c8e44f",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Microsoft Office AddIns",
|
|
"sha256": "fc59baca6154934a278cb36b8e28b8a350aded173cfc926c81ff3f3104eb78ff",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
|
|
"sha256": "ae126a233c50576be64001b5bd356bcc3f893da8117eb1998860f3032d9cd843",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"f52362cd-baf1-4b6d-84be-064efc826461": {
|
|
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
|
|
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "c93b6e0ec67483b519d5a0a62bea6c2c982fdc8c95ff8622a61947ded5e03501",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "SSH Connection Established Inside A Running Container",
|
|
"sha256": "0497d2f2186950f74dad518251820ffe9228c31a2ccb1b3c159404315f95bd73",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Masquerading Space After Filename",
|
|
"sha256": "a559ca7121903cf65479de35c9ed90846397108b147ba631b6ad9de1b8163b15",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Firewall Disabled via PowerShell",
|
|
"sha256": "ff641e7598ebdc2a99babfc04143d9405837dc9ca1e9582033bccbc6b9ceba61",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Delete Volume USN Journal with Fsutil",
|
|
"sha256": "7de275e076290256a87e2b3ed3126155aff4a5209d89b16f1c4bbb4f0f3c0b8e",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SoftwareUpdate Preferences Modification",
|
|
"sha256": "4382882cbcfede8d1ceea24ec9f5c576a60b05120e318caa9b3473e209eb5980",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Service Principal Credentials Added",
|
|
"sha256": "5ce0477a42d9ef224de6a9ce9e33d0348397e764da6da42221c86966aa7e0ab4",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"f772ec8a-e182-483c-91d2-72058f76a44c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudWatch Alarm Deletion",
|
|
"sha256": "6df2c964d4d87ff046075f9fe75f50531c2aa705fe95b48424d3c67e93c72d19",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "SSH Authorized Keys File Modified Inside a Container",
|
|
"sha256": "2179922e45f0a8d83c90093043df5f489b6ba133ed307beb56f9adc3ed75f0fe",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistent Scripts in the Startup Directory",
|
|
"sha256": "0316437403ae4997016f987853162fd22b5e54b80dc6c9206836bca7ebea5289",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f81ee52c-297e-46d9-9205-07e66931df26": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
|
|
"sha256": "c90e4ef68669c1b33b27ea8d72d33a3696486d7a6e0c54761f9c1d62e68c90af",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
|
|
"sha256": "d509965ca676f0870176b71b54d8bd5592c0245870ffb87a3fcc08c12140ecc4",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of AmsiEnable Registry Key",
|
|
"sha256": "27a7751430d2ca999e785298013ef016d5292094e1c6a0f8f49597e703897be2",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Configuration Discovery",
|
|
"sha256": "65a864cf0766e583509618ade7f897afb31cde49fb11e658f7d9dd60e5818a3f",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"f95972d3-c23b-463b-89a8-796b3f369b49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Ingress Transfer via Windows BITS",
|
|
"sha256": "dec9ce2bb37f679b3e98e000f97e65c4a1f4583c02df2f8437d5762ba2e37bcc",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privileged Account Brute Force",
|
|
"sha256": "c67bc41d6b644a9cf786aba0b9386e5e335442b936ec855d6bdf0bcc65da7be4",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"f994964f-6fce-4d75-8e79-e16ccc412588": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Activity Reported by Okta User",
|
|
"sha256": "f6bd7eceac3a9f5c358384b9eb45ceb6fe554256572255ed542f2f087252080d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Copy to a Hidden Share",
|
|
"sha256": "8ecabfec5fc07d2e9e561bdde54f8ffbf85206b9803ed197be6c60ad994de95a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential External Linux SSH Brute Force Detected",
|
|
"sha256": "22bdd0c7c19d5d6ff442fa9f2b144ee3b3f22946260682c600ca00aec709918e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"fa488440-04cc-41d7-9279-539387bf2a17": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Antimalware Scan Interface DLL",
|
|
"sha256": "6d7e75ea4a3a50ab5c594642e4138706ea7f62b164107b88164b6e25446be22e",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Registration Utility",
|
|
"sha256": "83991214d50a508240cb5807293a7b8e1f12e34a3c8023edd8fce38fc9136a78",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
|
|
"rule_name": "Auditd Max Failed Login Attempts",
|
|
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"fbd44836-0d69-4004-a0b4-03c20370c435": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Configuration Recorder Stopped",
|
|
"sha256": "fb31bb23b6bebb35b93af0a5cc1b9f83f20c53b4e4f7f342d2939cc702946376",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
|
|
"sha256": "605b3cad24235f69f0cb88b5dbfd0279ece71f71534ebb50478ff8334194dc96",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the expect command",
|
|
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Application Shimming via Sdbinst",
|
|
"sha256": "9861db3b35101e0a676d54701eb283a724fd134bb6258b78947cf822c65f8e8f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious CertUtil Commands",
|
|
"sha256": "5e95e13136d2a40d4cac8736b2f8020f5f0f1c73ddff780a8516e4d2af8441d7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Svchost spawning Cmd",
|
|
"sha256": "cb9159a807c7bf419c813dc5aefd2f35b857b47c0afa8b562fa37c543da6d949",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Windows Defender Tampering",
|
|
"sha256": "8fdd8c5eb699e517af1963888489037d4d822f772c30fc34c0a9b2758e276bf6",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "MS Office Macro Security Registry Modifications",
|
|
"sha256": "9f121b7d63852994a3536d29acc723ba72ef9fab337f739de2cb7fbfaa799970",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
|
|
"sha256": "7ab43899684dc9dfdbd0d111723d74eae5ec0abc9b4ddd9c6e06896ed083af8b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
|
|
"sha256": "3195e2b37d0512e7794688c505f2fbe5a9af3e7c280b1053813ec6fd2d2161f6",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
|
|
"min_stack_version": "8.7",
|
|
"rule_name": "LSASS Process Access via Windows API",
|
|
"sha256": "a0010039a90050600c333ac139cd9156796b2946336ed574f328dd81d6555044",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
|
|
"sha256": "b2a97a4e796fd889d8a2767c60e251b137c8dd7025a5caf5a1099c25fc09e8c2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Firewall Rule Deletion",
|
|
"sha256": "8a645f8478dab790e42789002632db237ffb037d316bf71e2c36521149813d15",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
} |