github-actions[bot]
de2b97a492
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 * Update detection_rules/etc/version.lock.json --------- Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
7352 lines
269 KiB
JSON
7352 lines
269 KiB
JSON
{
|
|
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Policy Rule",
|
|
"sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"00140285-b827-4aee-aa09-8113f58a08f3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "d30c57775c5b17bd01a68c5752337e391ce2d7db5cb8aa6eccbc9a54c200c86c",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "8f7269ea080f0c8f9d2257a9ed2e32139f4c2c1cd0dbc9ebf61ee83987b10d83",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Google Workspace Suspended User Account Renewed",
|
|
"sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"0136b315-b566-482f-866c-1d8e2477ba16": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 User Restricted from Sending Email",
|
|
"sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"015cca13-8832-49ac-a01b-a396114809f6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Redshift Cluster Creation",
|
|
"sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Network Scan Detected",
|
|
"sha256": "22c367ac24c7772c54e861eaef3c3cc0d8677b1dbecc70626f38c6ba482f1eb2",
|
|
"type": "threshold",
|
|
"version": 2
|
|
},
|
|
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Cookies Theft via Browser Debugging",
|
|
"sha256": "1fcc8d07520fa392cbd941dbaaac5fef1dc5dee48d5ab029ca64cc5409f7089a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Process Created with an Elevated Token",
|
|
"sha256": "6c3c1a1a62be741fbfd99c0d2a69725f05c69adb7d911d8241132facbd72dbe8",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"02a4576a-7480-4284-9327-548a806b5e48": {
|
|
"min_stack_version": "8.8",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a",
|
|
"type": "eql",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "789be8d5147c605bb71d3b8591d50e528487c9440450bf27e1711d36edb5b5c5",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dumping Account Hashes via Built-In Commands",
|
|
"sha256": "7a5170b3aaae9d499bfda31675011334d8bc6f2ce992414981042ce2563e0efe",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
|
|
"sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"035889c4-2686-4583-a7df-67f89c292f2c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Process and/or Service Terminations",
|
|
"sha256": "71c36a582a1af6f143c5b2316611eceae40fef43328be88831c24b2317e7ccae",
|
|
"type": "threshold",
|
|
"version": 106
|
|
},
|
|
"03a514d9-500e-443e-b6a9-72718c548f6c": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "SSH Process Launched From Inside A Container",
|
|
"sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"0415f22a-2336-45fa-ba07-618a5942e22c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of OpenSSH Binaries",
|
|
"sha256": "4cb2b6b77c91784f961b4347413643db618e2f27805ae42c5d6087ba7e5a9794",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
|
|
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure AD Global Administrator Role Assigned",
|
|
"sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
|
|
"sha256": "242d70865b8ccc44b23dc4c85ec781e9f6de7966acae6376216fe6157df81b72",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"0564fb9d-90b9-4234-a411-82a546dc1343": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "dc6dc5d5b9bb5d8022327de5bbdc2e934503ba0e31ae2336672439cbcc22bf74",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "7f1bba1cf96766fe9d2d0d21e7e7d03114483ebf1d91a52bdc7a370c5751699b",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "f31c9a7ea34568a5374ff1710793245daeb9aeb25b3a9a24e97f06a5888a0ca2",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"0635c542-1b96-4335-9b47-126582d2c19a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote System Discovery Commands",
|
|
"sha256": "21369e608f88a1ea5dcd90d5365bba2e9a909fabf973ed66e37e9136f5f0699a",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"06568a02-af29-4f20-929c-f3af281e41aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Time Discovery",
|
|
"sha256": "8534280f701e221bc1312804c5bf3de446a2ef36dd62d6e9bc6e3bb765c9cf76",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
|
|
"sha256": "15afab23b7e9efd31d6586f78173366c7895bb1610bd6431cfc8cf2daf8dc063",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "ff88a573a0a319738afbfe4b609f25b741830e26d67d348a9b995e5a9d489dcb",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"074464f9-f30d-4029-8c03-0ed237fffec7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "f00b9c39c021a4f1b4bbb9b99497ddbe906de70e57582440fa6dc315977892e7",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GitHub Protected Branch Settings Changed",
|
|
"sha256": "b801d28bb5398fb531f21cecefae0f3c21b0d7b4c675fc8349ccf4448e7a2b7c",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
|
|
"sha256": "5839a3666d7e0133ba8b7e42ac89b59b39e750d0b97a3b3583b69c13de90129a",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Local Account TokenFilter Policy Disabled",
|
|
"sha256": "a31f827db85593474e5766adaf71c535a3a5d7ce628347b6b7e606bdb261bd04",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "4ec0b63c545009d7d16d34cd9b95f34edbcf4135f498aa77a805f544b07e6310",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"080bc66a-5d56-4d1f-8071-817671716db9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Browser Child Process",
|
|
"sha256": "9170960c7d48e8e84833ee33402dc9fc313e3f5fc219be8eebf6c3fef43b13d6",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
|
|
"sha256": "c0576e652d149dba1c8803419d6a632c9e994ab1037dbd4d33c61e67e376b878",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"083fa162-e790-4d85-9aeb-4fea04188adb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Hidden Child Process of Launchd",
|
|
"sha256": "24161e1b97e4d175337171d4edb04ae53af62b618e97bfadae325175a6a804b9",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "First Time Seen Removable Device",
|
|
"sha256": "8f68357de02e845b6234f38e1867817fe26ebc0f260faded9b8c6d2be88b2ae0",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"089db1af-740d-4d84-9a5b-babd6de143b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Account or Group Discovery",
|
|
"sha256": "9c4c3dc22f5ae081c7fce7c1cb6523dabdd5affb3e5b4ffce5fe00ec5dd65815",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"092b068f-84ac-485d-8a55-7dd9e006715f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Launch Agent or Daemon",
|
|
"sha256": "f6144e95dc8aa7800b86c6582df0d1251a9c27f1585675fa011b5ac9ebe844c2",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"09443c92-46b3-45a4-8f25-383b028b258d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Termination followed by Deletion",
|
|
"sha256": "b47a3759b8145c73009358643478d070d44505235b1c16c6282bf2925986ffaa",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
|
|
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
|
|
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"09bc6c90-7501-494d-b015-5d988dc3f233": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
|
|
"sha256": "094055b11724accc14288884bea8d069e3e5c1c1d32159a9b78fc9d7808cdc3a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
|
|
"sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Malware - Detected - Elastic Endgame",
|
|
"sha256": "e7526826870e2810425f96e236661c418fd0b78632279740ea92cfe0edc0de6c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
|
|
"sha256": "6292561dbd089951c5f89ea4611e1d54d55397b493aa93f8cdba5c3e5f7e09fa",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User account exposed to Kerberoasting",
|
|
"sha256": "0cdcc5efba4bbbddd11d3637a92be7d075bd2bbd3e8f44698ea7dde40dc77ea1",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"0b803267-74c5-444d-ae29-32b5db2d562a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shell via Wildcard Injection Detected",
|
|
"sha256": "cd1a313ebc7c4d9e532bb43100c4d5c06d27676750ffde616f9aec4fcb71d086",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Processes with Trailing Spaces",
|
|
"sha256": "e4ad46e5487eedd9a600516e6aaaef43bfdd74f9bab9254376a7ab03846dbdf1",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Threat Intel IP Address Indicator Match",
|
|
"sha256": "421308bb2c832aaa4cdbefbde389b0ff645e12fc5d7ea78c9296139099772abb",
|
|
"type": "threat_match",
|
|
"version": 3
|
|
},
|
|
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "5b50fcf0eaef2f2da52e18a413845a9342f1271d669f06c117524bd4afb7db27",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
|
|
"min_stack_version": "8.5",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Threat Intel Indicator Match",
|
|
"sha256": "92b2fe11e138552116f69ae042966934b52ed36c6cfa6e03831de7f703c68bca",
|
|
"type": "threat_match",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Deprecated - Threat Intel Indicator Match",
|
|
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
|
|
"type": "threat_match",
|
|
"version": 204
|
|
},
|
|
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
|
|
"sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Alerts Involving a User",
|
|
"sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "b526d1555e13cf130c9d0129928555065e1f976d20616cd8863f9e2f7c8720e6",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of File Written or Modified by Microsoft Office",
|
|
"sha256": "b2d0f5656de26bb1163ed5edbb9bf90bde8a599b310b94c0eb3e629ddc0b93a3",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SharePoint Malware File Upload",
|
|
"sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Key Creation",
|
|
"sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "704d15579a6028b995cfd93bc3a2d782e75c41c656cdcc7c5673f782b70396b5",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
|
|
"min_stack_version": "8.6",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 102,
|
|
"rule_name": "RC Script Creation",
|
|
"sha256": "56ff748867dc738357a731cfd37b4ae44c954383780d616e3d9034aed76dd9e1",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Persistence Through Run Control Detected",
|
|
"sha256": "cd15e73bb94658d23cc9c074c1ace32b319514089fac6deb29e145d0179bb131",
|
|
"type": "new_terms",
|
|
"version": 106
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
|
|
"min_stack_version": "8.8",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720",
|
|
"type": "threshold",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "11e0bf29e964bfa87c51e81ea74a1e1174e444b2585a44c67e5a7db58fd0391a",
|
|
"type": "threshold",
|
|
"version": 206
|
|
},
|
|
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Root Crontab File Modification",
|
|
"sha256": "e840e03f40e5ac088e2f850f08c2b1286f607a659a430a7051e44d31213c7a22",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"10754992-28c7-4472-be5b-f3770fd04f2d": {
|
|
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
|
|
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WebProxy Settings Modification",
|
|
"sha256": "264c4b78490cec9fae3de080bd655b5a1c53ff31c54b5704c76834b583f0516b",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"11013227-0301-4a8c-b150-4db924484475": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Abnormally Large DNS Response",
|
|
"sha256": "7ae8452448297fae3af27315e9a0cd50e7419f0dec791237656f8859df113c3f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
|
|
"sha256": "6ed2244e093a1870d45df1482662e4f762ce4734090878e0a1d1a06e9675b775",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "faeaccab4b1a4766cc93a7b427cb7250df74ac218438d547281678e44d7a3cd9",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a5": {
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
|
|
"sha256": "f455fef003011587f2e1a56fce94b03276f7155952af5cd091a8eadf88a62e68",
|
|
"type": "query",
|
|
"version": 7
|
|
},
|
|
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
|
|
"sha256": "8614adabfa74ea56500abff063edfd0fab24a93e560df2fdfd68d3a60b78fa10",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"12051077-0124-4394-9522-8f4f4db1d674": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
|
|
"sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"128468bf-cab1-4637-99ea-fdf3780a4609": {
|
|
"min_stack_version": "8.8",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Suspicious Lsass Process Access",
|
|
"sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Lsass Process Access",
|
|
"sha256": "76c9bb0e0674d8903c7f1429ef3267a939de6bd90838451429533396f7bfbbb8",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "658882e3d31e0988978c24743e8f15fb3423fde5b395cbfc75a641548a291359",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "be2beac962529968b937bc8b019d5fd86147ea3a835ac837709352145e20bdfb",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"12cbf709-69e8-4055-94f9-24314385c27e": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "00e261301692eeb8bc7453cbea5c4605ca9c6d2ae38199b35ad83ffd4a9d0c4b",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "aced9ff9e762b1884af066530083db98a9ccfeb24195d8f89c6344ca22a77d00",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"12de29d4-bbb0-4eef-b687-857e8a163870": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
|
|
"sha256": "6a69ca21111665ced0b0cc269c53ac00d37ac29fccb5d3e5d04abe8e0de046d6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "fcf12be61708b748f14f6ae118e930f2c5ebf65992bc3df225f66c5dad6ed0b6",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "d49a0d61c82206a76e5ea5062c272c71b644034b559db7579c8be76bb8dc36d6",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Rare User Logon",
|
|
"sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure External Guest User Invitation",
|
|
"sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "54422260766b12b7477aec8acb27085b1eae0a36285553d26e5730bce422e7a9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"14dab405-5dd9-450c-8106-72951af2391f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Office Test Registry Persistence",
|
|
"sha256": "2a26bc9292902c92d9bc73a14ff7e20ffa9c0904b209692b1e8e23bd32c88fb3",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "3d39cfe20aef41ad7da949c25c18b33868177276c2c4ee9af234be4282e68392",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "2b3001e30acc01d9f64cf5554b3ca2ea3e9bcb22df0ef756717434b46b95919d",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "afca97139ffb2af012ea212958cd4118f14e183943e7c030e5ac45d06a430450",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Scheduled Task Execution at Scale via GPO",
|
|
"sha256": "17c01410a2573124cf140a518366b8a585209a201bfee33b5f7d855fa9b07e2c",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "65f575f302777f8e9f896d45ad7e2b53416d03fc3d711a6058f740c933b3e1c4",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"15dacaa0-5b90-466b-acab-63435a59701a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Private Network Connection Attempt",
|
|
"sha256": "d963ef7eb139996297e8b66dc040b9ed8dd898130265bc0f428c48f57690155d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Runbook Created or Modified",
|
|
"sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"166727ab-6768-4e26-b80c-948b228ffc06": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Creation Time Changed",
|
|
"sha256": "a13ea0c57c34bf29a26117cd89ad3d1760dedb9b4fa54adcc0eee079fa605f83",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"16904215-2c95-4ac8-bf5c-12354e047192": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Kerberos Attack via Bifrost",
|
|
"sha256": "0c96bfd65d7b122ff4af72519d72f2fc9837dcb1d9189a96e7c51301cf0ebcc5",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"16a52c14-7883-47af-8745-9357803f0d4c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Component Object Model Hijacking",
|
|
"sha256": "436bc1aff82273c9504f7df46a2ce3c1653d4dd9864c1580f5ecb99a74c6e3cf",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup/Logon Script added to Group Policy Object",
|
|
"sha256": "da818e423eb85083fbcbe6984e8f3a75595575cfe82ec3d62e8a531eb3627fad",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "New Systemd Service Created by Previously Unknown Process",
|
|
"sha256": "bd8754496ad2a53571780aab55b02d8dbe4aa20329da96a586b6f81cb7fecdf8",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Renamed Utility Executed with Short Program Name",
|
|
"sha256": "333e76901898def53aa58c45b53af5fa36c5089a44572e8677b626c99d9e9864",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Sink Modification",
|
|
"sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
|
|
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
|
|
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
|
|
"sha256": "1169776f997d618e40607bc71cdd85c338f7c14f158c845f3ab3ab48922d23f4",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
},
|
|
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Suspicious Network Tool Launched Inside A Container",
|
|
"sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Application Credential Modification",
|
|
"sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "c9a9234db42533396f1a25a5036711a9363213918faa1187a99e65ae616c78b4",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "bd9e8d97604e499b249740f537c152e6e886cd82a2d77ceda0bbd4ef99ac37b4",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "68f0d73167458fd1589c365cfb07d8bdf9d49e3368435dd8ad08d5eda2d180a4",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
|
|
"sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
|
|
"sha256": "8b67ccd035342354a2698b9006811320c186cc7a6caebc0aaff26698e08a45bd",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
|
|
"sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious File Creation in /etc for Persistence",
|
|
"sha256": "3113571e7885f573582d119f9e0905d33369509446e7a2729497380f27d3d077",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Rolebindings Created",
|
|
"sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming Execution via WinRM Remote Shell",
|
|
"sha256": "38ff22d9612874236bb0fdc1ac65f9f649734272e2484b7058245985ecadd621",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1d276579-3380-4095-ad38-e596a01bc64f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via Script Interpreter",
|
|
"sha256": "6e10cd53c6b8fef5635f3e97892648c45c1ef8219958c3ad9af076a08f6788b7",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "External IP Lookup from Non-Browser Process",
|
|
"sha256": "b1a5f097c5ad6885bbd55d4375fd72cfc09507c502321b80aec6edfe33bc3a75",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
|
|
"sha256": "a8152d99c80a969cc7354a42c0e8265cfaec6d349d3e41e85f38049db45a1755",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "cbdda8fa4a7ee1ebd5708a3bcc4aaf50947d560339f8f8c45effe6f0e8309a64",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Suspicious Inter-Process Communication via Outlook",
|
|
"sha256": "7ac0061e940b4f3f683e9552b00466fbce21ca52e1c3a8b5e155fffed0764c4d",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "2a864a262ee617027d2731c9da168a2d0d477cb915904829e10eb863ad881d85",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Discovery Capabilities",
|
|
"sha256": "3dccbfd612147d0714339a1a2d6ad16efe695f6d5d9ea764a595cec716beff1b",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"1e0b832e-957e-43ae-b319-db82d228c908": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Storage Account Key Regenerated",
|
|
"sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of SettingContent-ms Files",
|
|
"sha256": "a57fdc00e51caf3e5c8c515a75a6b8e8bc79b4e2dbb0f9fb97bc36859dd60525",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Sudo Activity",
|
|
"sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
|
|
"sha256": "c337c7433541d6bf75e616d8dc86c568517d3347e447eebff25c5aa98637d74f",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process Execution on WBEM Path",
|
|
"sha256": "7d596dca903c48dde13a6b90746947628693b11dd9140e3eb89ca6eba10ae966",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux User Calling the Metadata Service",
|
|
"sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "f14eab4a7143c53fcd49fb00bb945fe9f86c0db1e63ad3b4fd1ceced47e484f1",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exploit - Detected - Elastic Endgame",
|
|
"sha256": "e985eb9816fbebe3599feb87b715f34c43f15a76293dc8ebefa29e0d5b6a7e3f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "838a9d840a2c93100aa9faf4b4291f9c968db9e541f1cf59807bd041b0d88a94",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "f38629eb459ab9343b9f3748109d6c691baf729de86d85d83d10c0740baa869a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
|
|
"sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access of Stored Browser Credentials",
|
|
"sha256": "f8275d90cfe0ef660c6505002f3eb7a22afc1b4c189c9ba4e9f9dd4184dc1161",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"205b52c4-9c28-4af4-8979-935f3278d61a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Werfault ReflectDebugger Persistence",
|
|
"sha256": "6178ac16e7a1b92253a4eae0123a253627554a9bb2d28ac941328fb97f5250dc",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "LSASS Memory Dump Handle Access",
|
|
"sha256": "1c23cc9b4544d51bbbd10ce33e915cb6276bf71aeedc24400651d0995cb17dcc",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
|
|
"rule_name": "Auditd Max Login Sessions",
|
|
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"210d4430-b371-470e-b879-80b7182aa75e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mofcomp Activity",
|
|
"sha256": "d42c6a1889b42bcd83cb46d9838038cfd4248b792d5fef1abc4cedc81b269d4a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
|
|
"sha256": "ec8d63e382350e56393f2ddda05cf6e288ce88da4ee9c9d5976adaff99779885",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
|
|
"sha256": "c54e0fcc5ec27640dfa0db638f45805ad4749c78972fa33cc061cab3f04f13d8",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SSH Authorized Keys File Modification",
|
|
"sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"22599847-5d13-48cb-8872-5796fee8692b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SUNBURST Command and Control Activity",
|
|
"sha256": "ba55f907ef22d742e948ef03ed381c51077959c108f1166ec3e32bca889d77f0",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Storage Bucket Permissions Modification",
|
|
"sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kernel module load via insmod",
|
|
"sha256": "716b6003b6a1bbcec145bd5ccdfc5283a40c843dc12fc82ff75fd26cc67b5b7c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "9567e972186b39d9f4d1a378dfb482b40eae9cc129ee8c83562223fb8f1a9a3a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"2605aa59-29ac-4662-afad-8d86257c7c91": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Suspicious DebugFS Root Device Access",
|
|
"sha256": "8bd9e051e381430287850aac140060e1c4eb55636e83ae0d010d241069f208cb",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Blob Container Access Level Modification",
|
|
"sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "158c5a76f4a4ff8441aa5189db7ca3f8677a210f01a9023decd1732862ef8f46",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
|
|
"sha256": "3beffde62280896b2aa6df7e414ebeb74f72233abfefcc99493b20c3c02d6aed",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"26edba02-6979-4bce-920a-70b080a7be81": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
|
|
"sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
|
|
"sha256": "6034810ddf957379536be3d43d1d1f5868b60b212e1e0224b1347552764b3240",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"27071ea3-e806-4697-8abc-e22c92aa4293": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Archive Compression Capabilities",
|
|
"sha256": "2173b0cc2bec6028b91c5b9a051908ca9d6ea87cae8c881a23622b6239e85eee",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"272a6484-2663-46db-a532-ef734bf9a796": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
|
|
"sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"2772264c-6fb9-4d9d-9014-b416eed21254": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming Execution via PowerShell Remoting",
|
|
"sha256": "ed68bcf2e292ec89f9e8f578e9e4847812fd4177fa242725286c16db53ff03e0",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Firewall Rule Modification",
|
|
"sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams External Access Enabled",
|
|
"sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Password Reset Remotely",
|
|
"sha256": "4e81da588d72ce375e5c9d046ebc2d09776070111a26ad970d2a12b048741c4d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Discovery Command via SYSTEM Account",
|
|
"sha256": "8ba669048ae42b7afd8f153bbae5a1b181f3d070db1241c38c847c1fe4dae0e1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exploit - Prevented - Elastic Endgame",
|
|
"sha256": "2cd4ef3408eed788d9622c7de25f23314bbe10bbc4d7cfeb94d651618911ad94",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"28738f9f-7427-4d23-bc69-756708b5f624": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious File Changes Activity Detected",
|
|
"sha256": "6d8b1a876a2e1ce2967be858e2e4cfecd82d84c47b08d8e33c72e22725073eb2",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"28896382-7d4f-4d50-9b72-67091901fd26": {
|
|
"rule_name": "Suspicious Process from Conhost",
|
|
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"28d39238-0c01-420a-b77a-24e5a7378663": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sudo Command Enumeration Detected",
|
|
"sha256": "ea5c6d696a82dd4d7d63fb04dd726e8b1fb33ac4622151663d19d31ef7a99a67",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Security Group Configuration Change Detection",
|
|
"sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"290aca65-e94d-403b-ba0f-62f320e63f51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
|
|
"sha256": "47309853f13ad591cfcbb60814b5c1a7c731abfc3f5349fbb5e9acb25b347134",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"2917d495-59bd-4250-b395-c29409b76086": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
|
|
"sha256": "e1d3e0942816bd8564b7abde73127790f145ce3332346d041fbc1e0421600524",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Privileged Local Groups Membership",
|
|
"sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux SSH X11 Forwarding",
|
|
"sha256": "8e67f5c7d845b4018e1be6a13d83ea84ba3cf8d5aa448dec49e7e3672158a0fc",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"2a692072-d78d-42f3-a48a-775677d79c4e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Code Execution via Postgresql",
|
|
"sha256": "2f246e33c5b5318512de95d017377941e955a43a607619340a1ee900353ca612",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
|
|
"sha256": "bd95cc69164fae41e991e31ae5435c01f2785e2c361dafea62766db0b0f66a10",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
|
|
"sha256": "ac1d0b24c8b4fdd50c135a7ecd4193f9584cb7fdc8d82531c70122b5826e9a5c",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Discovery via Grep",
|
|
"sha256": "8193724c74f8c3bda981c1ea69c1775177c530e3a5d30e2387577bd4abaa66f2",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "9aeae912e062be1da7e7f26a9a5cb726d945ce4bba3c5b040a131c5636920a59",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Defender Exclusions Added via PowerShell",
|
|
"sha256": "5d23ecdc51a103c5863a93a34aea633e2691b91c8dbeb2a3551c652bfc691f8f",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
|
|
"sha256": "86de8c98200d07e566af71b1fa99113d43b1493e4faf47609359a69d1f0138b4",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"min_stack_version": "8.6",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "b3bad6443210cec62c090d0872efcafedb7565ac5fed882aa46afab6073c4e08",
|
|
"type": "eql",
|
|
"version": 105
|
|
}
|
|
},
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "e66fa90d3d617373ae52b10b1487f5d53b35fea7e11bf4371ccaf37fe0782482",
|
|
"type": "new_terms",
|
|
"version": 205
|
|
},
|
|
"2dd480be-1263-4d9c-8672-172928f6789a": {
|
|
"min_stack_version": "8.8",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 207,
|
|
"rule_name": "Suspicious Process Access via Direct System Call",
|
|
"sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Process Access via Direct System Call",
|
|
"sha256": "df14ef4e07fceb0c56c6aa4890c718fa6bd9c54adc900f5bf264727e7a7c0d37",
|
|
"type": "eql",
|
|
"version": 208
|
|
},
|
|
"2de10e77-c144-4e69-afb7-344e7127abd0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
|
|
"sha256": "6bbeaa26cdd427d0a628c899b4f643da7efd6be92918fc554a679d294bf1e136",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Wireless Credential Dumping using Netsh Command",
|
|
"sha256": "7c1c93dc3cbb29566f0cea895464bfbda60a453682f8184de11de21ca49597b1",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Renamed AutoIt Scripts Interpreter",
|
|
"sha256": "00fd95465bfe881a5dfb2b30e171b6d3addca0be3abcb66e67427c52a8e540fe",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Process Injection via PowerShell",
|
|
"sha256": "58530124be115763c6110e3c32f34e5fc8c70fa063e74e97252e3dcccc45a1f0",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"2e311539-cd88-4a85-a301-04f38795007c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Accessing Outlook Data Files",
|
|
"sha256": "143b6346fd2ca02b863de7457499fe60da116e99bc385dce6d07aa870d1e2054",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"2e580225-2a58-48ef-938b-572933be06fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Halfbaked Command and Control Beacon",
|
|
"sha256": "09e550845fb86206a91ec5d634e2a5427e344a491c0c76e59a66b6f4a4d4f99e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of a Hidden Local User Account",
|
|
"sha256": "c682c5d7a2d90176791ea60cfc2d52a941a2c145e96c42c88a6802013e6d594e",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
|
|
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
|
|
"sha256": "ec46e116c1fd77711b1cc1c49189cb9495b50a6d18e577cd1d5214de5233c641",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "2a77643c47329e2c910e5c86d8c3b2f0cf2b93527ad5bc129d7e614c07ba6369",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup Folder Persistence via Unsigned Process",
|
|
"sha256": "2164ee6d1c3cd39e214f6c965e6cbd0a1dd158e51dd0d883fe83d6915d5f4621",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Defender Disabled via Registry Modification",
|
|
"sha256": "414eb4b19b8f79b0c86119bc090d5a342e45837af770df8d3365d3ab81bf5036",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"30562697-9859-4ae0-a8c5-dab45d664170": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Firewall Rule Creation",
|
|
"sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Timestomping using Touch Command",
|
|
"sha256": "9375d07c27d373fae95ace527be0d4a8117abd263b43adfb31536459bda562a9",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Agent Spoofing - Mismatched Agent ID",
|
|
"sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
|
|
"sha256": "394278b77c3a54380ee197c9763706f2e530452d5b564a4c0d6b14137d57f87e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "c52ce2472b85ca6486fe8ffef36ba98c35db8cd02a58a3e00cbdfbe6448fa7e7",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"3202e172-01b1-4738-a932-d024c514ba72": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Topic Deletion",
|
|
"sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"323cb487-279d-4218-bcbd-a568efe930c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Network Watcher Deletion",
|
|
"sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "f989ae55a6fdc1e9c9a11c92fd231aa626b1bb662b0a119d8f5cae8d3c0f3577",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Program Files Directory Masquerading",
|
|
"sha256": "f389c3e2a3f8696ba905bbf5f2e7cd9d651bba9bc241a8a4d1b2b38ae984e5a7",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "bfcb1a92ded4fab88e6d4e463b78405b82e80e00b2b0e1260ba1ff8164ac01dd",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM User Addition to Group",
|
|
"sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "ESXI Discovery via Find",
|
|
"sha256": "9d95402d5a02b1571ef1d3e5ad966c19fd3cbeff7b5fa58198ac9151e1923ba0",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via PowerShell",
|
|
"sha256": "9a87c68d2c67e9d7c764bd3e0b48bc4c59f6ef3559661cf0ac814f61ec9bbab6",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"342f834b-21a6-41bf-878c-87d116eba3ee": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container",
|
|
"sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GitHub Repository Deleted",
|
|
"sha256": "82225047c1559d8bba7c15944953088395802e8a1ad8fd0552714eee65b22635",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Accepted Default Telnet Port Connection",
|
|
"sha256": "6fde829b7083578ace3bcf3cb7d8c73a7cc94241c0a398fbc0d6b2ccf1f46505",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via Electron Child Process Node.js Module",
|
|
"sha256": "190febf9658cb01dd1a472ea2d24563052fffcf60417fbc65be5593e38ad92f5",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Port Forwarding Rule Addition",
|
|
"sha256": "83831c2c3a4be02d59440da6f570b9d7e7064ecf5fa6df5565f36e68b68cd2ce",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "eb0fbd449489cc0545518f8343446262c27a6955ff5c0843713e629582eb112d",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"35f86980-1fb1-4dff-b311-3be941549c8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Traffic to Rare Destination Country",
|
|
"sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
|
|
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
|
|
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"3688577a-d196-11ec-90b0-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Started from Process ID (PID) File",
|
|
"sha256": "b4e738c5be1bba9711b183dd54a22a8c10aec54e4a5310352cc7ac4ad24b9af1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious ImagePath Service Creation",
|
|
"sha256": "2684dc4258fdff2568772c371afcba2729e543adeac05d5e8fbad36f45417fec",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"3728c08d-9b70-456b-b6b8-007c7d246128": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Suspicious File Edit",
|
|
"sha256": "46076a578186ec461ee06fdb94def49ec0f94300cea3bd8364ebfc75895b65ae",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Security Group Creation",
|
|
"sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"37994bca-0611-4500-ab67-5588afe73b77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Active Directory High Risk Sign-in",
|
|
"sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
|
|
"rule_name": "Anomalous Kernel Module Activity",
|
|
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Execution via System Manager",
|
|
"sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"37f638ea-909d-4f94-9248-edd21e4a9906": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Finder Sync Plugin Registered and Enabled",
|
|
"sha256": "e43423649f4196e3471200c4baac5b465e0a667b3d1dbe95b7870b76ecd1410b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "c532585e329cfc2a78418e835c1c40593c75045ae9725cbc39486ac6a9236bde",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Prompt for Credentials with OSASCRIPT",
|
|
"sha256": "04689f3ff304d7f32e7686e38a520a66df28fb8ee9d2e13149768a9667183188",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added as Owner for Azure Service Principal",
|
|
"sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "External User Added to Google Workspace Group",
|
|
"sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Network Access Control List Creation",
|
|
"sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Downloaded Shortcut Files",
|
|
"sha256": "362ab87565072831948627491a1ba91889340030ce6f1438122322ffa57acb5d",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Microsoft Outlook VBA",
|
|
"sha256": "6f54ba0ae7f973881e6d519845715c8888960f217bdaffbbbcabf2ccd305c49f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential DNS Tunneling via NsLookup",
|
|
"sha256": "fd0213ea9905c71a65f94da36a92164a378cd8232856a0ac441ae9f7d49fb108",
|
|
"type": "threshold",
|
|
"version": 106
|
|
},
|
|
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Module Loaded by LSASS",
|
|
"sha256": "5daa50c7701a3bf0e4c82229b8fb7696df740f0bf74dd874a9283b541715f970",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "f452215a79041dee079474e59d224d2fb4c3c03ed44830b5e5d36e4d1ab89007",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Full Network Packet Capture Detected",
|
|
"sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Malware - Prevented - Elastic Endgame",
|
|
"sha256": "43bc73a5cbc5ccf4e81390755489787a2abc83ecabb1d94666471e4082fdd0a3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Parent Process for cmd.exe",
|
|
"sha256": "97b3141cf72282ca02c73091a527edf31e31d10d22d241e91c6d173bc1abd792",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "NTDS or SAM Database File Copied",
|
|
"sha256": "cd3c9afd05e54eb93da83e2d90065582aaad08ee77a94fae48f952f89c46e626",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Log Clear Capabilities",
|
|
"sha256": "26c1661135e8af69b7d550fd193137f635de465260e8fd9c383708024444180c",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
|
|
"sha256": "4d57fbe0eec06316d1ee5f24cf1f0a48bff5ed1d8f8bf4c944d57a25fc9c875e",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"3e3d15c6-1509-479a-b125-21718372157e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Emond Child Process",
|
|
"sha256": "1a46d0e2338b7c09dad075c99009e807ddc32b686924dbd5102dde8cc4736bde",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "34be040a61351672e5b29280ad568cf664732a1ab9ae5ac0b32bdb72b49f10f1",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
|
|
"min_stack_version": "8.8",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb",
|
|
"type": "eql",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "7cb2b7500b86c37fa3f51926431b8f44f6c119d48cf37e143cfa176f9facadb8",
|
|
"type": "eql",
|
|
"version": 207
|
|
},
|
|
"3efee4f0-182a-40a8-a835-102c68a4175d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
|
|
"sha256": "d864c81705b90eda8f509178fdd93a918d5d23bf207160ac4eef1159233974e1",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "CyberArk Privileged Access Security Error",
|
|
"sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Protocol Tunneling via Chisel Client",
|
|
"sha256": "337011e93c02efa090b9a19745d82c3d58fd18bee555ff69edaff5e9ff1466b7",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Binary Executed from Shared Memory Directory",
|
|
"sha256": "b3aad2bca92e5e1acd788cfd14d9606aa4b803a48bf303ad37e210739fec9d24",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Discovery via Built-In Applications",
|
|
"sha256": "f0fbc9841d89528d4653aecdb898606cdec1a669cbf73110c4cc05ec417c4ad2",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "5bb822cc67b9581124c21c5f4abb213946ce935b1c3f3ca248d1c2fcd9ce54e6",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Modprobe File Event",
|
|
"sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"416697ae-e468-4093-a93d-59661fa619ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "adeea0cfa04ee8759f832217f19f0ce3d6952e72c717c271909ab099034c8659",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "EggShell Backdoor Execution",
|
|
"sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Hidden Local User Account Creation",
|
|
"sha256": "8ddd47175f4b4ad6fa50a8ffba06037d5e67ddc829c8b6b6c09ec633b9aa2690",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Interactive Exec Command Launched Against A Running Container",
|
|
"sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"42eeee3d-947f-46d3-a14d-7036b962c266": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Creation via Secondary Logon",
|
|
"sha256": "ede0c21a7bcb75d8f44e0d0a869533c261bd3c91323dd5eef691534aefb54675",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux User Added to Privileged Group",
|
|
"sha256": "a48dc7ec63791f8c62b58bfbca37d6765b39621454d2720ac839e13758d02adb",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "c1524c8e450507403654a2f7bbdc7609ef590afe3fb8de408270d3c012559b54",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Masquerading as VLC DLL",
|
|
"sha256": "d3d1985a8512a777f4738794f03380c077f3c84594acd1aefdf22211a59bfba8",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Vault Web Credentials Read",
|
|
"sha256": "3338f91573d9f2de9fec741a8de8feac5f2b0486ab6c185b94f5f37b938c89fc",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
|
|
"sha256": "223843bf80e272f189bee419979e4fcda5a2022bcf2c5c1f15706307e1f98fb1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Event Logs Cleared",
|
|
"sha256": "841e18ac7c1e4cc6d98cdc33d34094f042f009d80854bb649f2de577141ba843",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"45d273fb-1dca-457d-9855-bcb302180c21": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Encrypting Files with WinRar or 7z",
|
|
"sha256": "a8e0ecc0284175dcd1f57756fc03477d87d4fecfee80397c01f1490f52ed9b66",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "99fb4c9799becbcb9eaf99a6b9a8c21d74415d2a27790c5e52798590df285c07",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "3df00646c1daf36bfe94ebc4e75150121576981877aeb3d5d6c17fc11bb6fb2b",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Potential Persistence Through init.d Detected",
|
|
"sha256": "ec686d5f69b96d1fefa61938439b2be36a7d62b6ec9a5277294454b9d21f090c",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Sensitive Files Compression Inside A Container",
|
|
"sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
|
"sha256": "5c400174c733b48a59cb568595f1b992705473fc85698c48a5006a770c99ddb6",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"47f76567-d58a-4fed-b32b-21f571e28910": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Apple Script Execution followed by Network Connection",
|
|
"sha256": "a59f49a0c0dd5d025e9c45e099c22c750b446326578357bac6d938f54780c991",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "bbe5ae3b8a285ccb4c26e9a210d268966a5996803f54073b159507458f48ee7b",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"48819484-9826-4083-9eba-1da74cd0eaf2": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
|
|
"sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Reverse Shell",
|
|
"sha256": "f29f06799ee7b6289d2ba8ffcd4908551efa144016a33e8eaa47b94f2370da97",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"48b6edfc-079d-4907-b43c-baffa243270d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Logon Failure from the same Source Address",
|
|
"sha256": "1ffc6db4a92f04db97e68bfd6a7d7ce6b90f4b4ca3accb51924be0ed5ebbcd9e",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
|
|
"sha256": "31b89667c022bf5310c60d364fc7c26136c4e66d8287d9bd7923dc18b558b647",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Periodic Tasks",
|
|
"sha256": "124568f19d6974b48f94c4143a09f425889761f827bdf17b97618850fbf315ae",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"493834ca-f861-414c-8602-150d5505b777": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
|
|
"sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Backdoor User Account Creation",
|
|
"sha256": "eb9cf2a2df73743755d82c3d776ba2ffd7f17ef1773d32e3def0fb2fd6c50988",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "e61b1bbcf81ae0a39c5740592307709fdd354ac9c7ca1cff724f403f2683e67e",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
|
|
"sha256": "b29c0c0615f8cdfe01647648349a42a142712d082bff8d986549ed7b4956c0d7",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Discovery Using Built-in Tools",
|
|
"sha256": "0f03ec3cf254ddaf2fb897452085888fda783e6d3394923b04505ac968500d17",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
|
|
"sha256": "4fbdf3bd4ba58ab5558059d13784148c40f700fc0726f9df2b88d02dcd301625",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
|
|
"sha256": "8a3258a1db6d86b53f94205b24cc30b455508da7981acdcec7d44df34131b612",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Cross Site Scripting (XSS)",
|
|
"sha256": "0ddba68a65a560e542542a531d9b0222a706b62e38442f5afb342b989f8d70fa",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Reverse Shell via Suspicious Parent Process",
|
|
"sha256": "92665fcb5d7f54bd4531c913e33b9cd692aa92cf5ee65941d69c6c2a0aa5c260",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "d7c419a09a28e530daed1534d397eb968d8b4695f1798649928228865fe7f1bd",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Container Workload Protection",
|
|
"sha256": "7dc1df259f2559b82c60fd64135e3a8b31538897e166eb5e423a3487b860e4d7",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "ProxyChains Activity",
|
|
"sha256": "afdf629d5be941e88364f49c8fdd9ad2f02b342950996749d59123c3e24ba71e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "dccb06c47c184196bb7064a9ac9d5eaf589159eb7776ac44300650a960c9445c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Share Enumeration Script",
|
|
"sha256": "c39e8202c6aa104cacdbd7f152f22e19bf2a5e6da299ab44464663d93c2175e1",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kernel Load or Unload via Kexec Detected",
|
|
"sha256": "06f6564ca643c6532abb1cdaa5f7b63ff7967e301d6d4c7fb188471da4c03140",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Management Console Brute Force of Root User Identity",
|
|
"sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable Gatekeeper",
|
|
"sha256": "2150ef27f2f7aa9e92efd14249439bdf38da42604f587b12651f9360dbe5512e",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "2f90c20e27fe53e8d19581d66c3700d0e607aeca622f713dffbee083470bdbf7",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Logon Failure Followed by Logon Success",
|
|
"sha256": "757d9270f22b3d376359ff570598911b4adcd81a9ca69970386248e414f5ba13",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"4ec47004-b34a-42e6-8003-376a123ea447": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Spawned from MOTD Detected",
|
|
"sha256": "d6507cd42eb759b19bc5d612350f5fee646f38be4fe487ebc7121f70ac057de9",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "93581d9de1f2ecba9d10b0b90fc4802c633fdc525cef6b539c20da833098dbfc",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Script Object Execution",
|
|
"sha256": "3b2f5bb731e55d25192b6e44e2f8e2453784591f0b9be178867e26489f73a694",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unauthorized Access to an Okta Application",
|
|
"sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"4fe9d835-40e1-452d-8230-17c147cafad8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "d133f690998687a3f65041994c005ecd901bab7ac5c3504f34a8f2ca04cadbf5",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"51176ed2-2d90-49f2-9f3d-17196428b169": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows System Information Discovery",
|
|
"sha256": "97b96679737e68fddbc04eaf2cdb22e954524acf822f15557c9d8e5de258496c",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Hidden Files and Directories via Hidden Flag",
|
|
"sha256": "77af208d8070c7123775d9c7708d351a1d4ae579a13d0190e489642b5810f639",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "b62558c73fd30587a1edeb6e1a36b61cf60b19070b994e570a3f4bd023f546cd",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"514121ce-c7b6-474a-8237-68ff71672379": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
|
|
"sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Sink Deletion",
|
|
"sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming DCOM Lateral Movement with MMC",
|
|
"sha256": "f944e30753df250f1d624c4c46ee0f5a60767d7d8ebc3d60af90ca77daab281d",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
|
|
"sha256": "c3228a5cb84c6e646834e1f6a578e0b7c642d97082d1faf6cb28e94b94553d66",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"52376a86-ee86-4967-97ae-1a05f55816f0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
|
|
"sha256": "6290c2857ed36cf95047595761ef26fcbd7d025b31e56eb92016113c70d70c5a",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "ed4bedce5bbc1788f21c4a7cf33af783dbfc0a12fcc6a88df03c97257eed9e7a",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"530178da-92ea-43ce-94c2-8877a826783d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious CronTab Creation or Modification",
|
|
"sha256": "378735996cb788f18b470bb893059276f28497684fbee14dc8952ad9914f76da",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
|
|
"sha256": "7602af82bdc7fc4962b73c42451d8500e779a3338601f49ea49ea9398fa49613",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EFS File System or Mount Deleted",
|
|
"sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Diagnostic Settings Deletion",
|
|
"sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "0b1c1a7d64bb481a68482e3f0954ce0e55df7b26264d3e358b230b5670c80094",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"53dedd83-1be7-430f-8026-363256395c8b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Binary Content Copy via Cmd.exe",
|
|
"sha256": "3ab2b049abaa1462ebed7b019dcd5da6957b5328c2ce7d2eb86b87e74a4ec28d",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "470d8e6c5c1dfd3564bd5f3b59d7853db9137942de25c38e4281b2d16df70ede",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"54a81f68-5f2a-421e-8eed-f888278bb712": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exchange Mailbox Export via PowerShell",
|
|
"sha256": "7abb75759648c733f8e4b39c60bd36ccf8b431e1fd27097e698724bc33d34e4b",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Logon Provider Registry Modification",
|
|
"sha256": "ad743cadda3e3dee154c726922e4f4e1ff0a7b26c8c350d7084d477e65e4a1ef",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Service Installed via an Unusual Client",
|
|
"sha256": "bb2c6c314a9f328d7f500d24c4a54ed4f6aca50ffe834082341a97d3659c9902",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "9dac69f62fd68c1763945debf1417db0fdb9384fc3200ddb80fad443bd7ed6fa",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "602c658a04190e27d27abced9d3265d8025a5a5173c8381cdaf432a69eef80ff",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"565c2b44-7a21-4818-955f-8d4737967d2e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Admin Group Account Addition",
|
|
"sha256": "5c52523f38fbd7d58ecbaae23c282b59df7964d107d8378355c7232d2c20abbd",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"565d6ca5-75ba-4c82-9b13-add25353471c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dumping of Keychain Content via Security Command",
|
|
"sha256": "b9bee3578c8c5581f2c86ddb1bcb84c7929ed4d44a302adae4ec5a7ff74ed6a0",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Logging Bucket Deletion",
|
|
"sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "443cf0180678565fae6aab3fde53464a3fc6f6161ae2be250b2f29d08e3b1071",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of an Unsigned Service",
|
|
"sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "57330331ceebc76d136b11b9a4aad37660028ce464cffd529f0023ad0a5399b2",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
|
|
"sha256": "dd1d2bea2a77074d95a5cb954bac84a5931dfa69391613cb54de8fd114d134cd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Virtual Network Device Modified or Deleted",
|
|
"sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell MiniDump Script",
|
|
"sha256": "c0d675ffa38a191db718cef276121a40567626d3b4c0fea4dd9edd038d2d216d",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Staged in Root Folder of Recycle Bin",
|
|
"sha256": "a7e0bdbc40a12b3b58f7280e709f99363b6d9362d4c0c91bcd926dddeeb4f466",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "2d5a85f9eb6c5a5b43149530f52a4cdbf41fb37009ec5f4ea1d572b4a127ba99",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "52fb0f6d5a15c031eb4ebdbb0bf86a16bd94e0aa3d3d4b9c9adb3a7019c79cc8",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Zoom Meeting with no Passcode",
|
|
"sha256": "98a47d996a6d80939cb7222d643873b69ba45d90457a2cc0724ea08c3a889bbd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
|
|
"sha256": "f0754341d4737d98a3c079a807fdf62a876b2b9e37eddce760a538f8e135a3fb",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
|
|
"sha256": "1bba6c4e3e7130c507b6c959c9bf912171eb7a1f1cdcb69a6cf8bfd62e4ebdae",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"5919988c-29e1-4908-83aa-1f087a838f63": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File or Directory Deletion Command",
|
|
"sha256": "f9ebc148c3faecff5518d839295aa1dbefa51d7ba038dc12a382d2c27dff3458",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5930658c-2107-4afc-91af-e0e55b7f7184": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Email Reported by User as Malware or Phish",
|
|
"sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"59756272-1998-4b8c-be14-e287035c4d10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux User Discovery Activity",
|
|
"sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "8438243430e0b6983e01c039dfab3f7c01111a8f9939c207ef853108907a977a",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Reverse Shell via Java",
|
|
"sha256": "64625792213f211d0d8a873101fb7b1569da37e5179bd5f201b2c1f3101de821",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
|
|
"sha256": "0f1d99638bad179a4fc6aa5eded3dd7c702cca3bb64d3391795079f2ec31258f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "b13fb00b87c825ce3f05d65295a6b1a47fec6d46d5fe22058d8b8b164a678d0b",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "2b30d95ee6d6e8bd0ff888cc6609d826560591c7ef3681b5ff74f49f7cc3c888",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SUID/SGUID Enumeration Detected",
|
|
"sha256": "1e8068d0ce5b93ac8598cc1cc3ce47385a0c99bb43ce15b27a514542fe4adb39",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5b18eef4-842c-4b47-970f-f08d24004bde": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious which Enumeration",
|
|
"sha256": "918d3ee72f0aba9e0a382045c846e04f7dc5e1f942954c077aa639794e809917",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Masquerading as Browser Process",
|
|
"sha256": "2869df554ce679e32f42029716b74524aa21ea7af2872e5a42c55de5ceb7835c",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "6a00941904d85936d537193bcc28a4a4550b2df62bebd6ec46deb6e7479b87da",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "FirstTime Seen Account Performing DCSync",
|
|
"sha256": "3a1daa97831ddf8f5bfcf84698ec8b3deff467d7f1b8770467a760ef355c1a5b",
|
|
"type": "new_terms",
|
|
"version": 6
|
|
},
|
|
"5c895b4f-9133-4e68-9e23-59902175355c": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Potential Meterpreter Reverse Shell",
|
|
"sha256": "5941e6650b12bc02b03d289fa389b9f2347c53636e6368753bd5917b5a776cd5",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"5c983105-4681-46c3-9890-0c66d05e776b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Process Discovery Activity",
|
|
"sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Defense Evasion via PRoot",
|
|
"sha256": "361a074bbb3fe56ec08c1430d5b5afc021f8502cb133c1066dd514bdacb37f06",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
|
|
"sha256": "e4796e4f5ba9178180960e592aae8dc79ef969e7b951f2c2fd73dae57d29406f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added to Privileged Group",
|
|
"sha256": "3d850464bad4437221f6f350a9c2e8a26592a38e76229d1756195368d05aab2c",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via PowerShell profile",
|
|
"sha256": "5ce8477d708b49d1d38136f4638bc5596e3190949b3e561ff84d56566ca96f61",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Login or Logout Hook",
|
|
"sha256": "336c261b171bb4cfc280ac1c4170fc07388cd5b96c4674694bdc7108ccaf7b18",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Scheduled Task",
|
|
"sha256": "865a5c61d5bdf21e24120d3b8eb35f82a23286c618fc795dce353491987d04fa",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Automator Workflows Execution",
|
|
"sha256": "7c02503c215c5f50cc47a690a3caf0da786994efdfcfd87afa318aacea1154b2",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"5e161522-2545-11ed-ac47-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "ddbea6e8e6fead49ee6b7eb17b83de0996fdabfef882164c7f04a134f1438293",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"5e552599-ddec-4e14-bad1-28aa42404388": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
|
|
"sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"5e87f165-45c2-4b80-bfa5-52822552c997": {
|
|
"rule_name": "Potential PrintNightmare File Modification",
|
|
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"60884af6-f553-4a6c-af13-300047455491": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Command Execution on Virtual Machine",
|
|
"sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Service Principal Addition",
|
|
"sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
|
|
"sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "fd5996be6b2f46fc713908920b4d06537ad841086cb3b09c6c3e163cab734e9a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"61ac3638-40a3-44b2-855a-985636ca985e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "a5b4ed432583abe86a630527b3026ee3a58f9813bb11868c628754ff414a3c7f",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdminSDHolder SDProp Exclusion Added",
|
|
"sha256": "71e064cd3cf1b8dec498d3e054d70ef2121113be1ed24c7e7df6af3b4324f27e",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
|
|
"sha256": "c34b60cbe2278701b99e658f035d05af7f68558251b332622334022f982c367c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account Configured with Never-Expiring Password",
|
|
"sha256": "4878a18822a0f4ab3c6536a39b0055899b9fa296cc1629aa3d8a99d767235d30",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
|
|
"sha256": "77726aab9988d9e9be93a479e9eddf63e8d156e072e00526fc0df153555e4d58",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"63c05204-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
|
|
"sha256": "50e22b963b23fb875f4790d08f86ff42ef3c0647bb9ea73d6230249f92d02ec3",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"63c056a0-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Denied Service Account Request",
|
|
"sha256": "0d948643de064e41761d52de2aea9c64ef42324b59c2d35ab8ccd34d42d83d7c",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"63c057cc-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Anonymous Request Authorized",
|
|
"sha256": "7d2f16e497a23db9bcca2a28f3bc86267549a56ba9b988342b1973abd885d7e7",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "f383ad8f33cab31ab158968663de5ed3d540de9a4d8d0fa4a578e19a35ed061c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Safari Settings via Defaults Command",
|
|
"sha256": "9f94576d0bdd988636ba37fb9ff9911924d47880457e60f8a281664394a503bd",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Recently Compiled Executable",
|
|
"sha256": "60780f0b220f4de4cccb01815d9585964f3d68bd515b23972bc9b881a36a70ea",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
|
|
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
|
|
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"65f9bccd-510b-40df-8263-334f03174fed": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "c6cf6184bd1e4f3add0ac786022ed97b13163f8ef7278c905b94bcea8447509f",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "a392535f193c9bb4f607ca018da754d0d2fe756881ddd68726caccca6568ce2a",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Mount SMB Share via Command Line",
|
|
"sha256": "40c37dec53eaaed25df091561d4f9e4a2c8417d1dc82cf070db4fe72793510d1",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6641a5af-fb7e-487a-adc4-9e6503365318": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Suspicious Termination of ESXI Process",
|
|
"sha256": "0711743a3e6d25d5ac8089b3f5e996420a92bc7890f358cb4e23c6d88ba9a615",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WebServer Access Logs Deleted",
|
|
"sha256": "b3eaab822d17ebdb4ba051295077d3b54352fe5c633183047aaa1169ff1732d5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
|
|
"sha256": "5011350beae3fbee34961ee280dce76139c391e32caf77391b710c0998735d95",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Commonly Abused Web Services",
|
|
"sha256": "5c79e5fd80163228473cfe5b3b9f61d769a063b5c1372c30928ab2ac59cf0525",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"66c058f3-99f4-4d18-952b-43348f2577a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux Secret Dumping via GDB",
|
|
"sha256": "69b91af7c13fbc10668c950da9d070e9350d6f40ae5115d828703884de988e06",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious macOS MS Office Child Process",
|
|
"sha256": "f1cea9ea6da3199934e1644e4efa06da30f02a8e11d48724001e6152a64ad6ce",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of the msPKIAccountCredentials",
|
|
"sha256": "9546181bdfa5b6f04cab84f0ff7afdbbb59ef9ddeaf7ec7bd070a1808324473d",
|
|
"type": "query",
|
|
"version": 6
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Policy",
|
|
"sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "O365 Mailbox Audit Logging Bypass",
|
|
"sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Process Terminations",
|
|
"sha256": "9654e394fb859d2bbad76596b99237d6f8d15e70526ea0e27711c4c3a680ae77",
|
|
"type": "threshold",
|
|
"version": 108
|
|
},
|
|
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
|
|
"rule_name": "Query Registry via reg.exe",
|
|
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"6839c821-011d-43bd-bd5b-acff00257226": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "97b4abe585f163bcdacc300075bf109cb501bbb7d1de90a2cdbbbdfbbd9aef97",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "New or Modified Federation Domain",
|
|
"sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
|
|
"sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "e56e2b209388ed0f70bed3114edcf6d49e83959d733faa801e3d40209152e327",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "a8a7d4e956c4cd2733f3d5e26871a367b937a0944420b3eaaca82370b8246a55",
|
|
"type": "query",
|
|
"version": 105
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Scheduled Task Created by a Windows Script",
|
|
"sha256": "46775980c978cd2264682497c62b9788b6645243da6b72ddaea5bbff0388df3e",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
|
|
"sha256": "53f09e4c88d11c0ee66a186321981f9eb31165d73f02b874ca0edbed0844c6da",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
|
|
"sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
|
|
"min_stack_version": "8.5",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "f2d4dda1642f078dcb77b698976c25ba557553c259a493e3a18224bfbbf36a96",
|
|
"type": "threat_match",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
|
|
"type": "threat_match",
|
|
"version": 204
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "8d25051f7633a37c4b90403be6fcde6352db2dc292a62a2098620fafb843e26c",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "f3cb8da67a3f69a296b53078b37707f55d6852f4c55b7bc074af6e3ab2a01d20",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"6aace640-e631-4870-ba8e-5fdda09325db": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "a9f9aa8f746871dce91e94cba6697e908e9901be0135860b93572a5904b48b04",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Utility Launched via ProxyChains",
|
|
"sha256": "7541e1a6c4200e3961759f0cdadba8eaf793f6e3e9e28dbb34af84aeac5f6fce",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sensitive Files Compression",
|
|
"sha256": "24dee3257162b876da6487b55368acb5b38040fd13ce5d0bc7511b0644e2ae48",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Computer Account DnsHostName Update",
|
|
"sha256": "4a3308713c74898d9a52d894105c3a41556786008f169b725436c4dbc018ee99",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Container Management Utility Run Inside A Container",
|
|
"sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "dfc2fbc0fab4f84b16f206bb71d59399a3450f5cec21c03daa1fd20d529ccdc9",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78",
|
|
"type": "machine_learning",
|
|
"version": 107
|
|
},
|
|
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
|
|
"sha256": "ef918ece14946f78978846c902ca1e8891e295cc7065c895ba6e7e5b0d9f59b9",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd",
|
|
"type": "machine_learning",
|
|
"version": 105
|
|
},
|
|
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdminSDHolder Backdoor",
|
|
"sha256": "c6d5f04ccbfb426d106eb3b03f1f20727722e4632689aec4bc9fc11edb28bc83",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
|
|
"sha256": "5049be04a29a5554df2ccf242d0b225a72316ad6e31acf19295f898d1ed96774",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Windows Error Manager Masquerading",
|
|
"sha256": "b93d5773dd0b96dd6d8e331197414f59005cceea42ac2b114e9ace428ca9f578",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Security Software Discovery using WMIC",
|
|
"sha256": "a1ae41d886802078065a49f39d3cccfc069db47d2052a9950cf0421e0187f9c5",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
|
|
"sha256": "9b7a1e7596fff4b6d70a4064cf79f606a74f214ef8aeb4234c08842d2c1b910f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "8917dd169608ea491ef3f4c15d53b08aa6747b200e3b62a4bc22da3afb71fc9a",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the find command",
|
|
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Config Resource Deletion",
|
|
"sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via WMI Standard Registry Provider",
|
|
"sha256": "df0ebfd519ecbb1f865b556e10ebd19af3fedf23da2afa856e1eed3b78f786eb",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
|
|
"sha256": "ae6e77c0abc663eb2873c37d6321d6ae8da6355d89e5ebb728b742b16d2d14fb",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"7164081a-3930-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
|
|
"sha256": "bf6e413b1a7554ae0a50a51c3ffd97289d9c856bfa37a5bbd049676b408e9b78",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
|
|
"sha256": "565a3a934715161cb1c0bd792b9694d865ccf9df21072f0e5bd381c947ec3b65",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"71bccb61-e19b-452f-b104-79a60e546a95": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "9f0f49705389e6d3d70937bb6c9f6947b3a18dfcae7e1cc504c66380348e68ad",
|
|
"type": "eql",
|
|
"version": 111
|
|
},
|
|
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious RDP ActiveX Client Loaded",
|
|
"sha256": "44d4d66dea85165137a0d3f86d314a56a2d3de07baedee209e53118864691402",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Potential ransomware activity",
|
|
"sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
|
|
"sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"72d33577-f155-457d-aad3-379f9b750c97": {
|
|
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
|
|
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "6936c736181dd010bee7cff6349ca6fd1495ff2e37f3c814d03edcec4f025dcd",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Environment Variable via Launchctl",
|
|
"sha256": "face2669be6ce58d7dc8b07bc4b200577cdf0bd21facb3d5266facb5df28a6dc",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"745b0119-0560-43ba-860a-7235dd8cee8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Hour for a User to Logon",
|
|
"sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Sysctl File Event",
|
|
"sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Disabled via Registry Modification",
|
|
"sha256": "372c468ec6a0ebd2259d3b111dd8e4431353594ad85c0e66a0b97284f21d84f1",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"76152ca1-71d0-4003-9e37-0983e12832da": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
|
|
"sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"764c8437-a581-4537-8060-1fdb0e92c92d": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "88a76082a0b05f8b848047174d1517f7746506e91ed2bb2d203255a52f38a8e2",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "eb3c017dfadc69b9ca322bd0fa4ac6795b89d7c3ac31f0050aa79171995b9df2",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access to a Sensitive LDAP Attribute",
|
|
"sha256": "d9c6faf2209cb103e1548a470602851ee01bf04f32853d0ed66169fff27e6847",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Shared Object File",
|
|
"sha256": "1d6f35d59421b7701973891ca9762db50f5dd087b3feb9e9e384ee927cdf1d36",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
|
|
"sha256": "d839f2d7fbce2eec0bc89c413ad6e482595c60d724f25203e08424a6fd768cd2",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
|
|
"sha256": "22a26a54eac8e02ec72df44fdc261481315acec5885269f591cb5fd1c46d1825",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "9f85a8053c83ad71c8540a2261dbbc4708549c0de62c0edd99395ef16629cc9f",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "3efbbd83a3795ef381af8172fedb8209e077505df6097622483b3275060f8be7",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "User Added as Owner for Azure Application",
|
|
"sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
|
|
"sha256": "80710ac325d0c53b1d15965386e8fbb32e1c4aace237b63664d9f4db8f7f815d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"781f8746-2180-4691-890c-4c96d11ca91d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Network Sweep Detected",
|
|
"sha256": "dac06daad2d64130cbe33805c45aa9bdba206772051f496081644a309db32cd2",
|
|
"type": "threshold",
|
|
"version": 2
|
|
},
|
|
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "7fa64b656ada94baa0a8d76c00231f99bfd63f0925722bdfeb6528ff90cdef76",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Privilege Identity Management Role Modified",
|
|
"sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
},
|
|
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Unsigned DLL Loaded by Svchost",
|
|
"sha256": "7b5df51876d17dc0c0978937514b88e32fbb68a471fdbfb5063af60dff04d178",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Key Vault Modified",
|
|
"sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Masquerading as System32 Executable",
|
|
"sha256": "3b177629deb6dd64f254d75b8a4f6b71879b7ff33a70d98c184560b82d67277a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Exfiltration via Certreq",
|
|
"sha256": "4ef6fb0e47ac848843d2ae9b37eacc7369390ef5ff45ecf6b0a374512ad4b979",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shadow Credentials added to AD Object",
|
|
"sha256": "4ac2004e028233a74da95a3da67e70091128c58db82ac8df61b7cdbc9b564671",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
|
|
"sha256": "1dd7950a241f5882d741236f88f61e5ed12437aa16756ce984ee04379e2dcdf9",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"7b08314d-47a0-4b71-ae4e-16544176924f": {
|
|
"rule_name": "File and Directory Discovery",
|
|
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS ElastiCache Security Group Created",
|
|
"sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Network Enumeration",
|
|
"sha256": "ef35c00c8f160878d607315e984c5aecf6fdca5f36d9db988c29e88f76d00270",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
|
|
"min_stack_version": "8.8",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6",
|
|
"type": "eql",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "29e6369ddb5da23c00355cf063d8da8f8dc008a9cd28b2d2f6324d8b9618c53a",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Tampering of Bash Command-Line History",
|
|
"sha256": "87fe7e562ce227a8493a541cc86e41d99ea61aaf827cce77b997f82c7a94c935",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "b7f72377e6e5c62220a4932b83c0343a304f9e32c6f8df1a2320f97dc666d857",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"7ceb2216-47dd-4e64-9433-cddc99727623": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Creation",
|
|
"sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "0d2e9303095644cff713d6cc47bcea144b0fb7d1c8c7026f50ac5fe60e57228b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
|
|
"sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "New Systemd Timer Created",
|
|
"sha256": "27bee4413c109d7597639a0a60acd77d395ddd1b5f6f4fb09c88c026a699a4fa",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"80084fa9-8677-4453-8680-b891d3c0c778": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Kernel Modules via Proc",
|
|
"sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process Extension",
|
|
"sha256": "15e1dd225bae684eac522b61872faae250a8aac0c4cb71b4e6d68986665587ed",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Injection - Detected - Elastic Endgame",
|
|
"sha256": "0dbd2d102b454f0abdb7f1d0be19cbee64db8c5429aee66b1cc09dc125766d6b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "9c2f8341e807bf0b4ffeb0c40e797f72dbdd69d65b6db7a2a6c7f8ee10708d7a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "663ce5702cc916692b79094fb7c51dcad29f2f3687f8085ce74b1f699219eb1e",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Temporarily Scheduled Task Creation",
|
|
"sha256": "82f8ec9cc22e111eb627de7426fd99dd540938ed1e0d05473496ea18b54c3cea",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Apple Scripting Execution with Administrator Privileges",
|
|
"sha256": "761723a38f1f9d88a679524aa3ccd687c0cfc74e3b66a8bd2e62807a050d44ea",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"835c0622-114e-40b5-a346-f843ea5d01f1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Local Account Brute Force Detected",
|
|
"sha256": "fe6cc04fb2e612cab72a6d221db5f03f75c1706355d5c212987ec5de3a2bd3a6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Pods Deleted",
|
|
"sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
|
|
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "7bd7ca6309b09a6218ebe05322f1477ad28327ac05cab27ae9eb18267b43563c",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Transport Agent Install Script",
|
|
"sha256": "515f6e82dbcb3fd847170c6268af85216b517109cd597240c70908e1e6d0affb",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
|
|
"sha256": "5a3c03a8465e2bd10bcaa699af57945cf361af5ca71be2662c20a6746a5b4960",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Credential Access via Registry",
|
|
"sha256": "7e3d4366d0e82917ab82b493fb7f89d6c89013e0e9483692037c1e3264ebefff",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious PowerShell Engine ImageLoad",
|
|
"sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"863cdf31-7fd3-41cf-a185-681237ea277b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Security Group Deletion",
|
|
"sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"870aecc0-cea4-4110-af3f-e02e9b373655": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Security Software Discovery via Grep",
|
|
"sha256": "d5d6fbfe8a86e827bb1f10589d9e8427ba7b59bea1a9707d4359dce6fee0929f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"871ea072-1b71-4def-b016-6278b505138d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enumeration of Administrator Accounts",
|
|
"sha256": "70ad3fa6e2da2dbfbb0211d6835e6657b3c156417e77b4b8bc33b86c2b69167d",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
|
|
"sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Potential Suspicious Clipboard Activity Detected",
|
|
"sha256": "a845a994f21837d7225484856beb19514cb92efaadf804f6caf1748812efd2e6",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"88671231-6626-4e1b-abb7-6e361a171fbb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
|
|
"sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"88817a33-60d3-411f-ba79-7c905d865b2a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sublime Plugin or Application Script Modification",
|
|
"sha256": "de3dc029c5f1bbfc9c187b002dd15ae68bcf1310360b2f17694e84ce55051314",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Sudo Hijacking Detected",
|
|
"sha256": "a4206f33521819d8d7d53c211f4469b0f4d29f90aa303e728ed6c22f0acd0ec3",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WMI Image Load from MS Office",
|
|
"sha256": "81f56a2b806be5fd445f656c540705be59af15be47b97fc7289e0b70ab357fca",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the vi command",
|
|
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Traffic from Unusual Process",
|
|
"sha256": "90b8b19f30fb314195c63df104ccdd6013d5b93cb7f2d2672bc0e0fdce6e53fc",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "a7b53613b02ded1945e51652cf8c0a4b2548ec599948a7ac9a5a75287f819c3c",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via DirectoryService Plugin Modification",
|
|
"sha256": "456c1af4f588c9d3fc039ba183fe378b0d32a8920c785254b0550fdd4329374b",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Symbolic Link Created",
|
|
"sha256": "ffb3cada9e61abf88edfa4d4994b68df4a1c86040ef6344d2d5d2f2fb67e0bb2",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Setuid / Setgid Bit Set via chmod",
|
|
"sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution from a Mounted Device",
|
|
"sha256": "a577ac9fcb46e067f2d9a3dfa1c37db43cf2b744e0701387877da0d9321a209f",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Network Zone",
|
|
"sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious JAVA Child Process",
|
|
"sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
|
|
"sha256": "577175231e8722658399f535dfe19fa278f3082f7848da4f3c65e77ee2a4118c",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "cf5d70e346d64085f11501ee4ee6aae18cc9a72891310160318db69144acd12f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "b5ba453579b913af45987a4158da3836e9f6d5c089b322ed9b4feb5d3def09a6",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Kubernetes Events Deleted",
|
|
"sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "02d2aa1ce970af5dbef685da0cfc51fc7c9d7c82932b13d1b19d8f212a1ba2de",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "ab6f219326b46640112b041c6a7ccdf841ac3d4aa2e364b34b83a7869e301b70",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SharpRDP Behavior",
|
|
"sha256": "b6a8ffcc1a8ee2a11059084442b0318bebe5bc120cfafa14f65b4e1d7b321062",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Ransomware - Detected - Elastic Endgame",
|
|
"sha256": "c9bb739724755a7a6e1cbec08548874af36827e590163f7d6e0ff83b215c2fad",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Successful SSH Brute Force Attack",
|
|
"sha256": "930f4fe60fcf470067a75a7d6d9b93d3c80d639fcc0cf248c30c9f41cb98f70d",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"8d3d0794-c776-476b-8674-ee2e685f6470": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
|
|
"sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via PKEXEC",
|
|
"sha256": "9037dac927b76a260a11026c3e893f9f85b2d876004b652c74c012bb7fd93f5f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Runbook Deleted",
|
|
"sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
|
|
"sha256": "dd3d04e43bbd83b16a0414f323260473ea086aa839efad492a35c4a2cd203829",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Bitsadmin Activity",
|
|
"sha256": "c07d18b1bad6186dd2af856dbf2362d78f773b50369e7044b1e1329cc0f23cce",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
|
|
"sha256": "818146f18a2aefd065739007ec4aecb61ec4257169528b7a6605b7ff0cc0758c",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
|
|
"sha256": "9c3c0848659cf6ee23a2450fed6a0492e2de6ef5758060587ab61c498f7a2a26",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Deletion",
|
|
"sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
|
|
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
|
|
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "63e23dabfb3a8535a41b473614245b4df52a35760e0485a6e9f51e55d61615f5",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Deletion of RDS Instance or Cluster",
|
|
"sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Keychain Password Retrieval via Command Line",
|
|
"sha256": "41382d29e3c6849b93e948bd226cdb0679034847a9d11893198c735da08564ea",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"90babaa8-5216-4568-992d-d4a01a105d98": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "InstallUtil Activity",
|
|
"sha256": "c1312553a07dda6fa6995c57f31922c18dbb00fe5becd831c6d1bb4246bad8c0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
|
|
"rule_name": "Auditd Login Attempt at Forbidden Time",
|
|
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Virtual Private Cloud Route Creation",
|
|
"sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"91d04cd4-47a9-4334-ab14-084abe274d49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"92984446-aefb-4d5e-ad12-598042ca80ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
|
|
"sha256": "50456decf4f398de8c09653fee24f7eb07663c151fc638cfd1cf7c9584cb733b",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "A scheduled task was created",
|
|
"sha256": "d06b732a19959ac408573130e7312505731217a17ec0035068bf7769ab026484",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"93075852-b0f5-4b8b-89c3-a226efae5726": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
|
|
"sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS VPC Flow Logs Deletion",
|
|
"sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious SolarWinds Child Process",
|
|
"sha256": "7ee6e483fa2c41549ec9d26ae3a319f27efcef92d7ebfc4c9e232c80f50c28d0",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Encoded Executable Stored in the Registry",
|
|
"sha256": "3ab5284a9f2ffdcbb1cc8acb795f4da54e219abbd241a58dd7a0797097d55f66",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "723578f77b081beb3b8a8da703208e1279aa15eba410de837d67b390c4334bbe",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of Standard Authentication Module or Configuration",
|
|
"sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Kernel Module",
|
|
"sha256": "bc11b02e437e764264346f0fbf206b73fc696e806b497b4465f6df6841315099",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
|
|
"sha256": "547b20764fecd9340dbe641b6df4e4839c47770cd894673ee65364b20061959a",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"9510add4-3392-11ed-bd01-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
|
|
"sha256": "0c7bcbc73caec8df64f6e5d9c2430357baaef7371ef1f47b25b5f5bd7f6edf7f",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
|
|
"sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Scheduled Task Creation",
|
|
"sha256": "1df41e4a31085a0992f0810059addf6a2ad7525c1b132d8c8e5396bff9167837",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"959a7353-1129-4aa7-9084-30746b256a70": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
|
|
"sha256": "5290a21ce82c80c1c37b7d9e1f8cdddb44b22b0de1bb721928355e6338583e5f",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
|
|
"sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File made Immutable by Chattr",
|
|
"sha256": "8de6fbce3edd5e6599051a15eae6429056bb4fae367b3cd3572ece577dc22e1b",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"96d11d31-9a79-480f-8401-da28b194608f": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
|
|
"sha256": "ac2aae146b439c128acf93b6d08c60c1297ef5ce278baed0d2463fed3d109553",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access to Keychain Credentials Directories",
|
|
"sha256": "3a52620ed72c8ba4b60a75bb884dab068504e8759c80fb2a40d44961074ab786",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"97020e61-e591-4191-8a3b-2861a2b887cd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
|
|
"sha256": "0cd5c0bc7910d590183a34269f1482a68cc7c267f915cdd7cdb8c11894ee3d6d",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"97314185-2568-4561-ae81-f3e480e5e695": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
|
|
"sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Storage Bucket Configuration Modification",
|
|
"sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"979729e7-0c52-4c4c-b71e-88103304a79f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS SAML Activity",
|
|
"sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
|
|
"sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "b15108fed1be29ce5b03c10684a269ab6930c9843c4bae00bf62059a1151250f",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
|
|
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Suspicious Renaming of ESXI Files",
|
|
"sha256": "23394ff5cf8c8530a51e90c2408d609e7000dfbc5dff8724cb29cb88e63a6d09",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"97fc44d3-8dae-4019-ae83-298c3015600f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Startup or Run Key Registry Modification",
|
|
"sha256": "e35230136b3e8717e95ef5022b13c355c44d14666a14d564449b2982dfc27e9d",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
|
|
"sha256": "a1197c00ba4334f0b61b5d4d3d8a5295997d4ea0558e29bae8140f3a5043e319",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
|
|
"sha256": "c01ebbcea37de715c7c123e6eac64a6049906339a0d60bf1f146d677061bbea5",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"9890ee61-d061-403d-9bf6-64934c51f638": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP IAM Service Account Key Deletion",
|
|
"sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
|
|
"sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Snapshot Activity",
|
|
"sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Injection - Prevented - Elastic Endgame",
|
|
"sha256": "6306143790d8722aa16246c98c608a9cd232df0e1686f9a92e6cd306e8ee7676",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "MacOS Installer Package Spawns Network Event",
|
|
"sha256": "40258127ac6373780bfd25be362342b142324a166319243b55a747b477db70b0",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"9960432d-9b26-409f-972b-839a959e79e2": {
|
|
"min_stack_version": "8.8",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Potential Credential Access via LSASS Memory Dump",
|
|
"sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd",
|
|
"type": "eql",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via LSASS Memory Dump",
|
|
"sha256": "2afc41e645fc2f007dfe22ec27e0c211672070aacd5d5a0a8281a8e68a24639f",
|
|
"type": "eql",
|
|
"version": 206
|
|
},
|
|
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Failed Logon Events",
|
|
"sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Endpoint Security",
|
|
"sha256": "8c02160e083a13d6519e4b952e3d3890879d81fb7b014cd29461f8c5e1e5dee4",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 104,
|
|
"rule_name": "Potential Shadow File Read via Command Line Utilities",
|
|
"sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Shadow File Read via Command Line Utilities",
|
|
"sha256": "3d1c09ba378537737bdaa3bc2bbd9e9934d0e9cb7d50f63d33192377614d85f2",
|
|
"type": "new_terms",
|
|
"version": 106
|
|
},
|
|
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Explorer Child Process",
|
|
"sha256": "e8cc9a60bbe510d51bd3ad134669feb9e5cb0fa08160bf27530801138c60e882",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Scheduled Tasks AT Command Enabled",
|
|
"sha256": "b2540b2ad922ec95cfd386da0ca9a614f308ef3262066028d23296d5db87509f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via WMI Event Subscription",
|
|
"sha256": "9a25dad4f89fd07ae509d365c90397c70feb22604338c0b57ed2c43b1498c278",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "acfc1d0db0cb1de8a27ec3ec15a3eea599e9644d56ab8bdd06c8678cf1bcee3f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Logon followed by Scheduled Task Creation",
|
|
"sha256": "4e0993f31425ff82fe3e63aadcaf70f37978105fffef6e3988effbe42e8e2e2f",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Command Shell Activity Started via RunDLL32",
|
|
"sha256": "33745d6764626a4ad4ef565c71d285cde7a74a318e9622b428483457e45f612a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"sha256": "4ca64be8b81634872abafdfb31ec9ad8ac4825ceb19369bc47a5f59f0cd15968",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "69d5523e4e8bd2c582f84b522bfeae185f56d87fb6f698ba3afd72a1722cfc9b",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "b2885bccbc5942ef0b109aafd8cc5f741f11e702109bfce0e316e37c66a45f02",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via Trusted Developer Utility",
|
|
"sha256": "0cc7ec48190d68c5dc8c36a1df944b214f34c599d8425caea77fbf4875d98ff1",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "776c171ad88eb90cf08b8fe5b55c1f9f0303df9c61b6c977aa899c710d7f8348",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"9d19ece6-c20e-481a-90c5-ccca596537de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
|
|
"sha256": "362420c35e0dec946d828d9efe8a1dd0e2313dec67f9a9b0f2c27f8361fffe58",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Process Calling the Metadata Service",
|
|
"sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Protocol Tunneling via EarthWorm",
|
|
"sha256": "18494ff65fcc575a4fe46296da4e82fca3ba729b57b21a1c55c64d81a92924ed",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via DCSync",
|
|
"sha256": "183d1fd02dc0fd574742ae54310b3f93b10da3165738e77fcdf8b460f5f7cdac",
|
|
"type": "eql",
|
|
"version": 109
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "479f3fc53ac311718ff6affc4889eeca57ac3a34bf6f10026bf60b6b8e915eb8",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"a00681e3-9ed6-447c-ab2c-be648821c622": {
|
|
"min_stack_version": "8.6",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 204,
|
|
"rule_name": "AWS Access Secret in Secrets Manager",
|
|
"sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe",
|
|
"type": "query",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
|
|
"sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263",
|
|
"type": "new_terms",
|
|
"version": 206
|
|
},
|
|
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "A scheduled task was updated",
|
|
"sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Topic Creation",
|
|
"sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"a13167f1-eec2-4015-9631-1fee60406dcf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "InstallUtil Process Making Network Connections",
|
|
"sha256": "5b2271e8146d2aa236084a96b10d1b5a449f721404a7262dc44bde744bac37ec",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "9bb73e05248278c13545b111daf70f5b5b00005f472f1ad9a8ad6dc03a7e4bb8",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
|
|
"sha256": "2a6a370e108c2703a6ecd9df127d8c0f1b6d7306fa6cc25b5c364095b1395a63",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Subsystem for Linux Distribution Installed",
|
|
"sha256": "6c6d99f8d895a01d02dd4c824f549d027faf0fcd9e4164f5f15841495f797400",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Virtual Private Cloud Route Deletion",
|
|
"sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
|
|
"min_stack_version": "8.7",
|
|
"rule_name": "My First Rule",
|
|
"sha256": "43d6a8a026423a6d83ae7d5ef0bed2a9cdf07d16f2c3c2f778c6634a42c06617",
|
|
"type": "threshold",
|
|
"version": 2
|
|
},
|
|
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Reverse Shell Activity via Terminal",
|
|
"sha256": "189260746002bccbe31e9ddb6ba7e60d701a6e651c5d2c19efe56cd242c954af",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux Group Creation",
|
|
"sha256": "ddc90b07b8915afee1601844439c2165c76171d61574db74efb13bca0d2783d8",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "DNS-over-HTTPS Enabled via Registry",
|
|
"sha256": "7e9cfb7b511344e897eac5189a53654f476437241ee0c37b7600d2e033787ca7",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
|
|
"sha256": "337d1765f1495c27d1a5daf28740c34409d3a57bbf7be559211000d47dd66469",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
|
|
"sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Mailbox Collection Script",
|
|
"sha256": "c26cd675ef7730a95a52e92c7f5bc7144cda7fb9f14144470c96dfe93b036da2",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via local SxS Shared Module",
|
|
"sha256": "45df842bf3fc84a101466bbe60825f7c421c1bb2a632e810a097e320eb227154",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Registry File Creation in SMB Share",
|
|
"sha256": "47565477aafa65e36a393078e2728881f6776c4ab363e183c347d8b0e72f349f",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"a52a9439-d52c-401c-be37-2785235c6547": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "Netcat Listener Established Inside A Container",
|
|
"sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Potential Reverse Shell via UDP",
|
|
"sha256": "2bb373420b8f04de56b4e10442d426787ff255a9ed14d92c64f05a0c3334871f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
|
|
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Active Directory PowerShell Sign-in",
|
|
"sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Threat Intel Windows Registry Indicator Match",
|
|
"sha256": "4c02e860e8200660cdd059bfaa155532f5b584f3325ac7ffbdafbebcefe5a234",
|
|
"type": "threat_match",
|
|
"version": 3
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "e666ba885bd91e597b94e0359330e1a02c9c59b43b48de599aeb78a26c32aaa9",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Emond Rules Creation or Modification",
|
|
"sha256": "eaba66ce5e3e1670940bb55f81b29ea66ffea88a4e63f1c2485ba55bbb0b0487",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Print Spooler SPL File Created",
|
|
"sha256": "d2ecc2ccb29c2a4acf6790274133e976ad48787ab37bfdd12667ae6b58bfbc45",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Acquisition via Registry Hive Dumping",
|
|
"sha256": "913d17dd423ad4f09f41eb01380f802d3c2c209812a27e963fd5198d566bdb8d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Malicious File Downloaded from Google Drive",
|
|
"sha256": "9e184df192757ad8e29a2cae60356352e84d9601bba380c446bbc4b64deb76c0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
|
|
"sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "6b7426c4610c0d99417b08152597279e42d5e7fb9b2a510913b106dddafe7abb",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Hidden Run Key Detected",
|
|
"sha256": "a73b1eb6b898a6e001202a04fdd4d7fb4c5b701bd88b68a6840f1260506c2e68",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "c71a73ed18eadca2c2c082ca0d511745ce0960e56167e3ed59116b93c8b2720c",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"aa8007f0-d1df-49ef-8520-407857594827": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP IAM Custom Role Creation",
|
|
"sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"aa895aea-b69c-4411-b110-8d7599634b30": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Log File Deletion",
|
|
"sha256": "6fee4b495f1438946191a9f0a5d18e790c19b3546166fa5dc0126a090844c515",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remotely Started Services via RPC",
|
|
"sha256": "57036ece2d16588ff5db14cfef90686fb253e824740a435cd77099efb522ead8",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"aab184d3-72b3-4639-b242-6597c99d8bca": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Threat Intel Hash Indicator Match",
|
|
"sha256": "1532d5577abdf44288ebeb628cd80e676e02e99367876b31e9c46200d37d5e81",
|
|
"type": "threat_match",
|
|
"version": 4
|
|
},
|
|
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Execution via File Shares",
|
|
"sha256": "9a5ead5bb94a1738ef4a8c11bf9f462123e5bd0feb2519f360526765f6f33939",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
|
"sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Login Hook",
|
|
"sha256": "742e178d21a4f38dbde0ceff9f3c75a33a79e70080f971e3fc63e644283c1f24",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "afa61dc2050d9a7e20f967d9211dda8036fdb4e3a725c969403a31ceb567ba33",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
},
|
|
"ac8805f6-1e08-406c-962e-3937057fa86f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Protocol Tunneling via Chisel Server",
|
|
"sha256": "85b49fc5764428ee7a05cbde9d031b14b82f8f03824c859dd58ec45f25c8a091",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
|
|
"sha256": "97beb0996e664075d6702369fd69d1ecd9b94f7d1bcbb93b2d51e49ebbe397b9",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
|
"sha256": "9977bfb82687f6ee557f2f9474b1cac3eb4b8c16af795908ef9b4a20ab600653",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
|
"sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Command and Control via Internet Explorer",
|
|
"sha256": "abc48431a5b42f5096e7d24ebd4ce9ce57b8f5f4f0edfbfb43583d71546b3e44",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential macOS SSH Brute Force Detected",
|
|
"sha256": "6d6c36df74a3227db9ddfe242e6d7e4598aa4536c80338756b9774499deb5d46",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "bedefb3843c8bab1185b36e6c8ced6d50cf2e073be5c0270dbbb3b1b27cb89f9",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "b154a1563dfafd9602e3c33dda6d0d75a294b8547da34bea70512edfeae98e01",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "e28b9f491eae0c8a606f9d315389ac4a117e5d30674f8e4f4e1d3be16bc8d9c4",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
|
"sha256": "908f3060b0c4846a176cfe5ad9f2187c6bf23b09a3fe9833680c524f1b6ff701",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Cached Credentials Dumping",
|
|
"sha256": "1784ba8b2bf2310de8bfc0fb1eb058a96c9ef25ba4a1e78a8e271a61f856f675",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File Transfer or Listener Established via Netcat",
|
|
"sha256": "bb502a72d7b3be033796d389420de72438dbe7d44096a7b8203caa4e7676c5aa",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Communication App Child Process",
|
|
"sha256": "d195fb652753fee06135cdc5beb9fb65b68e7895f9d0fc199416d9269c88cfd6",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
|
|
"sha256": "a332e02143efbab6ecaf181c31cf786213bf5fa96f20b0248162df6cd92552ab",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
|
|
"sha256": "26c12224f8502e7fc4d3293edee86f433e5a9232a94ff1ed704587a9c019e640",
|
|
"type": "new_terms",
|
|
"version": 3
|
|
},
|
|
"afa135c0-a365-43ab-aa35-fd86df314a47": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual User Privilege Enumeration via id",
|
|
"sha256": "e5a5fa72494c859d18b55169da07fe4402091b7b621b55c497592cfe489f3912",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Local Scheduled Task Creation",
|
|
"sha256": "4affb2391184f7f15ecce386a97e00cbad45ccfc2b853a118c89fdbe6fc192b0",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Activity Detected via cat",
|
|
"sha256": "842200b53b379cfcfe0e98cce8c0775e7120c7312edc3aecaa2cae7783559566",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
|
|
"sha256": "c8effdbedbafb2183ae0ebbed62b0c5290d8157f7c6cf64bd0f9df02ee6c44d7",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"b0046934-486e-462f-9487-0d4cf9e429c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Timestomping using Touch Command",
|
|
"sha256": "ed8ed608b91ec1f89f10e2b4ef5ba1ca04884dc57c910b94f5f0b4cbb73021c2",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b00bcd89-000c-4425-b94c-716ef67762f6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
|
|
"sha256": "fe6380b09c3b3d38b09818076fb3ef3d0693c968fe9ce5547c4a82196782f931",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"b0638186-4f12-48ac-83d2-47e686d08e82": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Netsh Helper DLL",
|
|
"sha256": "a6bceece7403f9bb47478cdb04702271892ebffa4ae4251220da5abbdae44f2b",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
|
|
"rule_name": "Potential Persistence via Cron Job",
|
|
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Network Share Discovery",
|
|
"sha256": "6b2beff828f6dbc7e7b0afe03808d0497daf94d97c99afb60f9b17cf65c76cb9",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Network Traffic",
|
|
"sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "078de5b8caba30df61a3bc9e859848f359bf7a766344430b00b2c2046ed17aa7",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"b2951150-658f-4a60-832f-a00d1e6c6745": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
|
|
"sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "dae5acefb06a64476ec330f3a9e199d0829f858f37e1a80b9f611ae9ecf0a42f",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "850a993dfb6eda757d5c928ddadb446f3ff907e01cc16c715a8274d56c405fa0",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Code Signing Policy Modification Through Built-in tools",
|
|
"sha256": "cf799c7c2e95e99b29012536ac50ca736dbaaa029b937b73985d8f4b31b30e9c",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"b4449455-f986-4b5a-82ed-e36b129331f7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Persistence via Atom Init Script Modification",
|
|
"sha256": "46fcd9e76f08b0cd3308e57b64244a9bec5ce01b30e491015a20e1fd53e3de2a",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"b45ab1d2-712f-4f01-a751-df3826969807": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS STS GetSessionToken Abuse",
|
|
"sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b483365c-98a8-40c0-92d8-0458ca25058a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "At.exe Command Lateral Movement",
|
|
"sha256": "893d370046656c516a3d5b747ce8da0049fd49f11a14f685446dca5ada7bcbcf",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Policy",
|
|
"sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via OverlayFS",
|
|
"sha256": "933503a94667894209a5220b062fe18f2b075d5c0c0608171a3843cb264a4429",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"b5877334-677f-4fb9-86d5-a9721274223b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "7cf6587d86fbdfeb3c6513bb3c44adaeeff97831c1afb84ac5aa64fb8ed82298",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "2a1696db25e3e2cd7578545491d669f6f258b52993267c6da8d5b2de3409c9b7",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Elastic Agent Service Terminated",
|
|
"sha256": "201dd81fbc35d779e3102c505a0546583887b43b606d36a68232641653d1ca02",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b64b183e-1a76-422d-9179-7b389513e74d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Script Interpreter Executing Process via WMI",
|
|
"sha256": "e83adb7abd38295e3992be00556c51a2381e38d400259af3c0d3ba9e3abe6d2d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
|
|
"sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Policy",
|
|
"sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Administrator Privileges Assigned to an Okta Group",
|
|
"sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux System Information Discovery",
|
|
"sha256": "0d6d405de797c6c80d2fbc4e4771ff74da4fcec8ef4672510e7906fd491f0185",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"b8386923-b02c-4b94-986a-d223d9b01f88": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Invoke-NinjaCopy script",
|
|
"sha256": "cb088aadbdd5bf616c55df2573347384815144c281ffc822045be2119b8568c7",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "9514a809ca145d976ad76c91de53390221ffa8bde79020b93c643058eaccd223",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "674552a858e0c108bede8311d70e4461a8f06e600ceccbe2ca598e97a67d2d8d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kirbi File Creation",
|
|
"sha256": "5cc88228ed8f2119aba7d21bef4e172fec1499a3b3b8168eb439cb581d94c2ac",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "26cd2a27b9188a119adafb00b69b4b1d5bbcbc60cfd384696c76c50e54bcff5d",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Chkconfig Service Add",
|
|
"sha256": "ed8d32c408ebce2c38e498744b7f617e2d9a2b9a38139ad447c1c100b5844299",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Discovery of Domain Groups",
|
|
"sha256": "da6f8b65c43fe10336ad0774d7a19fd888def6e0dea1c94eceab12afc0e3fde4",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
|
|
"sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c",
|
|
"type": "threshold",
|
|
"version": 4
|
|
},
|
|
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Group Policy Abuse for Privilege Addition",
|
|
"sha256": "50ce20970c0225897cbd6278da8c53629372100b61e456082a1018b045d9d8c3",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
|
|
"sha256": "e1cb2516563dc7520157b944c165c5b231a99942cdfcd049f1ef1d3213bf29d1",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"b9960fef-82c6-4816-befa-44745030e917": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "6babe233910e674621a9caa5ef06d385da6c55f240c6169e50263b3ee15edba5",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
|
|
"sha256": "2a8f252310526865a66c043e6fce6a09a1f3bb3a23422aefd2e8782f9f25e414",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Resource Group Deletion",
|
|
"sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "OneDrive Malware File Upload",
|
|
"sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SYN-Based Network Scan Detected",
|
|
"sha256": "a2fa63d2505d8c71652f2a4e23c141d1682d9ff045c088e18b89c6e85508516d",
|
|
"type": "threshold",
|
|
"version": 2
|
|
},
|
|
"bbd1a775-8267-41fa-9232-20e5582596ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
|
|
"sha256": "41d271a7a3e18ee8bdec67895870a01f5bc3f8801a58b29bcba5ba615179f139",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Storage Bucket Deletion",
|
|
"sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bc1eeacf-2972-434f-b782-3a532b100d67": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Install Root Certificate",
|
|
"sha256": "2ec38edc30ee4c822372bf3a9e2f00ebdead1b16f135cbf5fbb1c657fbf41c9d",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Conditional Access Policy Modified",
|
|
"sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Non-Standard Port SSH connection",
|
|
"sha256": "92fe0317a5bf0deb57dbfeb4dcf96a13fa08ceb7e7a1e13f9f597eb9c94cda33",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "File and Directory Permissions Modification",
|
|
"sha256": "cd8d1d1e784ddc62a5db564994d9192996555133c9273a6f1b4384a76249ec0e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Service Account Disabled",
|
|
"sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bd2c86a0-8b61-4457-ab38-96943984e889": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Keylogging Script",
|
|
"sha256": "3d79fb63abbf974eea35cef0856ce1d799ebbf00d6ca813fc02212c88846a9b9",
|
|
"type": "query",
|
|
"version": 109
|
|
},
|
|
"bd3d058d-5405-4cee-b890-337f09366ba2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Defense Evasion via CMSTP.exe",
|
|
"sha256": "b31ac8c754822d3baf70384a75f0a66fc861ddb3ce0a3f8c40474fb161ea8306",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Print Spooler Point and Print DLL",
|
|
"sha256": "4c15aa93333df41d25b1da7384c925b4d5277eb5694fbb8f7d8f7c794143ef0d",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Pspy Process Monitoring Detected",
|
|
"sha256": "3e3047dea72b0e200ecac521c558ec5c07205beb177d77602fbbc760d41b3735",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"bdcf646b-08d4-492c-870a-6c04e3700034": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
|
|
"sha256": "9788f2c111d4f8b2f3e0fe64bf7ae3413c3de45f8b030b8611720aac8b263436",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "836e67e32ec8fe118f5d1934b55e659b1dbcfce76125cce36bdb3c0e1f8ab9bb",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Snapshot Restored",
|
|
"sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Owner/User Discovery Linux",
|
|
"sha256": "51ab813449dbe6bf71c403d5dffdb662db965a2d42c8049eaac20ba8bf5a9132",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
|
|
"sha256": "7571708ba81c1f4c57ec35169932645127841b408009313e8f8135ce0047e56f",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
|
|
"sha256": "9f7b054508c77d58f7d726725411dc517eef84d474347b3a8557ab84761eb842",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "1d3f46774fa553848617bda8c90e9702f60b946e32a622488929bf506f40dae3",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
|
|
"sha256": "f02b1ea97087aa0c75d168aafd1e53a360542cea5e0cebd4afb31782da226cbd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Suspicious Renaming of ESXI index.html File",
|
|
"sha256": "2195aa627b79e9257bce750418e362ba1b3e8afcb6b58e9fb9d1e7cb145e171d",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"c1812764-0788-470f-8e74-eb4a14d47573": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
|
|
"sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
|
|
"sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "10b03b0d2a557fd9f1db04ceba979e83c8291a46dd1430959c27531b5e55a74b",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Connection Discovery",
|
|
"sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"c292fa52-4115-408a-b897-e14f684b3cb7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Folder Action Script",
|
|
"sha256": "07321ea58e3520857e64122ab09803a1fc574e94988a20508aea507982b84a06",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c2d90150-0133-451c-a783-533e736c12d7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "12590f132922a1117fb9cf1c66fb7db25fd6aa692e594ab5e353b1ba010c6298",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Permission Theft - Detected - Elastic Endgame",
|
|
"sha256": "a4c5424046eadd416d5c7852d917b60abbeedce771b7e1ffd2bc0bbbb6649b0e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "a694c2c72d254cbfd29fbeb4d0893e558337476a755af6c851563a1014065d26",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
|
|
"sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "d375bc56966923722625e5df9e79b926dbeee902679aa6cb57b02a7dae9b0923",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "fe7c45ba7ffa9b0a75ac69678e899b81b70778bc9e472fa57463c14bb425caf5",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows System Network Connections Discovery",
|
|
"sha256": "56bf9828457985099728e90f9046ec5d50ba668e7b911712abec96eaa3d6d665",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"c55badd3-3e61-4292-836f-56209dc8a601": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempted Private Key Access",
|
|
"sha256": "878964185cf6bcfd3d1cee459b0664977de42cce6b31af0fb2ad35413e764dc5",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"c5677997-f75b-4cda-b830-a75920514096": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Path Modification via sc.exe",
|
|
"sha256": "471c10523b0876136cb7b2ebcf2df348a37efbe907b5bb0bd57c7650ce7c4fea",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"c57f8579-e2a5-4804-847f-f2732edc5156": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "0754db6d4f87bf3dbed35d286a6313e4dd925ac4336f36dfb27b7f5fdb03719d",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Virtual Private Cloud Network Deletion",
|
|
"sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
|
"sha256": "cb3a027cc825279d6ff1f31d31e63c3ce7ddce596ef2f0427bba0b3ffeb643f6",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "180f35496a5277ea5829782e66057c78d10f5cf1a375c0de5b836548f2236bed",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "8cf1d0abaed488b33ec708608f9a5ba1ec08a67e664df9145ebf1800d2701adb",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
|
|
"sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "cddefa7d53013d704fc6ae7740caee316c50acd79b1fc321a6f2f0b9120d905f",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c749e367-a069-4a73-b1f2-43a3798153ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Network Zone",
|
|
"sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Application",
|
|
"sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"c7894234-7814-44c2-92a9-f7d851ea246a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Network Connection via DllHost",
|
|
"sha256": "66f9611335e40f84586a2c89a68668f5ad3a0f4f2fded39524a649132ad4360a",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "e431240326e0ddb66017b695a15db0269ad7b4e5bde7cf37b10f01159fb9da19",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "c36b22463e66e69ad7dbd01c7e79c4adb82bf1f6ca122c7a45c071c4029f298b",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "26595f8f9541a3d4b1ce33b50669bb5f8e620a68f9063c6c07ef0eef97271b42",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Network Traffic To a Country",
|
|
"sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Docker Shortcut Modification",
|
|
"sha256": "aa52a0c9a38018a7a9d08eff12060ae5763f3672ab6f68acbc3a41dc323c4720",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "128d5682da221aeffcdc38868dcaa75f484b8b2411f3c7a2eae8881f6e41e861",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Direct Outbound SMB Connection",
|
|
"sha256": "276fda09a4647e0a3d729f05859857312616bc6c9355cbe2717d2c32fd0cc4fc",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Virtual Machine Fingerprinting via Grep",
|
|
"sha256": "c9158b1c2fd25aec7b65a7112e5bd5234e1f16fe85d6cea011a2c447f8845de0",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"rule_name": "Nmap Process Activity",
|
|
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Parent Process PID Spoofing",
|
|
"sha256": "c3dac03f556b89e88f147aed56f297767b5d0a9110cdf317ef621032e9aae739",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Ransomware Note Creation Detected",
|
|
"sha256": "6c899bbc998ab3b8926434c8838a0567b3e9daab6ac42337689be77fa96f4c6b",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "d820917b8b190283034007d7db8ba4ac8ef6bd82e9d9d8a9f256976c0fa2623d",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "dfa996d0665851351caf73bca44bb19208342678d818aff4cc77005b0092ca67",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Masquerading as Communication Apps",
|
|
"sha256": "1d87bf52f955049b3e1220e65c69464b5d6c21362b8762df0b397d412b1537ee",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
|
|
"sha256": "91b2db5824ba03638ae1b10d6b60a2cb0825c1aa43b80768357bf49d2dee514d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
|
|
"sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
|
|
"sha256": "94fbed29b0713d997d61575509179ec8a3aaf3580b4c2661a2a42ef4e7e50aef",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
|
|
"rule_name": "Auditd Login from Forbidden Location",
|
|
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cac91072-d165-11ec-a764-f661ea17fbce": {
|
|
"min_stack_version": "8.6",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 206,
|
|
"rule_name": "Abnormal Process ID or Lock File Created",
|
|
"sha256": "6ab73acfdcd8636a87c0fd8b1342d5e96de8cbd74ed0e4f4dbb689c32a3cbffa",
|
|
"type": "eql",
|
|
"version": 108
|
|
}
|
|
},
|
|
"rule_name": "Abnormal Process ID or Lock File Created",
|
|
"sha256": "16d0a37c5a0c0c7de7d31afcbfae78cadf1e1c87ed0eb87f347d3c6a44b1ae00",
|
|
"type": "new_terms",
|
|
"version": 209
|
|
},
|
|
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "a8e10bb292478990aa0c82694fcd3621b81383a8058b87a25449238641d59e3b",
|
|
"type": "query",
|
|
"version": 107
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a",
|
|
"type": "query",
|
|
"version": 207
|
|
},
|
|
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Calendar File Modification",
|
|
"sha256": "0efc16177bd032307d27579913e6c57c8d1d44ed1f5df38407ead5bbbe045dd8",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Enable the Root Account",
|
|
"sha256": "08bf09dc443eb0fb41c941a0a47f67b866253111c50d852fec72b81e5cdea100",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "50eab7a58d52dc1eb0e8d8af2d5ca140762dfdf60970d1e7d5fcbf80aff362f4",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Subscription Deletion",
|
|
"sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
|
|
"sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Process Herpaderping Attempt",
|
|
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"rule_name": "Socat Process Activity",
|
|
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Anomalous Linux Compiler Activity",
|
|
"sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "06acdf4e4f36bf4d2e6e3f0d424b81264fc5262e89ef2db45dae483404ffce09",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Downloaded URL Files",
|
|
"sha256": "3b2b2822568470b436f1a1db2ca7db260343faeb5f156b1b3b697a4393137938",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
|
|
"sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Okta User Session Impersonation",
|
|
"sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"cde1bafa-9f01-4f43-a872-605b678968b0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential PowerShell HackTool Script by Function Names",
|
|
"sha256": "8dd2c1c84b0fc1c9b380b49e3924012569cff3b126def7c497f092a63a057eff",
|
|
"type": "query",
|
|
"version": 5
|
|
},
|
|
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "e749e4d6a22d62d8564e36ff162cddb0342351273f7ae3f914f1781e4a6757e0",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Cobalt Strike Command and Control Beacon",
|
|
"sha256": "d72e36349524c074ac047562258cfce46273ee90ce47cd6b4d7bf6583558e37b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "c773965d1c83361d3745d38a93d9ac9380056a79a5f3d4ebff542d94a9a369ce",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Trap Signals Execution",
|
|
"sha256": "0ba6ec2eec63d471e368b93ff67990a66c3d7e08e08719c6e2ee4eff8f216c81",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "33d3c47a50a64210f5b2ffc25ccdff6d5d37d16fc71e6dbbc5c13a18b6780cde",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Namespace Manipulation Using Unshare",
|
|
"sha256": "62f6fba73304cb10595e4f538a276512b741e0029111d72087049753411361eb",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "AWS Credentials Searched For Inside A Container",
|
|
"sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "ec194a453dd3acbf1dffd2e109f77cbbc7051fdfa80409701304809ce5654c43",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "da76314ab374a374b6612165cb783f7d25612235f241744919149cb6d00af975",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Expired or Revoked Driver Loaded",
|
|
"sha256": "58dd943fa10c8dc106e4f561c6a5755a555d7dd1116a6e82a02678f77be051f4",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d197478e-39f0-4347-a22f-ba654718b148": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Compression DLL Loaded by Unusual Process",
|
|
"sha256": "8ec13c2f3c6784d7cfe3f314135c8c4c8afe0087deb18c62bcdf5b41db55f5f2",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Microsoft Office Sandbox Evasion",
|
|
"sha256": "688898fbfb57e6d44d1f755be87e439516aa1a084dd4adbaa97b65bf8eb86995",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "73e5e14af530fc3c0ff1a000b5b32bc30097045766025d6a7240dc31794faa7e",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "14a1097b7ee5b1d73b9dd86e6c7326ea224be99416f6f947d03c968723badf8c",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Windows Service Installed",
|
|
"sha256": "63102ba4aec4aaab713fffceebe688d706bb41cdf8bcf23d4055467011cb9fb9",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"d3551433-782f-4e22-bbea-c816af2d41c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WMI WBEMTEST Utility Execution",
|
|
"sha256": "687d0e851309a066fb0d13b00750846d62e6da9fca5b2a80f9f8b6864ada9b76",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Shell Execution via Apple Scripting",
|
|
"sha256": "6f6e3def0588b1a03d12a0293b5bbd9c1d0090fe90097786f9d7a4b13c95f02e",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Application",
|
|
"sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux System Information Discovery Activity",
|
|
"sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Source IP for a User to Logon from",
|
|
"sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
|
|
"sha256": "a386bc0314dc614dce09c10f76f04e239c85cffb8e305a1a37dc816fe8d0e466",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
|
|
"sha256": "351666156e6d77e8c9c195311cd45ba8c31b9e97ea0fd1503c48c15a776c1918",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "7b25d0582e256fb4ce7c470b52e131cce26a826b62117c6ef9ff6f1769b4f003",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Delete an Okta Policy Rule",
|
|
"sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "d560df7cdf03af3bf9cb7e30466dd2430565baa3ead05a508a50979884b3b607",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudWatch Log Stream Deletion",
|
|
"sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Pub/Sub Subscription Creation",
|
|
"sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"rule_name": "Strace Process Activity",
|
|
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Information Discovery via Windows Command Shell",
|
|
"sha256": "123d0512c4355047e5fc67352b4ba9a65b7bd2515f7513409a0276a2414ce054",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
|
|
"sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of WDigest Security Provider",
|
|
"sha256": "80570780af03c2efcf7f4a9003e2c21b34eb66a062aaad55d9676514ffea140d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "e5a39260fe132207d539ea518652001adadec98c3bbe9ddaff7d7e7b0e673a57",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
|
|
"sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SystemKey Access via Command Line",
|
|
"sha256": "9d6616ef8767f89e243b80ec3f320bdd3c8e6a46acc445fd040ae92aaf3e9c12",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"d76b02ef-fc95-4001-9297-01cb7412232f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "23765713e12113ddb20663a6b929ed119d23f9106635fe4998ce6990dd394d97",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Blob Permissions Modification",
|
|
"sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Logon Events",
|
|
"sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "a83fb857076a042c492fa2affcd6539e499ab52f67b336d1e47854a3e23a13d3",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Untrusted Driver Loaded",
|
|
"sha256": "c5ce1faffd687af5423c4bad755a8d5d182a6c74fde100b49092067a43111e70",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Deactivation of MFA Device",
|
|
"sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "638b38528aaa1d362737de0ee6c2c010913f44c8179a2ac928dbedc9473049f6",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Code Signing Policy Modification Through Registry",
|
|
"sha256": "8376f30e9c1abd833e2b39242f04ba3f296fe0f2c153e3feda039d77b73ffd6f",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Service was Installed in the System",
|
|
"sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
|
|
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
|
|
"sha256": "297e315306142cee4a09811f704f80247b099304aaedca726a6b155b0a285b02",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
|
|
"sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network-Level Authentication (NLA) Disabled",
|
|
"sha256": "b778970c6f8ec04e3dbcf851f3553e72e19420cdbf1181efb2a8d360ec4f49a2",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution via Windows Subsystem for Linux",
|
|
"sha256": "17af58de4b6c1966f11b602f2971c9d50764e0dd5a201bdaacbca05fb50d7f66",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
|
|
"sha256": "2f96b5a3c80cb7302384f5ad110eb5b90940fd4f578994b45253302d52e07936",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
|
|
"sha256": "f64d050e90fd179771887f3ae5d3ecdd6d9c638572d6ecb8cb513fddcd5496df",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
|
|
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
|
|
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
|
|
"type": "threat_match",
|
|
"version": 100
|
|
},
|
|
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Hidden Process via Mount Hidepid",
|
|
"sha256": "df8a6dcbb0d179f109c810c8d819c0e48c62c8280a2c6196d00ba951b1486594",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "2ec7ebca77b749a6e4385185ffcbdbc71c0c3a9600b7599bb7b6462c6d84a28a",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"dca28dee-c999-400f-b640-50a081cc0fd1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Country For an AWS Command",
|
|
"sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946",
|
|
"type": "machine_learning",
|
|
"version": 106
|
|
},
|
|
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Install Kali Linux via WSL",
|
|
"sha256": "e530308b262a81ac2d4d51105ec00c5574674221ede76c621d967f3bafa48e67",
|
|
"type": "eql",
|
|
"version": 5
|
|
},
|
|
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Reverse Shell Created via Named Pipe",
|
|
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "cdf948e2a073cb6319fa302acc7b0fc8a11477746659be69cff0c9b7860403b8",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "573c9ca2dbe19f1a028b5b5819057f1cd784de1be52279fb1eb1b99bf3aa91a4",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "0ec40a6ffaf45b8d92ca2b163b9aabf5bde1a0fbb801e77ab931a36571295fb1",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Query Registry using Built-in Tools",
|
|
"sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "First Time Seen Driver Loaded",
|
|
"sha256": "e35873c4c836a040e5f558474966d7bd8b224776bcebab71cd3db0279a1068d2",
|
|
"type": "new_terms",
|
|
"version": 5
|
|
},
|
|
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"df26fd74-1baa-4479-b42e-48da84642330": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Account Created",
|
|
"sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Dynamic Linker Copy",
|
|
"sha256": "3e2bd8f151616982adae6eeff5311584831c41100d151b5327e9a39e41354ef4",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "8504c3a7241f7cfb70d23f3d06e6f6c5191c15f0ac37578efdc476c6230b04a6",
|
|
"type": "query",
|
|
"version": 101
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "1f4c0ae9dd783f3b83ac46047885d443bd3d578a6f76c1eb3211780b7b2e3876",
|
|
"type": "query",
|
|
"version": 202
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Firewall Policy Deletion",
|
|
"sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "KRBTGT Delegation Backdoor",
|
|
"sha256": "0cb624873a820339db88e27f6c934f951767b06b5fa612ba655162ddac81044c",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Service Discovery through built-in Windows Utilities",
|
|
"sha256": "ff2526e88d22d00ba16eca2c07ec3bec5e06c7785739a7ab842edd79c975943f",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
|
|
"min_stack_version": "7.16",
|
|
"rule_name": "Whitespace Padding in Process Command Line",
|
|
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e0f36de1-0342-453d-95a9-a068b257b053": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Event Hub Deletion",
|
|
"sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route Table Created",
|
|
"sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Cluster Creation",
|
|
"sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "812d614780faf4725c6f1f5361fd6e47e40c2ea93429a55d3e577c3517074577",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e2258f48-ba75-4248-951b-7c885edf18c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Mining Process Creation Event",
|
|
"sha256": "d5d199aba7de4375e54e1a420264755c1e6c6e2326dabf9ca76f2cd5285ebe46",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Successful Logon Events from a Source IP",
|
|
"sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "619ca917a538026a7832ad49ce85327632de2c6218731727c03f1492ef67e712",
|
|
"type": "query",
|
|
"version": 108
|
|
},
|
|
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Management Console Root Login",
|
|
"sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Network Connections Discovery",
|
|
"sha256": "656484abbd7ea6b41057e6c9b6b267bf1bcf9a7144ec6e07f6fe26948404ab9f",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
|
|
"sha256": "0897fefd02654839585af75de63a6c8ed5041e6659933458ff58f29327d6c410",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "b8ef093aa90790193389f0a3b2eb27568f9516fec3932bce89da7213cabf2393",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP IAM Role Deletion",
|
|
"sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "71b3674d3f5ae08be304fa711dd538194ebb2c5624de5518b705a973ce44764b",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"e3c27562-709a-42bd-82f2-3ed926cced19": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
|
|
"sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Ransomware - Prevented - Elastic Endgame",
|
|
"sha256": "c3d5155da5baae86f8ea73fe2f45b44e3012406d9fc61cd2169142c81be06631",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
|
"sha256": "db6c8cc00bdbaf0ddb428a155db94ed7c9f288d60b6f199fab061f577a7bd7f4",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
|
|
"sha256": "1b8c0a0d497da1a7aa237cea422221680d66e067bd3cb56754342e2426b8456e",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Modify an Okta Network Zone",
|
|
"sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Creation via Local Kerberos Authentication",
|
|
"sha256": "c47f1f706cc482c626dc8045250f798362338387db47fe387412408b6be3bae1",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Kerberos Pre-authentication Disabled for User",
|
|
"sha256": "f58e148fb90ab12de044fc7afa0a2778b71ecd8643082310872048c0960b54d4",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "2c13a6fc437d2115e97e6e81a6d555601f5f93d05f444b9935bf76d94877c049",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f",
|
|
"type": "query",
|
|
"version": 205
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Bash Shell Profile Modification",
|
|
"sha256": "89a6e5c6d2b9b24839bad3982fe4350838838f91a099081af2d9e17bbd48eb02",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Authorization Plugin Modification",
|
|
"sha256": "588ebf1bdd990fd6153d745e01de7aa329e4b9ad1cf727e6c6ae340a7691e07f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
|
|
"sha256": "077f0a7711bbf837f2e67231c713061aab1388e7194845c2724884baba2fcba8",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e7075e8d-a966-458e-a183-85cd331af255": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Default Cobalt Strike Team Server Certificate",
|
|
"sha256": "c0e04ce1aa8f8652c9593631d1a9692ea6c265ee388e504ccc1d3c225ad62272",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution of Persistent Suspicious Program",
|
|
"sha256": "e6030f17314972964810faa00556377b009451a1f81181856e9cd6099eecbfbc",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious WMI Event Subscription Created",
|
|
"sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Process For MSSQL Service Accounts",
|
|
"sha256": "3b88ce7678e0afd9133e4614123484e05b3c652f2ee1b555271860a540e9e01a",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Credential Dumping via Unshadow",
|
|
"sha256": "6b4158b68c196337a5ca798c23c4e99e1f5b63dcc09404ce703310ffa3115658",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"e7cd5982-17c8-4959-874c-633acde7d426": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Route Table Modified or Deleted",
|
|
"sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Control Spawned via Script Interpreter",
|
|
"sha256": "9d7d295720f93607b0c637e791d1135a828f9a60edfd04a13aea1c2f444cddfb",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "07f742804dcc4362c3a6df0146ffd869e3e92a5e39ed19fbc676e1a205762fca",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
|
|
"sha256": "dc2992b1a27eba7999a488081a344e7546a35fed9138ada9a18fcca55cead2d4",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
|
|
"sha256": "386862fe4e944388b9eada8008e45520c98413131236b3c1dbdffd72bd7b2db3",
|
|
"type": "new_terms",
|
|
"version": 2
|
|
},
|
|
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08",
|
|
"type": "threshold",
|
|
"version": 105
|
|
},
|
|
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS EC2 VM Export Failure",
|
|
"sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "2691fb427b7fddacc7927bc417d5dab77367c0f14203e072f86d3aefe7a62802",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential LSA Authentication Package Abuse",
|
|
"sha256": "a0ba2b3c599f12c32b5a0939253f61624c5aaef4f8bec7e3c2a58427a1421f1c",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
|
|
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
|
|
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Automation Webhook Created",
|
|
"sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ea248a02-bc47-4043-8e94-2885b19b2636": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
|
"sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80",
|
|
"type": "threshold",
|
|
"version": 106
|
|
},
|
|
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Spike in Firewall Denies",
|
|
"sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "External Alerts",
|
|
"sha256": "987ec9abd74221c9ba9d74c421bc291c1a711da2030aac49cf842693483d9849",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"eb44611f-62a8-4036-a5ef-587098be6c43": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
|
|
"sha256": "4fd30c5b6cde137af4b4bfbe6147e6b9b22ee92011d517f81f11bfd501ecd62d",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Kerberos Ticket Request",
|
|
"sha256": "a05367ae65e4b39de37332b4894eb8085397b7fbf86eb16ab1899b6d60beac4d",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Network Connection Attempt by Root",
|
|
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "b8f1ac64b7c560cb7647ffb41b0bcbedc7b257a7f316fcbeb491b84b7b09c94c",
|
|
"type": "query",
|
|
"version": 105
|
|
},
|
|
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "cc34ad5743714d022bd3d06b3eef95da4715d5b72e531c4235b17576ba88d2d5",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "160ed3a375dcc3e55e6117241ad6a6bc1ef32411c7d4a0d406c968aeeb017680",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "7ef91946b0330f608783b4afaf455fe3bb69d40331bd9be9573e1e1b3b9429d2",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"ec604672-bed9-43e1-8871-cf591c052550": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "File Made Executable via Chmod Inside A Container",
|
|
"sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
|
|
"sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Instance/Cluster Stoppage",
|
|
"sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Global Administrator Role Addition to PIM User",
|
|
"sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "84fe4ed20d10995793ab80c3edcadea3a2e6590b1c71d8b0f7ae5f3400276e36",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Deactivate an Okta Application",
|
|
"sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "3482abb380dae16ed856b1c92ebf753d98d655730383b3e1e6329221b64d7f96",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Linux User Account Creation",
|
|
"sha256": "a543b60be5b2a1233c9fb7a049c1556d3cf7a3df31ba9a09fd4e7f1b427e5109",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Print Spooler Child Process",
|
|
"sha256": "2bd1115d1a41b7a4ddd1ec2a4b7dac55b76173ff8ff1e3df92775705269ba0c6",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Shortcut File Written or Modified on Startup Folder",
|
|
"sha256": "0d2db57efc137fb2c937163b2d094d9504f0f8ef15c3c7805ad1b83d14ed8ee0",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
|
|
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
|
|
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"eea82229-b002-470e-a9e1-00be38b14d32": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
|
|
"sha256": "05d0abb50bae439b769843646d3b7295eef4a0bc5c024cf9798ecf355acd3575",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "BPF filter applied using TC",
|
|
"sha256": "dfcaee87ab5815bd4120fc20f1cfd41d481913aa1b077dd7e28539febe9bd5d9",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
|
|
"sha256": "421ac0a4b80d62b16f199e6f04b38b5b8c1c8dbed801722495c596321864b0fb",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "a5131bae94678610d7c365c497f62c084b0c6c3c2954fada880c3531d5e342e9",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Child Processes of RunDLL32",
|
|
"sha256": "2e8062644461fe200b2c0e86e1ea8526c11447b53e129b6096fffef03a70986d",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious HTML File Creation",
|
|
"sha256": "7ab8c378ff7083c1a6c05954e86861bc3ea942fa39a3e3ae31cdc225509315d7",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Administrator Role Assigned to an Okta User",
|
|
"sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Attempt to Remove File Quarantine Attribute",
|
|
"sha256": "6433cb81a632852cd17a4e72400aca36cfc55a5f7dcd8826f139d7a029c91097",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f0bc081a-2346-4744-a6a4-81514817e888": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Alert Suppression Rule Created or Modified",
|
|
"sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Execution with Explicit Credentials via Scripting",
|
|
"sha256": "1757d1031c5a71bf9d138675ce1ff87d27789dbda0f8da8764846ec8e42433f4",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Remote Code Execution via Web Server",
|
|
"sha256": "acc6575e3fa6df0eabd86bf1fa2a16fdcf95a33f0b3c99ef35f473bee3cbea26",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Forwarded Google Workspace Security Alert",
|
|
"sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"f243fe39-83a4-46f3-a3b6-707557a102df": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Service Path Modification",
|
|
"sha256": "790cb59192049129174ca88a5027bbc545f0d19ab6d4278e4bd826f2aaedcfc4",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Creation of Hidden Login Item via Apple Script",
|
|
"sha256": "f296c42702e111663ae6795fba27be54503e7ec2e1c6a433a0f3cf3ff1c376b6",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f28e2be4-6eca-4349-bdd9-381573730c22": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
|
|
"sha256": "181e254a121f95897919759791f5af14565c11aa4ed7bab144e1e9c27400ac8b",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SIP Provider Modification",
|
|
"sha256": "66bb086ae806373755f3c312b7a40a726c84622d160a5d644fe31f651e50d2b3",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "ddf5498423537a85ccdbb7552f2986e755918e505b195b2aa3e6c58ab2825bc0",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS RDS Instance Creation",
|
|
"sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application",
|
|
"sha256": "4c7e78b131d1198b5114a869eb0b7caafc11536152cd2368abfdd62ff264472f",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"f3475224-b179-4f78-8877-c2bd64c26b88": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WMI Incoming Lateral Movement",
|
|
"sha256": "881b9fd8fe67814ac0e2fd46633b3d14bec837de65f947f3196690da517ec326",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
|
|
"sha256": "115660e13a810016b291f195725e24a486fef4f4a29c1b6ea99e35462af86691",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
|
|
"min_stack_version": "8.5",
|
|
"rule_name": "Threat Intel URL Indicator Match",
|
|
"sha256": "f8210c3d8a13d1354dfe9c14053034eafc71b8bef3477f9e8e7279672ce95601",
|
|
"type": "threat_match",
|
|
"version": 3
|
|
},
|
|
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via Microsoft Office AddIns",
|
|
"sha256": "6529bb3e9f2e7ba6334ccf83e73cb084a6d4a6b4754c82131a2b29b573db94fc",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
|
|
"sha256": "58fd8199f7eaa97b77809fbe7b9b19e44632eef4618a3a85d269f4c10fc65dda",
|
|
"type": "query",
|
|
"version": 107
|
|
},
|
|
"f52362cd-baf1-4b6d-84be-064efc826461": {
|
|
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
|
|
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
|
|
"sha256": "4a1c0d919c79748efefe5321d5e6652f4806a90a6748a5fbb97472ba5c7b6479",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "9c28b36b93bb14bdf7618dda4125499529113bf5a991135211322b859581d528",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "SSH Connection Established Inside A Running Container",
|
|
"sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WRITEDAC Access on Active Directory Object",
|
|
"sha256": "1985348b300faecebbaac140fff23f888d5eac725cc209b01811dc5cc860b8b1",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "WMIC Remote Command",
|
|
"sha256": "dc6e94a20b8f1618cea407e2ac25227adc96daf497e2c1b5b034408f0e1aa3c9",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Masquerading Space After Filename",
|
|
"sha256": "b8733fd0fd4e27a60869420a23f949e588a94ab43ebbc2bacdcb58250c6a82bb",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Account or Group Discovery via Built-In Tools",
|
|
"sha256": "402cdc6a8b9fbe4bbda7174be70efe396596bdbc7c8e4adb6b4edffeb52d8334",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Windows Firewall Disabled via PowerShell",
|
|
"sha256": "0e7d1a785743f7bd0167dacf31665648afe6cc0921d859d611decdcf3ca2bf89",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Delete Volume USN Journal with Fsutil",
|
|
"sha256": "cee57a655fce6db9f5c07b5bed43fda69027de2fad8e578801e6811bab06077f",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SoftwareUpdate Preferences Modification",
|
|
"sha256": "244211398fba0bab7dda8256bd3c850b4d50809a75b98d4a729d349b94fee478",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Hosts File Access",
|
|
"sha256": "f1c8e65d5f5b64c4daf0001b6c893d1cb6b75923a7d71c1986c7a6366a5fee9b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Azure Service Principal Credentials Added",
|
|
"sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f772ec8a-e182-483c-91d2-72058f76a44c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS CloudWatch Alarm Deletion",
|
|
"sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd",
|
|
"type": "query",
|
|
"version": 106
|
|
},
|
|
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
|
|
"min_stack_version": "8.8",
|
|
"rule_name": "SSH Authorized Keys File Modified Inside a Container",
|
|
"sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistent Scripts in the Startup Directory",
|
|
"sha256": "afb59ffb04d13b21e0f2cff08ed6f27c27dde808d3cb5b84a5eb3ddb2d566665",
|
|
"type": "eql",
|
|
"version": 108
|
|
},
|
|
"f81ee52c-297e-46d9-9205-07e66931df26": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
|
|
"sha256": "84af71d36b636e2785c85ee6e6b0dcfc90b6df18c844ba0627a5605b8aa892d5",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
|
|
"sha256": "a2f610710f7b33470a65808c34fbd182dcd0512ec2a9678a18b05f5f24343378",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of AmsiEnable Registry Key",
|
|
"sha256": "9c50c505cf44d6eec05e8c2cc96a6569c7c14b193943425c21de51abbea9e5ca",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Unusual Linux Network Configuration Discovery",
|
|
"sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042",
|
|
"type": "machine_learning",
|
|
"version": 104
|
|
},
|
|
"f95972d3-c23b-463b-89a8-796b3f369b49": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Ingress Transfer via Windows BITS",
|
|
"sha256": "f58b2bc6df6119dd19b628c293c7dff6ea595e65b39223cf2d0dde59b882b15f",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Browser Extension Install",
|
|
"sha256": "6079caeac5bb8aaf376eca68eabd0a6470f809ea118a564a2bff36d9612b7e65",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privileged Account Brute Force",
|
|
"sha256": "f5252571a3884a621635498b85bfdf070a396d30be00c83e6336d0c4e91979e7",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"f994964f-6fce-4d75-8e79-e16ccc412588": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Activity Reported by Okta User",
|
|
"sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote File Copy to a Hidden Share",
|
|
"sha256": "56bfc5a88cfcdbba392ce9e25d0e7838831cac7440f8ef2a35107b6257261115",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential External Linux SSH Brute Force Detected",
|
|
"sha256": "983e0ddc1783910db137adf087a0cb74b34fbf20bf1569b9024cd5578ab1b84a",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Reverse Shell via Suspicious Binary",
|
|
"sha256": "df52af5aacf36ea1a7ad6a44b6238bfd08e8feb288d0bb5d1b604d6f8cd513b2",
|
|
"type": "eql",
|
|
"version": 4
|
|
},
|
|
"fa488440-04cc-41d7-9279-539387bf2a17": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious Antimalware Scan Interface DLL",
|
|
"sha256": "49d714fa5c7450eb4f2ae0d249c48cc4200969fed6ea2b87d14a560608ca32ce",
|
|
"type": "eql",
|
|
"version": 6
|
|
},
|
|
"fac52c69-2646-4e79-89c0-fd7653461010": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Disabling of AppArmor",
|
|
"sha256": "84c459fa919be715728e6f1c0a8c4ec19b8480510bb411c3b81bb72ced32586f",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Masquerading as System32 DLL",
|
|
"sha256": "6dabae4a91d13a982c01d893b7091d39599ab9bbc1e7e88117adcf8ae0a70a40",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Network Connection via Registration Utility",
|
|
"sha256": "cca4c8c4fe974be12e9a9717eb82caa9cbb509858bba01b5872ad90988772dce",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
|
|
"rule_name": "Auditd Max Failed Login Attempts",
|
|
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"fbd44836-0d69-4004-a0b4-03c20370c435": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS Configuration Recorder Stopped",
|
|
"sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
|
|
"sha256": "8975d3c8774ec9437e4cd11148a51508e2c6d7f7d78d7201c4be6cfbaf0004ab",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the expect command",
|
|
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Application Shimming via Sdbinst",
|
|
"sha256": "4b954791de8751f010850822c06e03453a0570b6d49480dce1b58cd1a05b269d",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious CertUtil Commands",
|
|
"sha256": "fd88b16bea9e60d003cfb12c298738c8c7c185dcbe2daa2b7efe66e7bc09b023",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Svchost spawning Cmd",
|
|
"sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04",
|
|
"type": "eql",
|
|
"version": 107
|
|
},
|
|
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
|
|
"sha256": "62b9374ecd5f2c092b1940f6dd1481f37a42f04bdda1015b7cb512ba22db08ca",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"fddff193-48a3-484d-8d35-90bb3d323a56": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Kerberos Ticket Dump",
|
|
"sha256": "5c50aaa0928ecab2b1476d973bb4bfb90d78dd9e2448e1aaa8c61daa32ddedce",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
|
|
"sha256": "a8ea104f14627b5bef865394a5a80d56b351edaa5b4beea10407d3950c42f419",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft Windows Defender Tampering",
|
|
"sha256": "da773bcc4a79e9c08e47654c4abaef1190bd351feb40255c17932f918361f591",
|
|
"type": "eql",
|
|
"version": 106
|
|
},
|
|
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Masquerading as Business App Installer",
|
|
"sha256": "60ec14b09417f0cb76b839ac47aa592120fc5692e363f35cb28840dcb84414be",
|
|
"type": "eql",
|
|
"version": 1
|
|
},
|
|
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "MS Office Macro Security Registry Modifications",
|
|
"sha256": "eb594f40b846f2e27c3ac05de62f5c78c771164a6d579245e5e4c27990e1c049",
|
|
"type": "eql",
|
|
"version": 105
|
|
},
|
|
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
|
|
"sha256": "93c635e72bde1b37f08db8fbaab71b57c830ec8a6d88f9d868cad5cae1d4c602",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
|
|
"sha256": "3f05ca34ca031232a58c6bdd28c52d7ebc9751646383323594d0514a33322443",
|
|
"type": "new_terms",
|
|
"version": 4
|
|
},
|
|
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
|
|
"min_stack_version": "8.7",
|
|
"rule_name": "LSASS Process Access via Windows API",
|
|
"sha256": "89aab4dd5ac4c53bd4096c632d79151c726d6991f64ad42938fde25eed6a3c8b",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
|
|
"sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "GCP Firewall Rule Deletion",
|
|
"sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
|
|
"sha256": "16c98c01aec6efd485063babc9daf4aef11f4c6de3c2834b877688f6326a8cb6",
|
|
"type": "eql",
|
|
"version": 2
|
|
}
|
|
} |