From 182b29087f2dcb63267166a322609670d2e17467 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 19 Jul 2022 14:07:50 +0000
Subject: [PATCH] Locked versions for releases: 7.16,8.0,8.1,8.2,8.3

---
 detection_rules/etc/version.lock.json | 2782 +++++++++++++------------
 1 file changed, 1403 insertions(+), 1379 deletions(-)

diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 06841ccdf09..7a11308ee63 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1,142 +1,142 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "80a1e50be50bbff3ad4c80bdb84fae234c4b5ba106a15e6ed2570580a5d60b46", + "sha256": "45b250b9a9bf360a293fa80f40cbb0662947e2cb4720c7ff2ee4c7ef56780da6", "type": "query", - "version": 6 + "version": 8 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "7.16", "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "6bd8502bc40bd03620c90d9b566806eabce8546ce2a94ee8b2a6afba2bfd8d9a", + "sha256": "3c01d95323f7c5eb6e183e2123acd3cdd13019c938cea3a4331856c7fc486ca7", "type": "eql", - "version": 6 + "version": 8 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", - "sha256": "48c130a4cc7d3fd34f76519d5e62d293629ee285d092ef4850400464786572ac", + "sha256": "f5fca5544409efa9be726ca0e0b1efcc9802cbd29a2890e2f612f30655bc5597", "type": "eql", - "version": 12 + "version": 14 }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "982cd5446f2364c8297740d85ae9e707dafb0ba78e9c08622405313d96b4ae10", + "sha256": "8fd5f277abd94553256f5126cf65e0d069d1d95482145cfb1b66e1e553d5657b", "type": "query", - "version": 2 + "version": 4 }, "015cca13-8832-49ac-a01b-a396114809f6": { "rule_name": "AWS Redshift Cluster Creation", - "sha256": "0f9f2e6b27d7fc8e499195aea802559ebfc86c27bca6c9e14b3a0c9ca688c89c", + "sha256": "037ca803c34fe7d284617518d7fb90f2db08411167a0059b42d74e1fcdf039dc", "type": "query", - "version": 1 + "version": 3 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "d1d8134c952b55fa1b0bee04fa68195ff7ae87787222ae233a9002be2a19f94a", + "sha256": "f7b2c8b4dbc662b7655d6a22c185a96ded676dfb7bbd01ba1387a147cf49c877", "type": "eql", - "version": 2 + "version": 4 }, "02a4576a-7480-4284-9327-548a806b5e48": { "rule_name": "Potential Credential Access via DuplicateHandle 
in LSASS", - "sha256": "68c2afebb98ce672775564854f7dfbb1d72f8c30b6c945c86bd7c74421382cb4", + "sha256": "b1de0af156bfc3f36a6e07bfd27aeeea26c2fc55324cef750b6b1795d5ec28eb", "type": "eql", - "version": 3 + "version": 5 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40", + "sha256": "520a5314864e727b87f4d29ec56a032097bc82fdbda532df5acdb01f02584c73", "type": "query", - "version": 1 + "version": 2 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "56fde644941c8dc935907706539c6147e325aa11263d94d18329ebf769ee7838", + "sha256": "ce48c3bdbdfa257d18b05177b3829acf168c94668cc0cfbf3f7f593fc77cc668", "type": "query", - "version": 5 + "version": 7 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "502568bda8a45463938048cbebfd2f4b7ebdc9c42d21fb2f5909d98b4b9e8de0", + "sha256": "55455b766db2b90dcbc598a0b7474a3c2b226fcb1d6d03b9f6fe4e80fe170ac4", "type": "threshold", - "version": 5 + "version": 6 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Modification of OpenSSH Binaries", - "sha256": "aa59437d25cbe738b072814c67b5b678717edc99329c857a2eddcc4b0fc42290", + "sha256": "14bdcd91647f19550a79a44c07b3e926479d56bc68299652a91a3b9ef627a7dc", "type": "query", - "version": 1 + "version": 2 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Potential DNS Tunneling via Iodine", - "sha256": "b98a066f2cf74984ac8e04ea0db6503d30605711ac54d6d341f42c09a64bb515", + "sha256": "81c47e09cb2adb59f51d6cf2473cd6c6ac520f4e1e3340d99b04a306c2bb25e7", "type": "query", - "version": 7 + "version": 8 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "rule_name": "Azure AD Global Administrator Role Assigned", - "sha256": "6624bd59e3484cbeccc9ba462120dbe3f2687e9197709fb7ad303100c52733c1", + "sha256": 
"47f75a5b7f32b38770f6701ea8a559de3e7f37eacc0e5690ac3f2bfd4f43b63a", "type": "query", - "version": 2 + "version": 4 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "aac08399f02ab0704bc8b64ba045fe7dd1578736d85b8fea2ef0cde8c25958ac", + "sha256": "09547c03e6129c7949f7f3416adf014489344d5f43d4090c9235bee2730437b1", "type": "eql", - "version": 3 + "version": 5 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "81e0cb3eb2e76becdb12a2b8a5551cbd8ebc53eebae7850d5349a26a363177a0", + "sha256": "9a71367ce47f6c9a0a69120cf743a61e12ffb4619cdc3e785fa76d2639853d1a", "type": "eql", - "version": 5 + "version": 7 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "03e2c849f488b4255582dc556738350c682785e1db0c8716435248bd3d26337b", + "sha256": "0346953bc339297acd752cfc29853af25dcb4e17cb0b09c25014c67684219e2f", "type": "eql", - "version": 6 + "version": 8 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "3f61f0f688bfc61699356e5e7f4973cd0b8836b77900f752f3eca5ea477681ba", + "sha256": "14216eab6a7b7da3a481da0958407b9c094d4b7397d8893010ab7328ab9080fe", "type": "query", - "version": 6 + "version": 7 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", - "sha256": "97d7e293810d547dbf62a8870db00621434ca316153fea733c6b23839fe8942f", + "sha256": "a7de1002d6f143e3652830157f48a969010b4f7702d3c4cb6b40b3b920e438d7", "type": "eql", - "version": 5 + "version": 7 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", - "sha256": "24081b70d3c6ce13c8bd50d44c705b306d371355afcef70dd1cafd8105c370d1", + "sha256": "7bacbeef7e30a296210ae47a4d89084c9a061c575961862466dac562a92ad356", "type": "eql", - "version": 9 + "version": 11 }, 
"074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "b7aac4ac25a00672dd28ff2c7b8295335ed04f4040eb355166fbd9e0e346bf40", + "sha256": "bf0429e76fb9c1db6f809649d079add564548ab3be0cde7b59b0927794bb0535", "type": "eql", - "version": 6 + "version": 8 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", - "sha256": "3a499c8697025a438c86ba5961db32de9237c228e0337aa79b43ac98a7624d64", + "sha256": "9e1e62112cc8fa1fe71abcabf3fcfadbef76d36fedd31d254acafd00134195c0", "type": "eql", - "version": 1 + "version": 2 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "7147dbd3f68475c0087ebb6aabbc2b86ebbe5be53eed996c4499c4b12a6efc21", + "sha256": "d5e7a7f1a49e2fa16ac871bdc6c45439313a800e8071b31203b2277379185350", "type": "eql", - "version": 2 + "version": 3 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "ed5affdb15f11894bd6c79489368d13ba7d6be9cb53c34d65c7b30150ef24f55", + "sha256": "e37783a55e181e238dbc63c6e18250cdbf12fb194ca0e8ee4d5df5fdaf6c4042", "type": "query", - "version": 1 + "version": 2 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", 
@@ -146,15 +146,15 @@ }, "092b068f-84ac-485d-8a55-7dd9e006715f": { "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "9dd3814b461fbb4a289ff60e9bc8b793e2cb11bb20225ecab60b3199dddf441e", + "sha256": "94b21cc3439ddd578f40b04f3f0760e4017cf7b26b75b0d19bcd7165dcd89880", "type": "eql", - "version": 2 + "version": 4 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "rule_name": "Process Termination followed by Deletion", - "sha256": "94e72ce4ad6b954cf01ab7f7a175c472e6936b75e330dec5da7847381fce4224", + "sha256": "6e9241441b9445d0757086740e6a26c7f53742de3203f78b3d1248dacbf5230e", "type": "eql", - "version": 3 + "version": 4 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -164,15 +164,15 @@ }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", - "sha256": "d2affe457c5a635a572b2b85ae763252a0f0269f17e458d5821017b17de7a9ca", + "sha256": "b2240da7e55153213f9a0a9dbc78def3abe219d21e94d42b23edefaa71dfc749", "type": "query", - "version": 2 + "version": 4 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Elastic Endgame", - "sha256": "a721897ba5522f3f80de884490b7ec388a753c8679db97593a1f957a7bff12b2", + "sha256": "625e15fc2de85491b9506d68b1852e7faceace28909534416f3fe6df4b4e7506", "type": "query", - "version": 7 + "version": 8 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", 
@@ -185,64 +185,64 @@ } }, "rule_name": "Anomalous Windows Process Creation", - "sha256": "4016b72789d6fc2eccdcc5ab3c1edca49249e6204f8bf791ba691994eda2bb02", + "sha256": "b6a868ace5c50ef00fd112ef3524e676fdd5a08c109cb23b9b47a0340fce8348", "type": "machine_learning", - "version": 6 + "version": 7 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", - "sha256": "3c70d874ab15cb6c3bcaf45af91a2da0480abff53380a63ddacf190479d1d20b", + "sha256": "83f7382ba03556568e6ccdea4af57e3323b8f4d337eca24c65ecdcf0042b672e", "type": "query", - "version": 2 + "version": 4 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", - "sha256": "50c49407c691bb3554e8b8032e3e4d690e0a5628e04714428da86dd536b0143b", + "sha256": "62bc9a1a7397ad3195956c7328708fb582678451ffe3cc782b1f85979b5bdf97", "type": "eql", - "version": 5 + "version": 7 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "min_stack_version": "8.0", "rule_name": "Threat Intel Indicator Match", - "sha256": "deec30795d7a848bc2ea99f29ec0e44c0d2cf9debfb593a497c818011477c718", + "sha256": "08f8c238c50a92a88dbe751e24ae2b5cd38585ae57a0f026efa6cd46dbc395ec", "type": "threat_match", - "version": 3 + "version": 4 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "584f6799b8d5a9a6c941ab48c63d054a539546425843ab0192ff084ffcae3c0f", + "sha256": "bdca11580ed32e1bb749bd8c4a037bfce7a5a7c81e2a2ec2e00254d4dd045cd4", "type": "query", - "version": 2 + "version": 4 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", - "sha256": "4e12ac0fb84fd0825957284198b6a6419d7164c0a4bf84a19836ffe7a3839c86", + "sha256": "4f65a254b91f16846c6189e21f976f2ab319216256efef85bc787ff753867722", "type": "query", - "version": 7 + "version": 8 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": 
"e58851a94750450c6adccec2d211decb5601ef6c8fb04337f7179621fd807e28", + "sha256": "36cdee8e3178acafd49828550dd6165e96c9d6c6d363a22930ef0951f8196354", "type": "eql", - "version": 6 + "version": 7 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", - "sha256": "5afc77de9c885ae65a464091203ad5c5e282658e514751bb85fb54ec09fea3de", + "sha256": "8bd114a36716ac06730186c5119475840212339b2e9909b85c264f329ca0c1c5", "type": "query", - "version": 2 + "version": 4 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", - "sha256": "a9f964b598c41ad6f015eaff73303e9f70e8c87ce2bef2eeca17742e02ec14f5", + "sha256": "a056cd092ce3c6debccd3cea5373f808b6ff0b5cdc843880871868f589a60660", "type": "query", - "version": 5 + "version": 7 }, "0e79980b-4250-4a50-a509-69294c14e84b": { "rule_name": "MsBuild Making Network Connections", - "sha256": "0168b3528c17247ed5631843306c3123c740bbb190605452493031a938421f15", + "sha256": "040a83a4a14d69dbfba9c759b3726e57989f4b3fdbb1b9b8e4333ff9e4a37ba7", "type": "eql", - "version": 8 + "version": 9 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", @@ -253,15 +253,15 @@ "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { "min_stack_version": "7.16", "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "7d16ee5358944e8f1ffcc6a1c546c3bf938b26bcce752e118aaa63d1b5ae3633", + "sha256": "adbb844008cf9c493562c5309080461156e41dda2c575e5b11cade5ee1a4a642", "type": "threshold", - "version": 3 + "version": 5 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7", + "sha256": "a1abb66bb89a9724aa3a92789e8f5e667f5c0d2a37ba66e76aea86e582544c95", "type": "query", - "version": 1 + "version": 2 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", 
@@ -271,33 +271,33 @@ }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "rule_name": "WebProxy Settings Modification", - "sha256": "5ceeed56054e254ddd1b7d9f6d34b66810422a1b885570227b5b24b1df1f5a1c", + "sha256": "bfc1d542142473400cc94fe152f8c04cc7de3bd98303778df2b0d5a58750559e", "type": "query", - "version": 2 + "version": 3 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", - "sha256": "72179393e4eaeb676c7ddec38aa17e29cdb602ddbac0b4b4c2727b39bbbd33c4", + "sha256": "1c6c1c28f49e19d27efb32b7a0a94a862573e140b8942e8a0c45900daec5fdfc", "type": "query", - "version": 7 + "version": 8 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "c6bf0b04d83c6734da31ec49c859872b27c52b8f09ef1738038447cd4a5c95a7", + "sha256": "a15b96e8d941bb34de5bb1cb20c05f46756bd2696a7b23366a894956b4dc78d7", "type": "eql", - "version": 6 + "version": 8 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "fc2ae1c2e96c70f44fd2103a1cce06b0b4499458add7325e1677415df46f5598", + "sha256": "4a20f58f0a1db855cfb8115993b2280f23082c4ef693accd4d2ec807eb182b36", "type": "eql", - "version": 5 + "version": 7 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", - "sha256": "03dc719901ede4c776db56acbb5acf4106c348b9dd70cd6ec496d0d734175124", + "sha256": "7fb44a62a05cc90c6b10e741f676d7905d27fa4ef775cf8573fce85759058f5d", "type": "query", - "version": 1 + "version": 3 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", 
@@ -307,15 +307,15 @@ }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "afa57fcef927a0013d38733fd287cd98a22f439dcacf84a243dfea19eb9c13e7", + "sha256": "419591e43cc4c101c42c537120a98b26c5a6760abfb24f6bba8fddbd20d524fc", "type": "eql", - "version": 4 + "version": 6 }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "8ad6cbdd0db141f7bd71e7d4b28197c28f709d99d8a641eaee4b763c35a8514f", + "sha256": "e5790dc9d7d98b10575456ef8af365bf8a86f281dae6619132f654749623c1ae", "type": "query", - "version": 1 + "version": 3 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", 
@@ -325,28 +325,28 @@ }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", + "sha256": "940536e80a749051490f0501c2df3b04f015c5b179f880b8fa3b14ca6b81d485", "type": "query", - "version": 7 + "version": 8 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "d4acb2e675bb13e2f7434a310b7de904a02db375f43a3f773ba591d3c3870de8", + "sha256": "b0ee983787f62183b3667f7047688f963bc0295b3724df34227e4b3f3a78000a", "type": "eql", - "version": 4 + "version": 6 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "2fdb60cdfe201b7d1532e7d87392f0e022255c7c3e2a1ef3fa313e2fa286a9a4", + "sha256": "0defd980c5f36ab6de665344d2af0fd49f0d9df73599ea799119f808f1debef0", "type": "eql", - "version": 3 + "version": 5 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "min_stack_version": "7.16", "rule_name": "Rare User Logon", - "sha256": "f9e949d45ac4dc51bd454d12b2bd60ec23f8fe3d5ee9a15595a4663248317d73", + "sha256": "1ca465521ab62f33bd3e9430403f96bd536c8791acb2c9d6ba5840a918a6911b", "type": "machine_learning", - "version": 3 + "version": 4 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", 
@@ -356,76 +356,76 @@ }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Azure External Guest User Invitation", - "sha256": "a84027bf00f826384a1ba67bcc0f221a6ec9b4a6f53e2e48ab8f792f7363df7f", + "sha256": "fc7546672d97a31eb95f88c21f35c46b49aa5a6f04a30773542f9e78d4ab8428", "type": "query", - "version": 5 + "version": 7 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "8fb78fd8caf9f2c543f7a8496f9d8f54d2c309b521d9b3f1d1afb9174b6c6068", + "sha256": "2b983663df2e83acf552a0e23cf64c89b7d02608e47827e831a7f83301eb1157", "type": "query", - "version": 11 + "version": 12 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "min_stack_version": "8.2", "rule_name": "Kubernetes User Exec into Pod", - "sha256": "f8545df65e0a8bdd40a22f65868a004d6ad603694bc26f6e92b53ed7bcf8b345", + "sha256": "e506934f678c3a60a0d2b7da050ddd74369128da5913b624e77e5c95c4d5b254", "type": "query", - "version": 1 + "version": 3 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "babbc6287d174b837d32ddc45d7233af2a2325136cdd66ffb0cae01ff942611d", + "sha256": "27438d7546fe2773040ae8a26f1fa92ee7e93b3e006a0ab001dc3efae0168ffb", "type": "eql", - "version": 3 + "version": 4 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "37feef3c443830a3d928b7da63899f44ed20a7f945f63bb6cfc0d01b28234b50", + "sha256": "a02b14e0e4eecfb1f00811d8373dea27f41819134a1027b66d37d6cce4eb9696", "type": "query", - "version": 4 + "version": 6 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "e04dda94d308a00ea97e8f11881100e8b2be7301428d07415a022c25cd5d1c5b", + "sha256": "027f4016e7b011b1e1775524d011db0f3409297811bda118d962948325c35783", "type": "eql", - "version": 7 + "version": 9 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network 
Connection Attempt", - "sha256": "6008fb7584493ce0e46ff236746b8e3f001c7bf8fd0a758ffa6b4253a598c64a", + "sha256": "89c50a21eb51aa54d6b6fcd02889603cc2335e8413be7e14437af051b41832a5", "type": "eql", - "version": 2 + "version": 4 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "255c2d46d1242a17eb61b119f3ca491cfca8ed4f92271129b91f875b8d820350", + "sha256": "4d30bcd92cee3890828af08b85709dfb90ef7f06f512ccf556db81857f7c0f54", "type": "query", - "version": 5 + "version": 7 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "82021c6bdc0d1e0276714a56622c6195c0745e9c8d37dfa3e179111be9f3c8f7", + "sha256": "a7f56655ca25048d75974ac817ec66e5a3abf463324210d596a63fa3ccc77711", "type": "query", - "version": 2 + "version": 3 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", - "sha256": "d8a7a1b1bc8fedcd6d1ed0b5140a74ad097b382d1b33516d6dd4b476ed086ab3", + "sha256": "04c6dc1731b33bc9b5bf85e882a4a5e3be89b1e7f0a682b97b1ed306a41e214f", "type": "query", - "version": 7 + "version": 9 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", - "sha256": "0ee9bdc342cc3d58a99e130d3659a7acda929c3b0d61733635486465999c6e76", + "sha256": "c428fc531a25f1681bb3a26b13b8cf56b29d6c87093b3a8f14a7a6d49dc16219", "type": "eql", - "version": 7 + "version": 9 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "743ba4eef59cba89f8746fdb4fae26087f3ac2c969a96e7f1f072ea6618a14b5", + "sha256": "17e0c2bd35bde2a29a13b0c3601999bb1555fead5b45f0b11654ff859da8c8b6", "type": "query", - "version": 4 + "version": 6 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "8.3", 
@@ -438,9 +438,9 @@ } }, "rule_name": "Unusual Windows Username", - "sha256": "105c5254659a1c9260cb4b1bf892b9717f7b3aacc4e4e92e84e3e1e82e0ff7ae", + "sha256": "4ff3772456ed593620849ec60210de9432dc48dc30e6ac58759c92070c40b598", "type": "machine_learning", - "version": 8 + "version": 9 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "min_stack_version": "8.3", @@ -453,9 +453,9 @@ } }, "rule_name": "Unusual Windows Service", - "sha256": "2c41319a596e55048d651a8eae2fd4978d2deef380839a9e743efaac6bf9b774", + "sha256": "164e159fbb600698d662b18ae9359c3148a1081a6bc17d2a6bc676acaabf24d1", "type": "machine_learning", - "version": 5 + "version": 6 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "min_stack_version": "8.3", @@ -468,9 +468,9 @@ } }, "rule_name": "Suspicious Powershell Script", - "sha256": "0d37e6a1f9ff04f0c8199abc65da52e5641856efcf15b181b8c3fc39f6b8db5e", + "sha256": "f391b377170a1ff78b69d38c51f88b3746b56c3f672c50633c7a15efdbd08189", "type": "machine_learning", - "version": 5 + "version": 6 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "min_stack_version": "8.3", @@ -483,9 +483,9 @@ } }, "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "5664ad8db9671b02df9d85cc1137599f55f4d866702a8b557c998d278560bb7d", + "sha256": "b0f0bfe4c78d832bb5811386e701a34ba46596b0776b4aae77c5bbcee7c7d695", "type": "machine_learning", - "version": 5 + "version": 6 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "min_stack_version": "8.3", 
@@ -498,27 +498,27 @@ } }, "rule_name": "Unusual Windows Remote User", - "sha256": "f4c5891de1f968b77020f063af4f068994f9578e6d31dd8f6bdbe6f62fecf7d3", + "sha256": "5f17ac4c3cc60c4fdb00b1cd7c052c3049cf46e7c37ea0b168f2a7890ec5addb", "type": "machine_learning", - "version": 6 + "version": 7 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Suspicious Execution - Short Program Name", - "sha256": "175f6548b5de9b9d17a9a0a1cdab3cc6acaac6de7ed04ce578c3ea023a8d891a", + "sha256": "9c56eb08edee71a521ee52baf69072ff53349fc9ec9ec682b40c44adeb085f05", "type": "eql", - "version": 4 + "version": 6 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "rule_name": "Unusual Network Destination Domain Name", - "sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab", + "sha256": "7d83394fe2a874ebcd9fb9ca2b850058b329d201c17c88c56bc8c01ec312653a", "type": "machine_learning", - "version": 4 + "version": 5 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", - "sha256": "545191239ffa25aad0736095596c8b1da4fe02b5853b7d098de97c66a389724f", + "sha256": "c3b65c31e31ae91f1b6ea2cde2a0b721a2bf5441f073847c72a6ce11c0c3d069", "type": "query", - "version": 5 + "version": 7 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", 
@@ -528,93 +528,93 @@ }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", - "sha256": "59b061c54de834d4f8b093978bf45f2114bed02645ac3a05df8c21d94d0e692a", + "sha256": "13aa07e4133cb020c45be1acdd0b8e1372068e62562260328b75f771e47117e1", "type": "machine_learning", - "version": 7 + "version": 9 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Azure Application Credential Modification", - "sha256": "6131c83a1cf59205fdd118cb16590961e705919f52e11aaf09b0c00bafc02db5", + "sha256": "27e3867bddb2721722cd88212ca83fa215599638a87132d122efd4a0234f61b7", "type": "query", - "version": 4 + "version": 6 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", - "sha256": "9f3f95028badc6eb4343d13638ad0780a013387a6677d2e415b451e293bece33", + "sha256": "44257ec40965e6ab0a48e4394db0bff1ea0ef3f7d5d3b41bb5d0fa409457be82", "type": "eql", - "version": 2 + "version": 4 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "0cc28de03b95bd0c74e9d341f45454944363883a447d9c6f9a48eeb1451611c2", + "sha256": "6187bbb88ef83adc4d3fcbbbb48f7b222116c03b64e1208ffa19e186d80003ab", "type": "query", - "version": 6 + "version": 8 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", - "sha256": "645486ddfa80dd7712def7d98a7095ec46e5307b181819b66c70f890f32ec756", + "sha256": "ce771b5fe692673c9406f8817adb67945f35fca9271439cd07325d772d3781eb", "type": "eql", - "version": 11 + "version": 13 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", - "sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4", + "sha256": "75c7280b4e96dec3da01270b1605656b1b566c914736d730a68aa1697c57d408", "type": "eql", - "version": 6 + "version": 7 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": 
"3a5d842001943ed5db6ed5374d80c132f413d534608f6ddaddc2ea66b39ac2ff", + "sha256": "8d4cc52b957bfdb3a6c846fc54c5652ce8164a6ee9d6a89dbcd785d221b9bbae", "type": "query", - "version": 2 + "version": 4 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "0e87841dc0e6587203b2e298d78fa79c2d4f1aaff4b20d4407ef3c04734ae5ce", + "sha256": "6d28212f584655ebdf16b8a1227664c6520d759f381994b5e76d0465b1eeac00", "type": "query", - "version": 5 + "version": 7 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "rule_name": "Azure Kubernetes Rolebindings Created", - "sha256": "0edd2adb2012b1367353ef756b0ec88867a5ed19d5dc243f991845cf5b9d9e2a", + "sha256": "fb2506a7553a68004f7906317b152c1834b9e71fd638f99e54be6547512c14ce", "type": "query", - "version": 1 + "version": 3 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "668b31747084485dad1344c6ae9695fbb86ac6b3c11bc427b08cce2b1e9cf791", + "sha256": "56c7c664e2231aae0f28ffeaebfd255b0ccd630664c396f8b269c2922e5eda24", "type": "eql", - "version": 4 + "version": 5 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", - "sha256": "85ae33aa6ea9da5d75b1566ea17607b7675b777fa6a3bbea99899cee587b85e5", + "sha256": "5c856b88cd99da9cc3234fbb92474ade21790debb6b3f9cea3084dfbab5ac401", "type": "eql", - "version": 5 + "version": 6 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "fe0775b9258ab492e0ec9b626336cb0565ace7438e7a9c9c817aed1feab9bb81", + "sha256": "ea63c66850ece824dfa17beeac377c983725434b3a238dc3f1cdd08163cc64e6", "type": "eql", - "version": 8 + "version": 9 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "ed8663447000841656eeb2b4364396acf094b353b6ec07cb28048c63c372c2a3", + "sha256": 
"5131fde7ee1d9a7ab0bf8e5af795722e91d8700dcad6afbc10007bc8518bc09f", "type": "eql", - "version": 7 + "version": 9 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "f12a62cb3e7043b37dd8cc3bffbfdeb5a191ac0e33d733d4644b245ac3c8d252", + "sha256": "fba0eaa1fc953b4e7364f5c98fc3c215c1d57826f355a11a2caa45bc09408a23", "type": "eql", - "version": 5 + "version": 6 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "713e83e5cc4759b596713bad5c8b20ca123335d567bb2fe189ba8f139cd87b0f", + "sha256": "65d6c2074ed96c11a1a7eb5855eca328f8ec420fba30b02af0970affe953ecd2", "type": "query", - "version": 5 + "version": 7 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "min_stack_version": "8.3", @@ -627,9 +627,9 @@ } }, "rule_name": "Unusual Sudo Activity", - "sha256": "9d82b230918f0db964b2f2e07fca49ec284c7105c28d58018a4d322e5893bca0", + "sha256": "c6be4060bf372fb218bfcbc987431db527d1d404de0c0226220b5b0e89eedde3", "type": "machine_learning", - "version": 3 + "version": 4 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "8.3", 
@@ -642,147 +642,153 @@ } }, "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "9d8ae15ea65c8d17c2ecc6ec2ec2b8a199580d92201179792f91b8e3961b9148", + "sha256": "592c1d324791092c35408fd96fb03480164f1a163f0ba7868b45fee8bd8f3fab", "type": "machine_learning", - "version": 4 + "version": 5 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "db699aa748d2368754bd1425dd417d14af479b9812bd1bd1b30fcfdaa28a8a59", + "sha256": "a25a6cfa7841ba61409e38f3cc4451de3b533cb44ae51b026ff5e2cd75fd893e", "type": "eql", - "version": 2 + "version": 3 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "f2122f6b1acdab49ad7f6bfc06655f446578271776fd3cf5b24413d055341f10", + "sha256": "263ec2e81aee7854f4c48de271ae8664a07a70f98565f8c4832ee72a69be3c1b", "type": "query", - "version": 7 + "version": 8 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "rule_name": "Suspicious .NET Code Compilation", - "sha256": "5a208a45a3c9ddd1f06e0a5cab66e7ae07fc7cbc3aa0543f5241fefc9908a3e2", + "sha256": "97dc8e7e9d6f7c4863906556b2bf8afa6d1deb8b3274c2f5345b42fd092752ed", "type": "eql", - "version": 6 + "version": 8 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "rule_name": "Creation or Modification of Root Certificate", - "sha256": "be7ec65d2c7f90cd999aea89e4fdbc01e3b0e56926c2d3e7c6ac23b8daf8afba", + "sha256": "68779756c120c0580947cdc8b8dcadcfeeed29dd753ae01e6f72dd8efac2dbfe", "type": "eql", - "version": 2 + "version": 4 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "927ea25a70453624aa091c7fbb432f35923391e79036d62806e4d9aef78dc909", + "sha256": "f4a7ad3abcfc2f6cb892997349ed218d525c3c7946886cda699b52de3a23cffb", "type": "query", - "version": 1 + "version": 3 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Access of Stored Browser Credentials", - "sha256": 
"ffc126e733d39439f6dbf4169c174fa3d69e58fd8e75c9124c8b2e5a19832d2e", + "sha256": "4553f2e574d2cf169f0502ac6fae657d3fe0152795d60d41e6574381c8489823", "type": "eql", - "version": 2 + "version": 4 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "d73d4137d9648a5df1eaf5056df15b41eeb90de8072f4b35326de8d286d78330", + "sha256": "382d58e6dfe06d1311617f60fd4a251a23cbb5d63ada9943fb89552b5f26411e", "type": "eql", - "version": 2 + "version": 4 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", - "sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37", + "sha256": "8115d21dd456ce86386f8c16c107d5ec2a16816f39196cba3c2eecc8e66ceccd", "type": "query", - "version": 1 + "version": 2 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Modification", - "sha256": "422509485dcdfc86588db158efa6b71aa506a3a040879ef9d58ff360d9254116", + "sha256": "f4a814e58f6a670a3e9710e4019205d89ecef4e9d52ebd79f3f48f11f34589b6", "type": "query", - "version": 2 + "version": 3 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "SUNBURST Command and Control Activity", - "sha256": "4f224e42287dded2b371f213fd94adea7581f4ea593ef8efe14731814f32b26e", + "sha256": "d33d74f0f5ed0b09a671003ee7a1672cf041ce88e69b9ca69e539dc48869e839", "type": "eql", - "version": 6 + "version": 7 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "75a57f1c9430b9bdb9d55f9a4fff16d0dc5f6d7ac51ae2012e3afa5bce80cb1f", + "sha256": "9e73a7046fc7dc4206001185a63b7f5a2bf9a30e8c0c6328439ae5cec68009bc", "type": "query", - "version": 6 + "version": 8 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", - "sha256": "20778cf6abac89fc8fe2c2a7c71dcd89074aa9da95a0c2bc14d9fd694fc7b9f4", + "sha256": "a1948b5ae91fea4ce3a8c7a0b863a08c5e59ad5e656cc0af0b18d372c8954cf7", "type": "query", - "version": 9 + "version": 10 
}, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "bb8096354dce3087fc76625206e23fdf959a562504690ddde6c4e4e937092ce0", + "sha256": "8b75a7b4ea44a044d29bb5f99ac806eb87220d4428b3a19202080570e3ce6a12", "type": "query", - "version": 5 + "version": 7 + }, + "2339f03c-f53f-40fa-834b-40c5983fc41f": { + "rule_name": "Kernel module load via insmod", + "sha256": "00034358a863e1b9dc7532f056419e3c240ddd0e1349c00956bb2dbdeb11fc8e", + "type": "eql", + "version": 2 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "rule_name": "Lateral Movement via Startup Folder", - "sha256": "d530ac665a15face07297369f65e4960527454f70a5d5791eead92fc7a3d5dd0", + "sha256": "d39c2a96bfe8caf70ca04a61df5a64e8e356b7fff3a209d8f261011fb644a800", "type": "eql", - "version": 4 + "version": 6 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", - "sha256": "64a8b7c2b0532a18d1e94f963c74136c3cdf97ace12540d5e9daf5af4455fc14", + "sha256": "03d60a42b218a3425b1c8a279e97ea42c136cc926a108dd31ad63859fc6709b7", "type": "query", - "version": 5 + "version": 7 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "d46cdb1b26cedd1fb2fc7f785592b4facad3b2d931dbf2b66122946f01a21e31", + "sha256": "be2db230463885d98a8ad9898feb2627ca08c7e087a688f7416571d380464b46", "type": "eql", - "version": 5 + "version": 7 }, "26edba02-6979-4bce-920a-70b080a7be81": { "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", - "sha256": "fec04f92c2b0f57675047b2adea17e89769476a9e131eb9ce8330f4e46399d8c", + "sha256": "75b4f206516f9b67a6dc144245d79607c2c6034f644cb9b56e836bf73566a7b0", "type": "query", - "version": 1 + "version": 3 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "7600e66c79a7e595f82b2a9de4fe4ad3627b99577a2ddc803bea6675f6979854", + "sha256": 
"ac0f55226d2cfbb0f5059695146058edfdbe1f75b8de385ec1256ad516d64e27", "type": "threshold", - "version": 7 + "version": 9 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "b0561460404e467a6624cb6966703895e888d6dfa8ff1700ff3a94fcfde9c5c5", + "sha256": "f31adb3fa3094ba723d71b7fabaf76ebafb34b29cbaa17bc9da44aed04748716", "type": "query", - "version": 5 + "version": 7 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "089d0ecdbcb613691dc9e414c064213c63e11df6eac4880f3ee5199aa9072446", + "sha256": "a452d8013223170883e9dfe54e40a70f096c56809ee6f00b4b3b3bed88923cea", "type": "eql", - "version": 5 + "version": 6 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", - "sha256": "1d74ec0969839420f2e03143d2b535768a053e2d0107ef6ca49719cfe92adb03", + "sha256": "b6c23f7521d7d4662d605fe4a8321928530806195c5a705d7762e1a123d8eab0", "type": "query", - "version": 5 + "version": 7 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "2128fba8e36ba35ec3b5e45def2d5ec1cef564aff7859deaa5891a458edd7576", + "sha256": "a99cdb39ee38891fe4bfc8dda8b5a46b99bec7c9aa68e8d1c860d44bb4e683a4", "type": "query", - "version": 5 + "version": 7 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", - "sha256": "af7d9df7a1ecbd1fd0521df43976373d7efb60df9227a6402552425ce3b3d97e", + "sha256": "9925de722df210b8b76e7626bf00bb340d6c2a06e53487a0ce0837bbcdce6476", "type": "eql", - "version": 3 + "version": 4 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "7.16", 
@@ -795,202 +801,202 @@ } }, "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "cd977e5eda4ca92edd601f5de221d9d26603820e531f8c5670fb3014d62385fc", + "sha256": "e8ae7f22635132da7b5bf3533b25a8dc4f4f40bf2f7211baf9eeafdade399681", "type": "eql", - "version": 12 + "version": 14 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "148f9ae24ebe6ecc8e536ef7c3a01267783438c802cd162447623fe2a303902e", + "sha256": "5f8c991fc80355641f7da3804551fa38f93985d850c0f7ac004b3d7ba38fe3f5", "type": "query", - "version": 7 + "version": 8 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", - "sha256": "1d856f4066095970388744bc7a5129d5bab0782175c24645216ab39908f5c34c", + "sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79", "type": "eql", - "version": 6 + "version": 8 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "cb592ba956c6a56693208fd5686ae1c03bb60011a352ae21944ffd7a23fa4336", + "sha256": "44131e75b2ffdd9b9397fa03a42e494a40e02d5dfb16fbae205211f908f918ca", "type": "query", - "version": 4 + "version": 6 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "2a58bf53b9f99f85fa184a7d00f64256623d20f43f4005b9a30cc242d826d6ce", + "sha256": "5b7f062c1061acd1a547bdee2cd186b6c4acac8a77399a78a2a0a7b8e3ec81dc", "type": "eql", - "version": 5 + "version": 7 }, "2917d495-59bd-4250-b395-c29409b76086": { "rule_name": "Webshell Detection: Script Process Child of Common Web Processes", - "sha256": "d2e259962ac2b93ee1362e4906165fc59b3e10e810d2ac53c3f0f32e52295c90", + "sha256": "8cc89a2f3954e9a94d134551b2c7e35824ddb4b0953aec193a7ccde465ac6c28", "type": "eql", - "version": 4 + "version": 6 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": 
"60ef1293f83074accd18d8bb8d9ec092840a776b301017bf38daca992135547b", + "sha256": "d5aab2a52f1bc26129c172afaa1fd1b1e4cc8bd5f54f140f617385c765cd7f37", "type": "eql", - "version": 4 + "version": 6 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Adobe Hijack Persistence", - "sha256": "c6bbcabb66a2baaca5c8d09a361af561231f5180ca801d7f91f31e9e770b8cc9", + "sha256": "5a2f33680f5d3113713dd626971011549b97cc2b4350b07969eb59c02e9ee152", "type": "eql", - "version": 11 + "version": 13 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "d2d855c5d81207069a66dfe43aae45b4431bc671049e13b2b1c79444d9d9b2d3", + "sha256": "088e485e3d1aeb759eb92a66555505e50734785025cc47355e17829f84d82169", "type": "eql", - "version": 8 + "version": 10 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "9cd1a4f9702a99116e02df6ad072dcad54e2340114f686fcc0e4e6cfad2b80eb", + "sha256": "f9e846a69050133887912df81e141b97faa455c9fb68a2e604b6764abb1bbc8d", "type": "eql", - "version": 1 + "version": 3 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", - "sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b", + "sha256": "03683b876a96a5fe0dd98bb1c35c92bcdae7b8a549404c7c78008beb2242f655", "type": "query", - "version": 6 + "version": 7 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "2a81449e1515fb56c82b0a45f0ae80c75614b0ccbc7854c01b59364ca98f9559", + "sha256": "15489abed565f385ccc3c13419da55555decde42b0c237d07b1c432bc438d62b", "type": "eql", - "version": 3 + "version": 5 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "83edd5ea4f7c27a4c4dbe143e79f097c6974e9b6641a6c4e7ad6cc709c75d4ca", + "sha256": "f7a65f1894ac1a55789336933ef7b59790e6d9bb6f56a8a3cb1a0cced4a7ecef", 
"type": "threshold", - "version": 4 + "version": 6 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "ba5f90755135bf439d352a2dfda0a6457b196807dd95e11b1de481359f11d022", + "sha256": "5c32cbb481613e7aaa4f329f37af1c5f6e0b9085744a72a79a6cdc7ab4d208eb", "type": "eql", - "version": 6 + "version": 8 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential Process Injection via PowerShell", - "sha256": "c9bfee8980152e41d3e2c0d9102a76838b7aec7da2cbce098861f35dc303bdde", + "sha256": "309aecd37f11dd3b2be99b60a7cdd396aa3fe063de5b5661080c78eb6431c22b", "type": "query", - "version": 5 + "version": 7 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954", + "sha256": "a4941554ac460c2671018ed946fed7b822821d7d491e0454b59d81e4cc962182", "type": "query", - "version": 6 + "version": 7 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "rule_name": "Creation of a Hidden Local User Account", - "sha256": "6b354d3e0d2bde85f3f9059cb9b068f2ffcacdf5d19bb374e576b325e143444b", + "sha256": "b1bc45715ad3f67d0873f1022390ee9e80f1d55f616dea411a2a50739a1e271d", "type": "eql", - "version": 4 + "version": 6 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", - "sha256": "db6cd2a29bf48936d744aa3859daa68606c4d83a43bf252be9930a0fabb253e3", + "sha256": "f78557a14b4f64fd1ff4c7fce4917302b71f9ca134540901b84a0f427e2c74be", "type": "query", - "version": 2 + "version": 4 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "defedccb891832b93199ced00f6f614d48838f61bb610b44e3f56464c7115485", + "sha256": "8c3c41ca109dd2dea80139090de9ce09e5fae9f0a5e0318894115d944a8dd281", "type": "query", - "version": 6 + "version": 8 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable 
Syslog Service", - "sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6", + "sha256": "3007982e48712f1a2dce9b7569e767c68d4325b6964c8ecb84df17d31245deb0", "type": "query", - "version": 7 + "version": 8 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "146671f078cb7b638967dfe4e5f0891222dd0b9aee2dae7c5e0783145dd09e95", + "sha256": "6003ad2de2c3be0333fdecb27c68927ee1d9b1643d51c2bc8a074eb92b79b4d8", "type": "eql", - "version": 4 + "version": 5 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "e47f79c39c992cb1760ddcadb3faa9fe9b31980089d5509249a9632ec964c4e7", + "sha256": "20558f1e83c887e42704b28339c343260a72fe04e8124791bb9d47a5628f6632", "type": "eql", - "version": 6 + "version": 8 }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", - "sha256": "33b768a4456770f5a2eb024ab81e723b4ed3a53b57ebcea0b5130fc245fd6b85", + "sha256": "d90530c9ae74cf0f103fc3ba8c3adebc2ce808a12babe73eb0e1d524c9df69a6", "type": "query", - "version": 5 + "version": 7 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "min_stack_version": "7.16", "rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "d067277b6d08d5e3fe395beecf2eb4a88a5ca6ae5691b52a1d334bae5e23661e", + "sha256": "10c613afa51415b16d20d908959aff6312558e02c66d990e5bed76cd9736396f", "type": "query", - "version": 3 + "version": 4 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "c30b4dbb58d32a0f0bb0e4cd56091741708bc6a1a3532af6bf2bf17b00a21861", + "sha256": "d97e88fc65ade898c7a2c2cce7ed1f75ef6c88bf3f95b36c17273a4f5886e5ca", "type": "query", - "version": 5 + "version": 7 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", - "sha256": "c6a4927641d1eb10338c2323c4b715e7290427ba2c1c757e5184a711e1f8b0a1", + "sha256": 
"38f7e4435a8c27a2e920b4c1a72c7cf098f1e9bddd5d813b5c0ca67c9f97464d", "type": "eql", - "version": 10 + "version": 12 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "a1de315cc54aa0aaf8d5b2db8091cf72a7f1ff49d92e382fb790fec77a936ab5", + "sha256": "032fa8c41a3aebb176ecc96c64f43a85b94037779ae108772d2c63d77abce433", "type": "query", - "version": 6 + "version": 8 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure Network Watcher Deletion", - "sha256": "d42fae44d101f779758e4abaaac8cca749d7db643f3b825cdd3787e5c6a81355", + "sha256": "500ab53e848428facf3907e3a4e9be80eebdc22125896e911be7bd9e42b450bf", "type": "query", - "version": 6 + "version": 8 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "a24945bab294eaacfcf22ab684f83b21b48698fc1861f44d1ac9c1c11fc23181", + "sha256": "6e1b6cf51240cf453c37dad7191ec4cdc1fb33672d8965a73e4a0bfd65b82ec0", "type": "query", - "version": 11 + "version": 12 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", - "sha256": "1b6859e051349833d0808b47b07b5014ffc8e66ecb47ed161ba08ce5df0dd9bf", + "sha256": "5385a0f0781bc406c13e7ece8fa9d16b8c126277b4b7b7e32401885937073810", "type": "eql", - "version": 7 + "version": 9 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "d85e57d19e0378c8644514aaf68c5dfa7f02b70d17773d63aaf76346e5255637", + "sha256": "24029f0d193a2cf015820095d04f38db8e7689d9fd80bb54736635ae3d8c4a5b", "type": "eql", - "version": 10 + "version": 12 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", - "sha256": "6e01c88d75910af821e1f30d5bd7080c279e17c8283814a231ace540228449b0", + "sha256": "f0cc2f906a81f5d80cf206b5df458f41ab5a6ddfa5d63a0cf8eb5f8a77ef3c63", "type": "query", - "version": 6 + "version": 8 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File 
Download via PowerShell", - "sha256": "ce6834d9dafd66f45445b3fb0a4245eed24500579f2af85682e5e6571a13435e", + "sha256": "63f6a17ee37cbf0d7bd188377c4f6494d67a69c54f526dc1ca286046050c1ef0", "type": "eql", - "version": 5 + "version": 6 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "min_stack_version": "8.2", 
@@ -1003,63 +1009,63 @@ } }, "rule_name": "Telnet Port Activity", - "sha256": "b0bdfa73639226fb83eadc0303ad1801e0707743f96a36209aa58228d3bf6a89", + "sha256": "51ac5d0b9e729adae08b0ac327ccba30881f6e1f4f2922f64df9fb2e88c9575c", "type": "query", - "version": 12 + "version": 13 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "244d04452b6c549e3bdb8a09990c159076e5b753b56ecd32209f2812d411b7f0", + "sha256": "c02355a58778b3164e47eb2fe4dcca11c95bd0b4829fc967ca23e910651ee41b", "type": "query", - "version": 1 + "version": 2 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", - "sha256": "74a0d255adb25d4827e203c7fa3922f546450ed3a707bdd96ce667237adfe184", + "sha256": "067954b553c6a6a033472967c413ffe2baf2f1984a4c5f66b32378fd025b061c", "type": "eql", - "version": 7 + "version": 9 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", - "sha256": "5859d5a881eb68e584134cc1d2fc316ed5d0035510e0980461ec44f4572a6948", + "sha256": "af8852b1023601234ff897b8f5d1eeb58d02cb81ee32f46547b91478cddbba5d", "type": "eql", - "version": 11 + "version": 13 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a", + "sha256": "c62d5ce8c4fc09527a7d886368a1fab985bbaaf58798e69bd88bc3c07b619284", "type": "machine_learning", - "version": 2 + "version": 3 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", - "sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3", + "sha256": "1df2fc19b40b3789db427c13196b5b765717e8090f2484cd58b95ccbb46c23b3", "type": "eql", - "version": 1 + "version": 2 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", - "sha256": 
"fb229621998495e7b0380c1bc096587e6dd9344371b3f2be0cfc6c4dcca4c3d8", + "sha256": "e8ea41815ee4f0e3001c542877739a0c31993fd8f340a30c227e83e1227a5b44", "type": "eql", - "version": 1 + "version": 2 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee", + "sha256": "ac78614bd3094562a1560a2ade267a06ee2169a3a4863bcd4b011c3b3ce89fb5", "type": "eql", - "version": 4 + "version": 5 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "AWS RDS Security Group Creation", - "sha256": "e0b50ed0cc754b83365d57fc0892ad795403b066b1f2b6e833f37723a3286e70", + "sha256": "4a268f078885f9bf65a072faf8d569aa95ce66ec5fea92fd80762160f8a045e3", "type": "query", - "version": 3 + "version": 5 }, "37994bca-0611-4500-ab67-5588afe73b77": { "rule_name": "Azure Active Directory High Risk Sign-in", - "sha256": "99138316d123f1f89b859dc2d11724e221fae9034c71a86aba2aa96d8e624e6b", + "sha256": "fc7fe22a883eb10e0a87f1d7b47eb949e0ce5873fec61ebf37171baa66867f7b", "type": "query", - "version": 3 + "version": 5 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", 
@@ -1069,57 +1075,57 @@ }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS Execution via System Manager", - "sha256": "ebfabf467dd8b14fa28c54259c168a98dc165de8bb93fd13dcc4354ef9029c5e", + "sha256": "e30aaa6ef219b4fe0519decd2f076f981fdae6f6703d1062ac5a86aa15cbec30", "type": "query", - "version": 6 + "version": 8 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "a7fca8f1cc9b8a710918f015f9d0cf42440b5e0f288c3b84009f0a8e12096ee1", + "sha256": "efc1781240e65e524625cc68984e802b5a8ef97c2dd150b7744be336c301abae", "type": "eql", - "version": 2 + "version": 3 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "5abfe9116b4ccb7e1143f2bcfa466f9280f7d3fe2ed2a632087c756dd44d65c2", + "sha256": "45bc3df7e2c2b5499ca87df6348236d516c14da7ea1db2822816b857e441e0a9", "type": "query", - "version": 6 + "version": 8 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", - "sha256": "502aac930269b1cc74ee8f1300a827ff81280b9d466ed2a3b56623b4c9f89749", + "sha256": "9f96ba1fb17fd7108f6939e5e1bc860a0cfb33655b1bdef137f2da6178a7a156", "type": "eql", - "version": 8 + "version": 9 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "bd79d8b437afbae1a4d585ab89ef30e0f2d80ef4d3307a3722dbfead823ac349", + "sha256": "7e4e0d093d72157a60ebe588dea5f0e2bb25ab83834a0b02dd15fc010edb4096", "type": "eql", - "version": 4 + "version": 6 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "User Added as Owner for Azure Service Principal", - "sha256": "9844bec52014f739123ed6e75296b8ada4c863b14872750ececb4c8f3a939c69", + "sha256": "ef5a0e68efd70c0a8b9a31f9ddc3b3c0422ee69dcbe35e3c6107e57b357d908c", "type": "query", - "version": 5 + "version": 7 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": 
"0e1cb80e58a1861ea1f891e1daf7b671e106f90d3d75fddb64c368b2dedf709a", + "sha256": "4da99ebf60dc0cd9177062df1130e8554f915b88bba2c1727abae432a4fbf765", "type": "query", - "version": 7 + "version": 9 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "befc279182fbd32a457ae9627ae90f59b1a2a9a5e33c12066b6412ee7583754b", + "sha256": "9e863b4c0ef5e0a4b580beca53c9f874fa881da45e1bcb5072b9a9c32a0583f9", "type": "eql", - "version": 4 + "version": 6 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "a242912740790ad096664c63b49e11e932516bbf3e5a54b0b58a023d4c426a48", + "sha256": "e8d5b9ae224dcfc8a91f31fa09aaa10122e856cd35facf81a2d70027ff2b00e2", "type": "threshold", - "version": 5 + "version": 6 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", 
@@ -1129,33 +1135,33 @@ }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "c4676a3d068513cb10f5aa0250eff137b1a106243c2fcd7d9b1d6297c293ed1c", + "sha256": "bde58cd0b520e18ffcf878245612b971304555cd5cf8ebd760f85f88f56d7843", "type": "query", - "version": 11 + "version": 12 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "rule_name": "Azure Full Network Packet Capture Detected", - "sha256": "78613742979e36a993f52ef1a7a4fb1de7e286ed4c5e52fe24eac7726f4173e8", + "sha256": "fbe045e7a873877010ee215add3c43341b4ea96b869c3037b5b47702a918632e", "type": "query", - "version": 1 + "version": 3 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", - "sha256": "008ca865a5c7a86ce57350c20eed12f164ec20344bf2ac5aa30ba2ac6569884c", + "sha256": "c68b4300522aeae03fc3516d2d25931b932ecde33cb71de6e93d31c77490ef3d", "type": "query", - "version": 7 + "version": 8 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "cc5fb7c79b4d4525210f19056a7405a458bf6998dbc99299d69d423137d00584", + "sha256": "1c2f64afb040fbda999b1925ab0ee45c9d59b73d38ac1619be8afbe85553a818", "type": "eql", - "version": 5 + "version": 7 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", - "sha256": "f3503ed14107c41e7fa5c92e89d8e93113e9056c32e25f5b29337cc7c3d718ed", + "sha256": "0f1389e561dd415dbf6768875f965cdaa2645f07949d8f62f18e5e4f722468cd", "type": "eql", - "version": 6 + "version": 8 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "min_stack_version": "8.3", 
@@ -1168,82 +1174,82 @@ } }, "rule_name": "Unusual Linux Network Port Activity", - "sha256": "1000f8d810e8053e982148bf3c89a01161b070ee8107e63e90cf68a25bb11a6f", + "sha256": "f37805a000dc96e47e4b4385c6179893e1a112ff14ad12102a0d676e9a884a0c", "type": "machine_learning", - "version": 6 + "version": 7 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", - "sha256": "f97ef2cca95b757b6bf71ab8a99259fc96ac07fc4ec00fa81cdd6e64ef085337", + "sha256": "5c953f2738e5a4bb145eb6d9c2064e876af9ae5a172452b5354378d3b38d28ae", "type": "query", - "version": 6 + "version": 8 }, "3e3d15c6-1509-479a-b125-21718372157e": { "rule_name": "Suspicious Emond Child Process", - "sha256": "60ad0bc321eee4f3d4d9a5346985b65aa95105034d55525170670faa700a9663", + "sha256": "819375f19b32e2e448e4a6d6c790da158e547f395e990731f98ac61df0932c8a", "type": "eql", - "version": 1 + "version": 2 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "42081d103e3e0fc244d8e58fbcfb72f60fb5b2e60fac1b1ad77390c8451beb36", + "sha256": "5bcacdc2a7f872a967066f3497b12c82638bc3a659a27706adbff5cc5783eafc", "type": "eql", - "version": 4 + "version": 6 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "6e0372691f118774060de24fc117cc20e67cf0817806e2e53c698086a22e1954", + "sha256": "c992445902a380f67b598d21781ce1586e39a241bcb7d63148e53866a9d84375", "type": "eql", - "version": 2 + "version": 3 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "871acb6cd0c6fd18c41a2f2c3e4aa03f34aa9136368fd7ed7a2096e62638fc5d", + "sha256": "54a444395e530f3da53ecea232b29da0af823c473035107c81c556e7e9308245", "type": "threshold", - "version": 6 + "version": 8 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "min_stack_version": "7.16", "rule_name": "CyberArk Privileged Access Security Error", - "sha256": 
"420e91f52a8fb273a099a96a3b3e8beb4c682a608f9ce67d763b32fa803a83dd", + "sha256": "671137a617f68347a5b72e2023df5d1d5b64d11c043b740ba98312e116007241", "type": "query", - "version": 1 + "version": 3 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "c61ffabbae249e561269fad5df75cc976195371c3f9e90b6a3a044a95dce6e69", + "sha256": "f9cb2a6bff7599b3637a0e303bfd30d0905e9b1052f453d9540c483187d324ed", "type": "eql", - "version": 1 + "version": 2 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", - "sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01", + "sha256": "148105c8e3a9db85c29adf3f477245aa6162c8b71b330ca7533cee54cf8653a2", "type": "eql", - "version": 5 + "version": 6 }, "416697ae-e468-4093-a93d-59661fa619ec": { "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "42ae4663f4215c85784c7982dc137384838e9523f06f940f285a75320e74d9f8", + "sha256": "05fd01087a49917cecf35c1706a313071a62ac86786521dcd0b815f9389e5638", "type": "eql", - "version": 3 + "version": 5 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", - "sha256": "49fca84019de306b693f25ee758a76113137f7f37277ac183c412540bf7dab04", + "sha256": "ab55fccbbe1487dca0375f6d5d8d2915d0f8dd0abc3711082bd5f7ab4401db87", "type": "query", - "version": 1 + "version": 2 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "e37a197e231dd5c778e7e2eba8094aeb962e5ce1fd3f101370d7c0dbc2a24ff4", + "sha256": "3a997b22b42280486c04c40ba96145e2c6142071ea7c4bdbf15093b798c3a5ca", "type": "query", - "version": 1 + "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "b3f891727a031658802366c46aa16b0456d98a653e97f0873ad9203e4a88005d", + "sha256": "9ce61e7735cdc99c6a56ed6d6dce9df66f19c2ae510238fe708c313dd25ff10c", 
"type": "threshold", - "version": 5 + "version": 7 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "min_stack_version": "8.3", @@ -1256,21 +1262,21 @@ } }, "rule_name": "Unusual Login Activity", - "sha256": "eab6fce106f2399bd04eff3ebfcd91a9adec38c91c2edcd421d663be4f085033", + "sha256": "eac541efce139cca456ca8646b0afe95bc428b04104cda8090ba31320a875e42", "type": "machine_learning", - "version": 5 + "version": 6 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", - "sha256": "e4e4fed016f2f7f95e0547e9880feb0a83a077b476bc20dd27ac1cd3a58b577d", + "sha256": "56755b194b100eeda470eb0855c654fe20b327e1b99fdbecaa104209728e5b4b", "type": "query", - "version": 7 + "version": 8 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "16e1633c1d492f6fd2fba6cb5bb83e1c8f23bb316938e3a4e4492a8a36497cf3", + "sha256": "618ba466fd4613c40dac45fb5cae32a15e17dee64a222afcc72e6188f29f04d5", "type": "eql", - "version": 5 + "version": 7 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "8.3", 
@@ -1283,48 +1289,48 @@
 }
 },
 "rule_name": "Unusual Windows Path Activity",
- "sha256": "6b7fa6eca7dbe6e2c1cab5f8f4fe85e211b7623bef22ff21fb4bc24dbe510a33",
+ "sha256": "372240447840d072e6b5b18657334c8e04027fa58e2f4b849aa033779574b938",
 "type": "machine_learning",
- "version": 6
+ "version": 7
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "rule_name": "Permission Theft - Prevented - Elastic Endgame",
- "sha256": "ca60e2e85601f7d1db4c009cc581db67e2f3e9ecae3df43a4713b067f9c9a6fb",
+ "sha256": "198d6e6e114532535f825fce752586bc5a7c522149e5b3d6d2db88c409058b28",
 "type": "query",
- "version": 7
+ "version": 8
 },
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "rule_name": "Windows Event Logs Cleared",
- "sha256": "7485e3272dcc60566ca499afce5cf1f87ab84c039d427a4ed6a522fd0a7d1bc0",
+ "sha256": "851e423813f44b73b33848927aea154be22e62daf4ecdd3379a6879149a06908",
 "type": "query",
- "version": 4
+ "version": 5
 },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "rule_name": "Encrypting Files with WinRar or 7z",
- "sha256": "028d53e4e609b25d1ba9184b3d064ba5709b11efcceba3b499220feb503b07d7",
+ "sha256": "cb63bfb0c61803088becb44b9c3f8f1bc73e2260f0eea157a700f69a7437295d",
 "type": "eql",
- "version": 6
+ "version": 8
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "min_stack_version": "8.2",
 "previous": {
 "7.16": {
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "0c8c7cbbc5634f75e64baccadab65dea2d7b617c6529b847c00105cadd6b1770",
+ "sha256": "e42e40c2baa181d6c3f51c29b3ad19394bba3709da075d2c61d17bf16d393bb9",
 "type": "eql",
- "version": 12
+ "version": 13
 }
 },
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "9adc15a3acfef979ec710bc2303ef945a4a40f8ccb39a054838b4eaa6a3ac0b9",
+ "sha256": "c69087be2366174103a5ac765084b05b5947745b58ca65590f709b73faabf6f7",
 "type": "eql",
- "version": 13
+ "version": 15
 },
 "4682fd2c-cfae-47ed-a543-9bed37657aa6": {
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": 
"2fb5a3528f28bea1d5629229379f286d3d7b2c4dd003ee69343bb3ac9a1944b8",
+ "sha256": "28e0106b8d9bc8ac54ee00ee136e0576123720767e2ad6e1cc0f31c16cd70c30",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "min_stack_version": "8.3",
@@ -1337,15 +1343,15 @@
 }
 },
 "rule_name": "Unusual Process For a Linux Host",
- "sha256": "e9c33face1c8c02435902a4a3477fe61fa7b2781006293be951e49167c994a8e",
+ "sha256": "8cb93680a545a5348985d497607b2d0a3797441d01152689255b0723e7a72533",
 "type": "machine_learning",
- "version": 8
+ "version": 9
 },
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "e8534be952035c9ed25a97f05c8a974e50ea1f0f9635ddbb12ecfd63b85a8445",
+ "sha256": "792ae136492bee1c468c0d4c1f22069ea458a7b5598d173a7640014b23d6aa80",
 "type": "eql",
- "version": 2
+ "version": 4
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
@@ -1355,136 +1361,136 @@
 },
 "47f76567-d58a-4fed-b32b-21f571e28910": {
 "rule_name": "Apple Script Execution followed by Network Connection",
- "sha256": "34086f00f7c81d099a3adb242947eb40dbe6ad2debdf1accf86d786204506af4",
+ "sha256": "31f023f8b52a8d8b5946b7d0f9dbab11f21893be803797996bdfb6c2fdacd6e1",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
- "sha256": "2bb49068fd730f4cfdbf988cd70e015135eb40d0aa149b8636e974c4ff88b8a7",
+ "sha256": "ef9a427dab36345bbc7fc7b215e2993f358fb29444e4d27ce1182ab7acf81809",
 "type": "eql",
- "version": 2
+ "version": 4
 },
 "48d7f54d-c29e-4430-93a9-9db6b5892270": {
 "rule_name": "Unexpected Child Process of macOS Screensaver Engine",
- "sha256": "d8a4a40ae911a59d2d6d53b9d774feec83f8f135a5b33d7e05d12f96eb057dbb",
+ "sha256": "9cdc5c627de616baa3315053d9b60f5209f2f348f14875b70f28d839e2579675",
 "type": "eql",
- "version": 3
+ "version": 5
 },
 "48ec9452-e1fd-4513-a376-10a1a26d2c83": {
 "rule_name": "Potential Persistence via Periodic Tasks",
- "sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089",
+ "sha256": "cf16c66a3b6953e016f2e40edbee489e97e385816b8241818bd2184769ecddf4",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "493834ca-f861-414c-8602-150d5505b777": {
 "min_stack_version": "7.16",
 "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
- "sha256": "829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0",
+ "sha256": "c0189c96284facaab70cb39582539f6df586acf5eaa01b3c326823c643b90a68",
 "type": "threshold",
- "version": 2
+ "version": 3
 },
 "4a4e23cf-78a2-449c-bac3-701924c269d3": {
 "rule_name": "Possible FIN7 DGA Command and Control Behavior",
- "sha256": "38a9ef4430e706f69e3f25e3775ef9ab5247933a6448daed8075c460dd5d4369",
+ "sha256": "3a7b1593039c3d45823d5fc337e5d80b3f0a791605e32611903dc3e926bd98f7",
 "type": "query",
- "version": 6
+ "version": 7
 },
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "rule_name": "Disable Windows Firewall Rules via Netsh",
- "sha256": "cdb824e4a9819c8e9889f065053418a5920b980702c0892282a34d584c8d6582",
+ "sha256": "86416e631a84457792ada6cecb10e4dc761dff8a81cc06e0dbfbe21ff1efd6fc",
 "type": "eql",
- "version": 12
+ "version": 14
 },
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
- "sha256": "170c4b4826b714b58e213aba5e0ce18904613c4ca782102bf36a665b4258a3fd",
+ "sha256": "ebc1e9be7060855bb004538d48a77dc3f757edda38e56820190dea71ded529da",
 "type": "eql",
- "version": 6
+ "version": 8
 },
 "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
 "rule_name": "AWS Management Console Brute Force of Root User Identity",
- "sha256": "54f432ebeecc716460a030d6d37cdb842396275d6daf24813ce0f902486cd953",
+ "sha256": "5af7dc7ca0dbf635be5dae070e087d42c5f2351ac61fa75a165e2a7c8cdb9354",
 "type": "threshold",
- "version": 3
+ "version": 5
 },
 "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
 "rule_name": "Attempt to Disable Gatekeeper",
- "sha256": "4c07864c9de0c88831a1a1b704628a56126012edebf132cb12045866c2d0f24e",
+ "sha256": "808e1a01dee8b44d384820a3fa6c98e74fe228493494c65aaa82ec5b507af950",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
- "sha256": "3073045e9ea5f36e53f50791af38546a458bb0c5a574df76c087c779b505365b",
+ "sha256": "8a9495706a1456c58669b4d529cddec0e636b13416a3f2e94e9d71cc65519af4",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
- "sha256": "2f36549bd55b6f24b1c459a4ade0ee51f29361e90d31b8f42fde98ecab00fc0e",
+ "sha256": "613a9b248541187cc2f4e5863d5eba55518127600f82cc188da860bccf534957",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "rule_name": "Suspicious Script Object Execution",
- 
"sha256": "86fbac365ea6f05358840e21847cdac1ba5feaeb3571e7edfdcec13820f6e50a",
+ "sha256": "23b02157e774ccd4c66cfd8020254f742eb534529e3dd3e09702945b3c2a85bf",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
 "rule_name": "Unauthorized Access to an Okta Application",
- "sha256": "589c24ca630a77bad17ad6c4b8036cce404b7a1186da052793b448c75bb06371",
+ "sha256": "929a11054851130c72ad5fcfb859a5191a7891f1b250033f16af4a17f450022d",
 "type": "query",
- "version": 2
+ "version": 4
 },
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "61f36263e69c3eef14a1cb48a56aa01eca2883c628a1800960340ba1d1f9d00b",
+ "sha256": "76b4b534df6142578ba17c139387f4338044983089f60686dda68091177e7b3b",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "rule_name": "Registry Persistence via AppCert DLL",
- "sha256": "3ca220c068f4f9c3b5fc467721f4d53681147e2ea4325031f15090e45ccb9993",
+ "sha256": "42e78cb6dc476edd74a7a4cc77231752fc728d27210f318e6353352c95418fa2",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
- "sha256": "3741ed6a1c231b1f47ca02dbd1bd5609bf58270bbec01faa9a946349eb07d084",
+ "sha256": "0db26f7363e8053c1381d8fb779841b8401622322eebea5d4cede4e1b3165b69",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "51859fa0-d86b-4214-bf48-ebb30ed91305": {
 "rule_name": "GCP Logging Sink Deletion",
- "sha256": "f080f65773cf86f0dcf7b5d2234c7b3123961338d5d11310d2bc007d0f5978c0",
+ "sha256": "6c9561bd680c539dae46e578542aba9cba90806a84e3e8b91704f7993aa7ac89",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
 "rule_name": "Incoming DCOM Lateral Movement with MMC",
- "sha256": "7add00e6f6097cc99daf7fcee026068a09e75a93763bd1b69733f2bc73d53aa4",
+ "sha256": "587a34e68e4cdea134965146959fd12b2739ade64e6df2b2ec43fe25b3cab661",
"type": "eql",
- "version": 5
+ "version": 6
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
 "rule_name": "AWS GuardDuty Detector Deletion",
- "sha256": "6c543d844a90fd931a4c36a1fcaaca7a7608ac2a2f6127382844943ddee4f71c",
+ "sha256": "3b511941bb68b935001973663ee104c94e5f51ce9e9988f5548338e211a6b90b",
 "type": "query",
- "version": 7
+ "version": 9
 },
 "52376a86-ee86-4967-97ae-1a05f55816f0": {
 "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
- "sha256": "f6eadf53a53c859d3263ef9c0f123e255916897ab99b0451231ee9b818e772d4",
+ "sha256": "d0d1af19e474fa4a43c0dc904e170de75d7be924c7232462f337921acc763480",
 "type": "eql",
- "version": 1
+ "version": 3
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "rule_name": "Unusual Network Connection via RunDLL32",
- "sha256": "33e7314dd4b45b521415255a0c6fc075f77dba01dac56340b885f8befad43b9b",
+ "sha256": "edc0a75fa2ffc6d9070e1e04410ec71cb243c2e74955e3f22a189b9dfaceb9b0",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "min_stack_version": "8.3",
@@ -1497,9 +1503,9 @@
 }
 },
 "rule_name": "Unusual Linux Network Activity",
- "sha256": "f5304548d6e36152f1e8a35019086b17cb71276fcf3b12fec97aebb69fe3be01",
+ "sha256": "e2d8e6d71120243bc26087a7282a07c40509e5e57c3460bb6b05566b87afcc40",
 "type": "machine_learning",
- "version": 7
+ "version": 8
 },
 "52afbdc5-db15-485e-bc35-f5707f820c4c": {
 "rule_name": "Unusual Linux Web Activity",
@@ -1515,27 +1521,27 @@
 },
 "530178da-92ea-43ce-94c2-8877a826783d": {
 "rule_name": "Suspicious CronTab Creation or Modification",
- "sha256": "d3884fdedd271fd8ef68a5e1be9cd5b96f723566fb795594d2c41cdfd708cf0e",
+ "sha256": "89f953967ec1e459c90a04faddb79329a3e996d02b17b2d2fccb64b7dcbb6892",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
 "rule_name": "AWS EFS File System or Mount Deleted",
- "sha256": "50fecd5f633def52322813c1945eafd486a657ed308f0a00c4ef1d5437850489",
+ "sha256": "4a87b532ed74cbd7440f9ec57ac5cbea065e2124acf03a2c2e25c65f6060c2e7",
 "type": "query",
- "version": 3
+ "version": 5
 },
 "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
 "rule_name": "Azure Diagnostic Settings Deletion",
- "sha256": "8ba5acc8850e486039277d2da8132a4203da644e6a12e3b500bb67629678dff7",
+ "sha256": "3608be420756b37fa605810def14db7395383d2e4c80842d4e6628406e15a3cd",
 "type": "query",
- "version": 5
+ "version": 7
 },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "7822580c4c1c4a801d5bc2d495742874654f65c943a3c8e33e7f7a9a57cc1f00",
+ "sha256": "ed2c9370862e7e9588290bd1220308cffac1b348546fd5baffd11deb67d9fa07",
 "type": "eql",
- "version": 9
+ "version": 11
 },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "min_stack_version": "8.2",
@@ -1548,105 +1554,105 @@
 }
 },
 "rule_name": "Uncommon Registry Persistence Change",
- "sha256": "eab90afc9e1bee717a0f2d2c8d444c6ea131d22bdee7de0f594f43235e7286bc",
+ "sha256": "a60309dff671aa466f3333f41a31a9f0b07ade0b60c500733a806d732dd08124",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "a5518862b6e142e509712bef3ce38b3512bcaec6a6c764bf34405cba00d25086",
+ "sha256": "1762a35e44d0c99be8dd9123b515a8d30fe75580f5dff0ec13401bfdcf3caad8",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
 "rule_name": "Windows Service Installed via an Unusual Client",
- "sha256": "08df11e0b47db88dd1ea0c975775244bb561f4eedb48f626f65b3d8d51eff4e3",
+ "sha256": "c767cf2974b84a37ed9d7e533c9fc774c5caa31db7573052a133b1077ac19e7e",
 "type": "query",
- "version": 1
+ "version": 3
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "rule_name": "PsExec Network Connection",
- "sha256": "4e4fbdc65c3b54bf30a91147ac126d5e470995cd70f02c1dd673719b0738a0a6",
+ "sha256": "4e27168b1677a3c4414838ce02fe365749dc3a01a964992a1d790880667a5587",
 "type": "eql",
- "version": 7
+ "version": 9
 },
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
- "sha256": "0098059a0c6dca4b880d5b66cc7159ce16ab4e4d41a414d24d52aa3cc16c112e",
+ "sha256": "7c071378e65d8168d8c2e1fa931505caaec90f7a44a9de1fcf80fc35f5d7cd4a",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "565c2b44-7a21-4818-955f-8d4737967d2e": {
 "rule_name": "Potential Admin Group Account Addition",
- "sha256": "433b4fee2d89c47433742f05b5869e7babde31127f434c8cce50899e14a270a6",
+ "sha256": "1ddb47cf589c553cb8a3f4450f8e5e844f990a768ca5018ecaac3e13574a46ad",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "565d6ca5-75ba-4c82-9b13-add25353471c": {
 "rule_name": "Dumping of Keychain Content via Security Command",
- "sha256": 
"4bdc0613a8e8085509ab220421528184c30fde624e3ccd0c0ab0b8964f597dd9",
+ "sha256": "ec21f61f8d8f9880ed6b8bddf1afd429613797e5ba740478a3ecff3670f4b880",
 "type": "eql",
- "version": 2
+ "version": 4
 },
 "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
 "rule_name": "GCP Logging Bucket Deletion",
- "sha256": "1b9141827a5dee73525bf4bfabca359c75d2441235803082aac3a45bc62f7e6f",
+ "sha256": "cd15d5696c51ee9340d48f38b0e1d0d9a77567ccb7b72ae08fda8dc07110aac9",
 "type": "query",
- "version": 7
+ "version": 9
 },
 "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
 "rule_name": "PowerShell PSReflect Script",
- "sha256": "9e5a518c440a470859b4dfcf1a8b5d910f8941a8a872b6087ef481565340fc7e",
+ "sha256": "e83e1f173bc605e47f440c42e553b45dd28cda90abf6497e245678c6a7708458",
 "type": "query",
- "version": 4
+ "version": 6
 },
 "5700cb81-df44-46aa-a5d7-337798f53eb8": {
 "rule_name": "VNC (Virtual Network Computing) from the Internet",
- "sha256": "c683c0a850432bc2e1bc213062d7340c83c0c8ecc6ce14f521ed262124ce52ab",
+ "sha256": "c577a8ecfea81bf251b4b191c289be058f3d8d696d941c563ff6e4263d258ed9",
 "type": "query",
- "version": 11
+ "version": 12
 },
 "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
 "rule_name": "Credential Dumping - Detected - Elastic Endgame",
- "sha256": "16a81e4dd634888d573b513f92f341b62b0dd86237883db37a35e77ebf1fde1f",
+ "sha256": "0f8aa3d3390fa540ba3e38daaada9df9aab90b5e6ab3fc8e69b4d97df528cf0a",
 "type": "query",
- "version": 7
+ "version": 8
 },
 "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
 "rule_name": "Azure Virtual Network Device Modified or Deleted",
- "sha256": "6fc943ed6a7460824b62403a5a15857757bf17110c30528291bd3feedfbd1bca",
+ "sha256": "2f9cda17e45bc301cc30c158bcb0d6c0062cfe3f6b685ca6c11e241a22cc0a78",
 "type": "query",
- "version": 2
+ "version": 4
 },
 "577ec21e-56fe-4065-91d8-45eb8224fe77": {
 "rule_name": "PowerShell MiniDump Script",
- "sha256": "aa62dc42194f1f23e125ab54d9142e666ca5d21e32937d12142c29a1a324b3c7",
+ "sha256": "cbdb31457c62480fd5c9dbf50a46f140aafd57d31ee5c2bf92d0baf962a3d480",
 "type": 
"query",
- "version": 7
+ "version": 9
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "86d42e7e69469e20c0a4e192ff7b1b3b8984297bb051fe0fc0d97a257710926c",
+ "sha256": "c1aec0b0b33c8a3075935263f0f719b0e21c7ba0bdfe187aab046b2de8a73393",
 "type": "eql",
- "version": 12
+ "version": 14
 },
 "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
 "rule_name": "RDP Enabled via Registry",
- "sha256": "30630b7400b5f0f712f2b852253bfab1474a2ca6b9268f8a42ba5d463b335b0a",
+ "sha256": "c78fc2e97a561744176f7e493729c4382c3f7057779a9176829384ebd3c3f2ca",
 "type": "eql",
- "version": 7
+ "version": 9
 },
 "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
 "rule_name": "Zoom Meeting with no Passcode",
- "sha256": "929b90e9226b83b1269f9a04cb4bdf8e8aa9ae3754590e7b98cec10c44617a0d",
+ "sha256": "b11bda77407059cc54037e469693754321f43bae2e53010ad95944e9a774276a",
 "type": "query",
- "version": 4
+ "version": 6
 },
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "rule_name": "Potential Lateral Tool Transfer via SMB Share",
- "sha256": "fccdc8cdb7b3ef92b3e30da671101575b76c05c404ebf4657415a612c2f2d490",
+ "sha256": "e90a1e07e34ea2f495f80b818ec08292d02a12b56a1ab8113c893adf20722fb0",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
 "min_stack_version": "7.16",
@@ -1659,21 +1665,21 @@
 }
 },
 "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "sha256": "60e1a724d9edbc22f6528691c7025186bdb347bfbeeb7940698260f32e9aeee2",
+ "sha256": "d5594f7b8eedbb5ea3c923cb0cf51ae9618431b335128344238559784e938a87",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "5930658c-2107-4afc-91af-e0e55b7f7184": {
 "rule_name": "O365 Email Reported by User as Malware or Phish",
- "sha256": "7ccd4d8f110c738a2b76576a8e8789744375b7af919a2d9fb8eaff54efb4c23a",
+ "sha256": "2908b94aec0f3070fd9d0a220730d79c4668f92dfe6d4731980484f66e51afc7",
 "type": "query",
- "version": 1
+ "version": 3
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
 "rule_name": "AWS CloudTrail Log Created",
- "sha256": "85d74e77cea83a788a7e8ff5cecbec7170d475c2191813cc38a9f76fac5f0001",
+ "sha256": "209a16f07edd93802e8476f058b96cd02f1d753db48cff8113bc6e33e3af3bd3",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "59756272-1998-4b8c-be14-e287035c4d10": {
 "min_stack_version": "8.3",
@@ -1686,45 +1692,45 @@
 }
 },
 "rule_name": "Unusual Linux System Owner or User Discovery Activity",
- "sha256": "e41fd4f6fee735f8f4d622091922635835073038420494f835501080da741b64",
+ "sha256": "a888530e840ce4cc7c277d6310c360d7a1ae0eba2152a82637594dfe782d270a",
 "type": "machine_learning",
- "version": 3
+ "version": 4
 },
 "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
- "sha256": "3e5d52af7c4dfdbaaef634c12d661be2128611ee551a23e54a7f0f42a32da3e8",
+ "sha256": "82cb59512014ab0e01173d569e396665f29f1872f19658346dd205b1c20c2795",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
 "rule_name": "Remote SSH Login Enabled via systemsetup Command",
- "sha256": "949d9585989c20d9adda4bea2921d82a86591c2f26aaf1ffff9db3fc76015f4d",
+ "sha256": "00f23ee0d4c2a3a6325cda36c6b9d05bcb82d630098f7351a305d1a4f905637b",
 "type": "query",
- "version": 3
+ "version": 4
 },
 "5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
 "rule_name": "Potential Secure File Deletion via SDelete Utility",
- "sha256": "fcd101dc07b4064695a8ca86021774beb0652a4896ec15b9e21537b23ea852d6",
+ "sha256": "29f7f0a29bc15d489a5dd0c181f2a35e41dd3a52f958e9c17556ddb5324eed71",
 "type": "eql",
- "version": 6
+ "version": 8
 },
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "9c0208d45564d4542b3d2b8a5bf247de7c1f52fd0d35c92870b6bae1e3a11169",
+ "sha256": "edd0c1216ffec478441f08a43ab313ac1130cf13b408a8328c878b9093c5f6c3",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
 "rule_name": "Suspicious PrintSpooler Service Executable File Creation",
- "sha256": "f1950eb7f6f8af4fe72108d6fe0facf987c4b9e54e3c3e2256ac37a091e93c4e",
+ "sha256": "8138db765525c64d667013ac9c356533d9aec2c7b165f949715bb78b6aa62093",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
 "rule_name": "AWS WAF Rule or Rule Group Deletion",
- "sha256": "c045c86538a685bcfe037412acaa1643be511a3dc15c8c03326e6ceb8cfe0e62",
+ "sha256": "c15524f5fb2acdb5e9cca66a10aded162787990ad13c633cec64ce3f81f61c6e",
 "type": "query",
- "version": 8
+ "version": 10
 },
 "5c983105-4681-46c3-9890-0c66d05e776b": {
 "min_stack_version": "8.3",
@@ -1737,45 +1743,45 @@
 }
 },
 "rule_name": "Unusual Linux Process Discovery Activity",
- "sha256": "af77025b9a595eb66fc50d24b2dd04472ce63a9aa0ad7a240af00ce76c0c6708",
+ "sha256": "c8a13c9384d8d25de7c02c4c3ecbd6092c8e0db842a3ea735c22a8a3206ee547",
 "type": "machine_learning",
- "version": 3
+ "version": 4
 },
 "5cd55388-a19c-47c7-8ec4-f41656c2fded": {
 "rule_name": "Outbound Scheduled Task Activity via PowerShell",
- "sha256": "64a269e25fae2964d9e1cb61115089d57eebcbdbc1b822cf41ecfc490977e15a",
+ "sha256": "4a3ef64f498390a4d76dc560ba685c257cbf590ffe154755fa17c28b3165306c",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
 "rule_name": "User Added to Privileged Group in Active Directory",
- "sha256": "ac000ad6848bf4383ec466ed3bc10b7dc7489864b7a2cda751e0036fc8434677",
+ "sha256": "cde8abeb5602cceec08fc0e7415ed285ff46f0c199567dc7b9dc2cc243672fff",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
 "rule_name": "Persistence via Login or Logout Hook",
- "sha256": "928d8f1868027c7d42730c081bc9aee7b715081ed77c5ec3ae2da6ea17eadbd3",
+ "sha256": "103decd70a805abb5db8a398cceb56c1bde50dea0972ae09cd7d87e426cd85fe",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
 "rule_name": "Suspicious Execution via Scheduled Task",
- "sha256": "ac910f8ec6f72b2f316ab3cfb7fd27c597892005f07d95045b9acf42a19962d8",
+ "sha256": "8468dfe28e0ac1ca8f0451240a39d3f5d821c9283ac09106b3446287a63f12de",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
 "rule_name": "Suspicious Automator Workflows Execution",
- "sha256": "1423cb901db24ee2389356865a804a69d1c5ccd02aca4cf100ca7486f830aee2",
+ "sha256": "d627f089be597dd9d5cd098afcb3df2539500a660d3d0565bdba0b3ec000f8bd",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "5e552599-ddec-4e14-bad1-28aa42404388": {
 "rule_name": "Microsoft 365 Teams Guest Access Enabled",
- "sha256": 
"dfffdd35d5aea389d17a849f0a12cb31558b2660b2a20485892c53848ded6543",
+ "sha256": "785758adb031dae686b1e5a8a2e10c923fd5c55e358519a85401a91ef9ba1a7c",
 "type": "query",
- "version": 5
+ "version": 7
 },
 "5e87f165-45c2-4b80-bfa5-52822552c997": {
 "rule_name": "Potential PrintNightmare File Modification",
@@ -1785,33 +1791,33 @@
 },
 "60884af6-f553-4a6c-af13-300047455491": {
 "rule_name": "Azure Command Execution on Virtual Machine",
- "sha256": "abb1da4a93de07129c1b5b615752a4b9824c9cf4fd8c0c555614dd029d6d7e8b",
+ "sha256": "1f4b11597a458a226823bbb7db38431c16c7b84e5d5050ddf42bede9ab3aa0de",
 "type": "query",
- "version": 5
+ "version": 7
 },
 "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
 "rule_name": "Azure Service Principal Addition",
- "sha256": "8eb451fbf3b33b73f8476b07b3b278f1f89028628f41bccd347c3ac556e4e031",
+ "sha256": "2495b9c70186da669036c64b8dd8ff7763cf4669a56889df9e5185406bf9294c",
 "type": "query",
- "version": 4
+ "version": 6
 },
 "60f3adec-1df9-4104-9c75-b97d9f078b25": {
 "rule_name": "Microsoft 365 Exchange DLP Policy Removed",
- "sha256": "8861a21144a2ea4eb4575801530892df3fff673dc4701f49c4863bf3f0bec8e6",
+ "sha256": "f102a96f06156afd27280e431681c6596ee709cbe8c9b9b8f83eb5442cfeb3bb",
 "type": "query",
- "version": 5
+ "version": 7
 },
 "610949a1-312f-4e04-bb55-3a79b8c95267": {
 "rule_name": "Unusual Process Network Connection",
- "sha256": "9284b390c8c7e73e77a69f2d0e2900f6b6ef1e04caca2806f594f3695bc65b86",
+ "sha256": "4abd1685dede15684e51dd0fa57a558a896fe68c9e8ab98260aafec508d8041c",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "61ac3638-40a3-44b2-855a-985636ca985e": {
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "348a40858c559125d0eec34d7212dfdeac55ba6faa8db7c6ab604fc97c9aa6d5",
+ "sha256": "96c86ebf7124b5cf3b983a969ac7334dd3f702d1e63a3a3a98b183f193d4f675",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -1821,27 +1827,27 @@
 },
 "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
 "rule_name": "AdminSDHolder SDProp Exclusion Added",
- "sha256": "e4eda33820328a8ea3b438af247d210a2d27bba8ee73d91bb776965247b30b24",
+ "sha256": "384ea747a062c1e6197b9f85283fe5b766e6812db17234c78e527075e8a7a9b2",
 "type": "eql",
- "version": 2
+ "version": 4
 },
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
- "sha256": "de52074b13baa3ba8ae1a3f2d6678baf22283741d6a40dcaa7aa19bd2356b084",
+ "sha256": "11754c12da58eeb226af18f46d8f6d76bff9e42fc0831dd6a0797bb7eb3d9f12",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "62a70f6f-3c37-43df-a556-f64fa475fba2": {
 "rule_name": "Account Configured with Never-Expiring Password",
- "sha256": "b11ea0b16c59af178aae7fc5869e311bc7e98918cedba5dcd6693398144c70d8",
+ "sha256": "323d4cd6580d5345a3d47924597c0d860fb1dba813e9aef86cf76e4558a03349",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
 "rule_name": "Network Connection via Signed Binary",
- "sha256": "480b35158e6bde86c97da264cbbc89e51301efc810ebfc8913739b428152b2b5",
+ "sha256": "0b523a33b17db3789328ebb6b50e3d22ec51568fa9b76cc3276e35a066a7420f",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "min_stack_version": "8.3",
@@ -1854,15 +1860,15 @@
 }
 },
 "rule_name": "Anomalous Process For a Linux Population",
- "sha256": "f66d977c873bbbe1eccb28231f01007c50dd98592508187bda912d8b06282cd1",
+ "sha256": "e4c6ac63641ad3c137646647688564006d8f03d12902f4945f1ccc36f10721a7",
 "type": "machine_learning",
- "version": 8
+ "version": 9
 },
 "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
 "rule_name": "Modification of Safari Settings via Defaults Command",
- "sha256": "1291f8e74a129e13387f515122286762491f4a8a98539f725f35893c9e519257",
+ "sha256": "66b994ea016c69bcad77e78b66f2b07a8c7f59ac9a7390737f65a0669112fdeb",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "6506c9fd-229e-4722-8f0f-69be759afd2a": {
 "rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -1872,45 +1878,45 @@
 },
 "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
 "rule_name": "Attempt to Mount SMB Share via Command Line",
- "sha256": "37a539b9a5de70263630d4718ac3f39c295480c02aeef41cfc1928c27ed89315",
+ "sha256": "3f7e51fb3fd39d93a55d9d03deb86701ec94d7620881615155d0afa914c7dfcc",
 "type": "eql",
- "version": 2
+ "version": 4
 },
 "665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
 "rule_name": "WebServer Access Logs Deleted",
- "sha256": "61c6683c858823ff29be886b335fa55e32c2de34b90c31b6e2329d406efa9278",
+ "sha256": "5404cb14b4ec1009a1ebcc22171f8001feb5e5c5c5d1db44fdd77e44b2000d75",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "56d77dd4079675a4b79810d1ca79ee02983c2fb5965c0676e9c831340f0a6262",
+ "sha256": "9074d32b67e1ae4dedee47ef68052d2de75e18e968836494eeee7db8ced3559c",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
 "rule_name": "Suspicious macOS MS Office Child Process",
- "sha256": "2cef3de3b774697cedfbed1c2355f06f346be0ff564bb51e664741418215ed35",
+ "sha256": "88578952808e432ce70c953dd9389c864ad5c28f36135c9c64410653dbe492cb",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
 "rule_name": "Attempt to Modify an Okta Policy",
- "sha256": "d93bdd2f8eda2395c9b8ab7c737460f2201732e3176d605b489d38221cd18bfb",
+ "sha256": "22770a8b9760d97187d699389f39f497a033c64f614ca20857a3ea8ebfb10c6a",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
 "rule_name": "O365 Mailbox Audit Logging Bypass",
- "sha256": "9fc4ef03c57ceb4080449f8f6db2e2054bae6343b79b340c3b462697cb756abb",
+ "sha256": "dd152df8ece7c1348dc40c1874281029c3551a4a57cb217aab209817e6a5d91e",
 "type": "query",
- "version": 3
+ "version": 5
 },
 "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
 "rule_name": "Attempt to Revoke Okta API Token",
- "sha256": 
"d6726a1a5d3a598df105d959b2d8d7b02e10a98c4e8c5f0f47e124bb5d1fab62",
+ "sha256": "6df1921e1f556508c74a68dee89124b0f9f578b146c42dbf6c2cb4849cff010a",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
 "rule_name": "SMTP to the Internet",
@@ -1927,109 +1933,109 @@
 "6839c821-011d-43bd-bd5b-acff00257226": {
 "min_stack_version": "7.16",
 "rule_name": "Image File Execution Options Injection",
- "sha256": "6f3da8f7ad3053933ead97d9f24027defb33edf3e295ff028bd18a9028833dda",
+ "sha256": "077626b93e411260c2b3faf85846d631184022a715c464a6297c069eb4f54ff9",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "684554fc-0777-47ce-8c9b-3d01f198d7f8": {
 "rule_name": "New or Modified Federation Domain",
- "sha256": "a7b96a488a076900caca95e6820769a0f0d3d8a4d0d6cda8e543408c1f94f6c8",
+ "sha256": "e1ad8432acdc49bb52e5a27224094c56455fa87047e2fb9b67302db7da535d7e",
 "type": "query",
- "version": 2
+ "version": 4
 },
 "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
 "rule_name": "Threat Detected by Okta ThreatInsight",
- "sha256": "0f9bfed2053b99795b40e69a51bfdca388143a9a3a4ac6ecccff16c81657acc0",
+ "sha256": "90194432fa131b45d4e0479283e97ea080275e0d226f1125fff0835c95e64e0d",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "68921d85-d0dc-48b3-865f-43291ca2c4f2": {
 "rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
- "sha256": "209c61358a68a5f57e08fcecb5d250d936b555e23e0d9304078362cdf09b67b2",
+ "sha256": "06f4a7443048cea7bec58e46f208e942694f415dcc65320caf513b9715052ee6",
 "type": "eql",
- "version": 7
+ "version": 9
 },
 "68994a6c-c7ba-4e82-b476-26a26877adf6": {
 "min_stack_version": "8.0",
 "previous": {
 "7.16": {
 "rule_name": "Google Workspace Admin Role Assigned to a User",
- "sha256": "a9e5fed2c237cba481fd05a38576032d3cddf5a3b67341030a4a77725c478b22",
+ "sha256": "b93cd2bb2b978c4a49aa012e3ba233f122287ffdb705c852467201a2f5818c37",
 "type": "query",
- "version": 11
+ "version": 12
 }
 },
 "rule_name": "Google Workspace Admin Role Assigned to a User",
- "sha256": "afd34ab4f1d7e038c874333fd83de248c0b54d625f489e74359f3ce4ec9ac71b",
+ "sha256": "f5bbf3a6897d121b556564a21ef56f038e25fa0dd8d6b2588192ebdee2c1f59f",
 "type": "query",
- "version": 12
+ "version": 14
 },
 "689b9d57-e4d5-4357-ad17-9c334609d79a": {
 "rule_name": 
"Scheduled Task Created by a Windows Script",
- "sha256": "e36b6e5cdc71883b3829db49b0ec46d102f02be1c7afb892e4b2a95c72a8b5fa",
+ "sha256": "d6330f3ccf74ee50d9d3260333eafed28c7cf320c5ece04822f8f008bf906aaa",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
 "rule_name": "AWS CloudWatch Log Group Deletion",
- "sha256": "fde09756526a918a6e12316e4a86f8771eb5269f2b2caf1d407e0a5802d872b7",
+ "sha256": "1847729f7e371a84bd8c3834cb63a7f1a167306a18f986badb37b3467a13ab90",
 "type": "query",
- "version": 7
+ "version": 9
 },
 "68d56fdc-7ffa-4419-8e95-81641bd6f845": {
 "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
- "sha256": "4a792f22d9793a8852c22f63e7ab4335f06f0948b4ec6e6db755e070f931e8a4",
+ "sha256": "431cfd25e36329eafa008281313032e48969664302df3523a6f07754afbc677d",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
 "min_stack_version": "8.0",
 "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
- "sha256": "1c84ee3520f02156a2dd650dff1c95cccd1852054ed6f7ca59a4ce9d278c9832",
+ "sha256": "32f883b9ccda701081df7ad7747f8d7ba939a23f7766b682130f07db73998f6b",
 "type": "threat_match",
- "version": 3
+ "version": 4
 },
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "rule_name": "Modification of Boot Configuration",
- "sha256": "dc7c016e305be812b3d2e4288822690caacc18eff343975887b642f4639d43ad",
+ "sha256": "73621b3b95ecf7bb77651e8c4a1a76be7c54ab55a104eff31b5aed1e371f2d81",
 "type": "eql",
- "version": 11
+ "version": 13
 },
 "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
 "rule_name": "AWS IAM Password Recovery Requested",
- "sha256": "8ceeff23f163dec7641b8a40206c00d20925523f3b20a5d2f4e08140113fd083",
+ "sha256": "f723112f0a9ec33a558f63a713b50aae50ac93e26b143960e52e5612495d5151",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
 "rule_name": "Unusual Service Host Child Process - Childless Service",
- "sha256": 
"40b3b3fbc788dbb827e8599339d234daf485625d36845e5efee9b1db0284db33",
+ "sha256": "584f0ebf9567a6e446e1d24977973e8044caef2f127a13c8d50b7f64b5c51739",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "6aace640-e631-4870-ba8e-5fdda09325db": {
 "rule_name": "Exporting Exchange Mailbox via PowerShell",
- "sha256": "52c5cb860bad700cc9d175680b4ef985f4c2b87d545923b755c96e802e023810",
+ "sha256": "c9bc62a408dbd33ff682abbf2e94d80def869069296bafacc5114a1782888d3f",
 "type": "eql",
- "version": 8
+ "version": 10
 },
 "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
 "rule_name": "Sensitive Files Compression",
- "sha256": "3d1a0bee2d79c035a599faffc03e74e4b4699b39dbb4418068b003eb6136050c",
+ "sha256": "1245a54f6eb888b0625cb5d21c2d3f9a32f00bd323cfe849f6c4c6e8bd3dc391",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
 "rule_name": "Remote Computer Account DnsHostName Update",
- "sha256": "45706af41dd0e101a3f59b870ba870250864df9ed5c53ce61e227e1027bc6e09",
+ "sha256": "6023b238c4eefc97b6a59ca0a23a1985dd52daf852fcbb1d338f183812588e5d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "6cd1779c-560f-4b68-a8f1-11009b27fe63": {
 "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
- "sha256": "9a47baed80aaf38c9a8f7e85d4037d396c3a9b38097f0b8e272fffd95dceae7b",
+ "sha256": "1c68199cc49bfb97a0ba0c646a90d3b2f73cc356ef13470f54d602b4a0a4f901",
 "type": "eql",
- "version": 3
+ "version": 5
 },
 "6d448b96-c922-4adb-b51c-b767f1ea5b76": {
 "min_stack_version": "8.3",
@@ -2042,9 +2048,9 @@
 }
 },
 "rule_name": "Unusual Process For a Windows Host",
- "sha256": "d1b4768478efdf6055479fffaca2f55ec0d54619814576b99b10c10ea71b829b",
+ "sha256": "e7d9e38374bdcf86d9d0e6705887db41bf409cb671d44f6d0d88b0a2b15d059e",
 "type": "machine_learning",
- "version": 11
+ "version": 12
 },
 "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
 "min_stack_version": "8.3",
@@ -2057,39 +2063,39 @@ } }, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "21fc1de563e9b545cef035fc515694a096264e04a05671b680bbf89249f989e2", + "sha256": "d51e934a57b4c4256e283586d62e04216b1040a7e10f9f85a433aac0f9c1c0c1", "type": "machine_learning", - "version": 8 + "version": 9 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", - "sha256": "e63135af0e5924b96b28af7b3bf95259660d6458c0e1f94fee88f8d7d23538af", + "sha256": "6943781070b2e5afa4e3de92c0c934ba4f784cbb964d00cc9daafd12e86c2af2", "type": "query", - "version": 2 + "version": 3 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "b6564f471e4aa0cb13d07712caab5e9f503defbbec1aeedb2daa788a6a53417d", + "sha256": "299f64d887cc47236eae124f04e9f1c60d88dedb0e61fb324daf9daefc3a8682", "type": "eql", - "version": 3 + "version": 5 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "f7c950372b5e9243c9d6de8b572a1f564290aa2b0f790831d501d5b3a2b460b0", + "sha256": "5eb2d277fc3beed4ad59ed441f5286ae09f2e33e7dc3f9919fc5b2cc669fd8e2", "type": "eql", - "version": 4 + "version": 5 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "rule_name": "Security Software Discovery using WMIC", - "sha256": "ab44461f57e7c5d83d961c3c2f612e62afa4180abc2bff89599028f52daa81df", + "sha256": "2e5f5ac59dea19e7af55d8f5a0db3a0bb5778cead96038507a5ffdce5601ea27", "type": "eql", - "version": 6 + "version": 8 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", - "sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622", + "sha256": "8a015133b3d5dca51879d6f8a9551335c5f6c322bb18887f8753213de297eee1", "type": "query", - "version": 12 + "version": 13 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", 
@@ -2102,15 +2108,15 @@ "previous": { "7.16": { "rule_name": "Google Workspace Role Modified", - "sha256": "4776d80c0d1069ed8363242d7b09b4934c3efc58c9db2b87fb5045eda98284e1", + "sha256": "9cb9378f77ddd21f125d4bd96ae0f071a38f364c8fd7d446fb6d72144274f37a", "type": "query", - "version": 11 + "version": 12 } }, "rule_name": "Google Workspace Role Modified", - "sha256": "33a6f2e64d79ebfed4fe0f1b4e5c4a7968b9b4941e11fa0cf720ef3810e38a15", + "sha256": "77e1106da71ac154b2f000097ec9a4f5e544a32769a44f8804cb17ad3a573b06", "type": "query", - "version": 12 + "version": 14 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", 
@@ -2120,57 +2126,57 @@ }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "6897e1e8f7b9944fbeb558e0232b7a6cff15c0e14bf002b9bd4699a4350468c6", + "sha256": "51b71211f2330b05b22a8d6dd64e77162f85f3e6362da0409bbed863d68cff1b", "type": "query", - "version": 7 + "version": 9 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Service Tampering", - "sha256": "8e5473155c744a9d9579c9fde809857339d28ed1969699c8087d623f3be4eee7", + "sha256": "4cb4c84c49964353e7d511829b5030d3c5c5f8c22e6354ab4e7621eff3f59435", "type": "query", - "version": 6 + "version": 8 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "595a864d26763ad72e78a54831b8e6740f1bd90566b5a450046c0ed8824b9e6e", + "sha256": "02939a6d0cebbf9eafac923b5c3c06b0c8b545c8e51694a6d42886c7cceed0c2", "type": "eql", - "version": 2 + "version": 3 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "3e2fb37fef273486c5032188c9b3bd7baeeeca83a4b49ebb212f95ad0e1451f9", + "sha256": "018eab05a0b4a2c70a3af863b0b8641c9efe94cd2d02842baf414d34b4b7674b", "type": "query", - "version": 1 + "version": 2 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "fe4e4318876cf618a1e21bd9cf33c5e2df2b85efd5b8e7801d31ebdabf213df6", + "sha256": "81d0f87832fa695a99b4d76255d2c78f58656da7a1989f1d7fe894cd620db85f", "type": "query", - "version": 2 + "version": 3 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "a69fad4530cefa62bdc75083a025fa8c6e94d771a95245a080ecd31994e6bf2e", + "sha256": "cd449787ab01780179a70626e6b6db732c370bbc384e2a54b4038b3d4ee6c2dd", "type": "eql", - "version": 2 + "version": 4 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "rule_name": "Suspicious RDP ActiveX Client Loaded", - 
"sha256": "38fe49e47f59a5c88d21d80aec8562353d0a9cb74ab81ba0b00a558095927119", + "sha256": "4f2c37e7f067c22daaac7b0a6d04b26c1195ba5b7d88911e80464e0388148980", "type": "eql", - "version": 4 + "version": 6 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "c2f7bf9712e7b52b568aa4ff657e6cb033c602ea071e2fcfcc37247605f999e0", + "sha256": "0e4a0119f2b0ddb18027ba970f7160526b519bf6f4c12331e52b0754db14770f", "type": "query", - "version": 3 + "version": 5 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "39f2ea0432ed3122a7a0d35999c6c5e031af504f3cb039cce854a4dbbf267128", + "sha256": "7f898ca1f5959083807b00d39add548b7414230f058b767ad09cdaa3ff52543d", "type": "query", - "version": 6 + "version": 8 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -2180,109 +2186,109 @@ }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "377e5ce257eadd1dee5a301687b5b23a736ba35b1dc669781ff1b2e99b7a41a2", + "sha256": "85bb1aec79329f7e94bcce8357743ed8fd42b459d5ba231131f2838ca6ced383", "type": "eql", - "version": 9 + "version": 11 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Launchctl", - "sha256": "b9eee6e8e6eb2c238952d35b40ebd2ef4d70e4a462e513ac0bf3f939a447c986", + "sha256": "08f3e24cfe4835d8036094fe9b3a70cc04e6c938362bcd3b31410cd803071f6e", "type": "query", - "version": 2 + "version": 3 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "min_stack_version": "7.16", "rule_name": "Unusual Hour for a User to Logon", - "sha256": "cfc6d020a4aff760e43c4f33a76f8e3f56c9aca58b2199c4c498bb3f6f966b42", + "sha256": "18e5843022fe112c68e810deb69d810815b0e1c76dedccf6d67f0bd5350f3d8c", "type": "machine_learning", - "version": 1 + "version": 2 }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", - "sha256": "af51bdc27c86e87d19b50f0daa04da3c6df9a80227f61e73e44e86db37f30006", + "sha256": "7de31794df789ba0b1d690a2b230ecfa10b7415038ddae6ba003f69debf031a8", "type": "machine_learning", - "version": 4 + "version": 5 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "7d4448c4595f5cf1ecdfcfde84e6c0bd302004eb1a71c73591e3e339532195e6", + "sha256": "043fb6685ee21c9cd0a6a574ef411cf5548ca2c8913ee806b028c20f53afdd0a", "type": "query", - "version": 8 + "version": 9 }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f", + "sha256": "41bff26d8ac04c3a2f669a13e1b3edfca89037be6c5c41504748ab258705d9f1", "type": "query", - "version": 1 + "version": 2 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": 
{ "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "c49e587f117514667308f02354286753e05f298b84b3fba56709b49bd9570b1f", + "sha256": "edaa42397d413323802f1ef7f9875f5de10bed34577f53a332289a143cbc001c", "type": "eql", - "version": 2 + "version": 4 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "753b7a23d96a32763774e42a9ac7992bb99fd9734dfa3c25aa20caf83f352aa8", + "sha256": "1abb2447d34ad3e537afe69f7952979911c10b4ac2de409942b8286690971ba8", "type": "eql", - "version": 6 + "version": 8 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "5300f30cfcc5c187c41d721d3dae57144ef35a521c5f5f42a68cca607bab7536", + "sha256": "51517f9a409f7b6c6a70ee3417cb14f1ec4aa9323d6890a09c720defffd6fba1", "type": "eql", - "version": 3 + "version": 5 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", - "sha256": "db73c1cae414a7e328d7bd8022798a8643bc9e40bd45b3dfeefa437c8931b5ae", + "sha256": "6642892bbeccf36486c3f19d505311daa4e35a6912aaf9be425ee81d1fac8833", "type": "query", - "version": 5 + "version": 7 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "5380f574b8e648c558fa34254366c5e53eed6065c9b0c722b1c458ac26b01ce3", + "sha256": "0072ff59ca4feee94e2d1c15d48244bba7d6706c23b5fa838b2d80f112d5d3ac", "type": "query", - "version": 7 + "version": 8 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "min_stack_version": "8.0", "previous": { "7.16": { "rule_name": "Application Added to Google Workspace Domain", - "sha256": "43a87b2b542b409c6cfbe267485d8b1ba8e32e9ea553f6180b7d0362c46ea2d9", + "sha256": "05659e0fca8bfd5b058797e8189179ad491969abb24b47e22e586ea42c527deb", "type": "query", - "version": 11 + "version": 12 } }, "rule_name": "Application Added to Google Workspace Domain", - "sha256": 
"ab5ac05b1f57b0e9a197d51506441eee921132528fde66e99b64021454556e71", + "sha256": "ec6539a0324a98a6aa29b925a1289974ea3a12aeb742bc770909000833208099", "type": "query", - "version": 12 + "version": 14 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Azure Privilege Identity Management Role Modified", - "sha256": "84ac45e0073c5d7ef4203571ae659413ccd26eac3b505be34ee11115d25db566", + "sha256": "d37e29af15faf62c3fbf19f50869a10d88c9b23c0f34c1eb9822c8c844d55152", "type": "query", - "version": 5 + "version": 7 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", - "sha256": "fff0babb781222efa28975cac8a64e687dfc4370b983e6c3e9786b024d2a52d4", + "sha256": "951a743ae11f1ed1692e49d566ded2359f02b6ed4da096e34a3482e04598d064", "type": "machine_learning", - "version": 9 + "version": 11 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", - "sha256": "739693e9483eba009ac5ee8d2fd3c4da0f3637baa84dd3be947e4e455d60e0e2", + "sha256": "3517ec72db9cae961d7f8ad0287b0313d8d91aac26cf62094f1bd05d125dddcc", "type": "query", - "version": 5 + "version": 7 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "c71d3a9620a24c9e598b74814d68d6741eebcc62592c72cf6dd22bbb02339ee3", + "sha256": "7e3d14629cfafc91401f89e4897f7c7c3af8fd54751dd0047922f11e48777896", "type": "query", - "version": 2 + "version": 4 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", 
@@ -2292,33 +2298,33 @@ }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", - "sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5", + "sha256": "261ed028ee263ba006328a8c896e65cd95d0625ba3b766284fc088be18662cc8", "type": "eql", - "version": 5 + "version": 6 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "14042b6c7716c8acdb6338aed6238ce1e8422f1717bce3b4a3969a382d9b2202", + "sha256": "9df5bb35528f3f5bb0ac68cf9ec4f9d32a872ee610cff97426f7bf0efdab74f0", "type": "query", - "version": 2 + "version": 4 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "rule_name": "Windows Network Enumeration", - "sha256": "a8d8fd60cf7e270b2c2e36f2ede12840784085549953c8cb27dc721d43c9bcfe", + "sha256": "7b40b87ee1a93d70b7e567f0a0198401ed29fdc5a08e73e173aadc29c7852f58", "type": "eql", - "version": 6 + "version": 8 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Bash Command-Line History", - "sha256": "4d0c013b8dd99044bdf0024a186dbd9e9c0b4442245c97e3b61314ce54816f96", + "sha256": "97b6389a0577016d4c0e86d27d8b77a359c768b9759938f8ed719c5a9a777f3a", "type": "eql", - "version": 8 + "version": 10 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", - "sha256": "442ed95d9672fab5f430323edace7c2ccf7ee203111de771abd23cd5cfbf3e58", + "sha256": "d35e6ff48649e3a30d95560d23ae40bc1ad2619e6acead5608aa29af679d6c7a", "type": "query", - "version": 5 + "version": 7 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", 
@@ -2328,27 +2334,27 @@ }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "5f9880c56b50fd6f10c9e092181344d89f39e264561062c8c34d2b811b766721", + "sha256": "208c9dc783b874256a75013961f8e8acd13ad2eba00a96f8650b87449a5e9b55", "type": "eql", - "version": 3 + "version": 4 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", - "sha256": "48ba1263524fb870cd81eaaf17abbab057a5f04d9737f5fb881fcce07d133df7", + "sha256": "125f574ac573edc5d5f43c146d9de2c771ad5aa9bbdb2c4f4e91e4a8b6a2b16c", "type": "machine_learning", - "version": 7 + "version": 9 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "1664db594a454af4890a7ec808978fdd268088b8b9f21f3956900c607de66cd3", + "sha256": "c3d965a2b7b7826538d16c9cce608d337b5f64162c178d6fbdd0756b26c36129", "type": "query", - "version": 7 + "version": 8 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "8865595e2418b8460fccf1b3090d7ec582d17939e8e26bb42b714e35f2b79d8f", + "sha256": "b6672245265d500ac777de607d8edf6b31aa2bceade6a79152a97d283673274d", "type": "eql", - "version": 3 + "version": 5 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", 
@@ -2358,21 +2364,21 @@ }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "ee5b8127fbd2fb5d6fb5a1ad6b9071823bdccd69f2867ced85c3daf3470bd887", + "sha256": "14de188f0368c8113c85bd365c39d0989d1cf10ed21e6b6ba1efd219c805c7fb", "type": "query", - "version": 4 + "version": 6 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "67d8f54def5ff499f3b1bb0ca261c83c5fb1dd3f55d2ecd1bead89a67d371545", + "sha256": "8bdb1ce979fcefabbfaa0f4dee8b269cec0e1e7ef1d333a502ce6f17eea56cde", "type": "eql", - "version": 2 + "version": 4 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": "315f0c609385f4ef62c8a23ebd01250630792d3acf1a85a78f37a594a6e1202b", + "sha256": "b45417b00380069a221933c6399e8126acee41d3f266601835fe2a23df3a52e7", "type": "query", - "version": 3 + "version": 5 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { "rule_name": "Linux Restricted Shell Breakout via the mysql command", 
@@ -2380,55 +2386,61 @@ "type": "eql", "version": 1 }, + "84da2554-e12a-11ec-b896-f661ea17fbcd": { + "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", + "sha256": "454e3aade32ff61723c870c972587300415eba273679cc9f1b5a4df21f3bb331", + "type": "eql", + "version": 2 + }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "min_stack_version": "7.16", "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "8685535bf9243409313814ba723d4756086bfd934685c8d4c488df2aae0f7afb", + "sha256": "3bf17186708c52c7309102c6cbd0a12c4c5c9d95582991840ae508cd11941ff5", "type": "eql", - "version": 2 + "version": 4 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "min_stack_version": "7.16", "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "090277993fca5c0b7466a70ead493206f923df9d98dcfa4624f7d9d624135bf1", + "sha256": "f793a90a7fd2e9f187f8e0b0557338920fd9b61a318f11cc7abdcf976519c5b3", "type": "eql", - "version": 6 + "version": 8 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "5118602879dc1df7dc9f3120f7fc0d393448b861d0ad4ff3ad57e40505bd6ac6", + "sha256": "d1607dbc2db188f1fb8d5f14bb44bec548d2f8421ea47f6f06d8c96dfc062c12", "type": "query", - "version": 7 + "version": 9 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "AWS RDS Security Group Deletion", - "sha256": "81346c952b5ea1ef59195fe979282495f1bfc0578a043e4702e30911879560d4", + "sha256": "f27e620f83ba596ed1c588ddd0f4f35652e89675e375e6b07b7031497ac74263", "type": "query", - "version": 3 + "version": 5 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", - "sha256": "49b5381fa47e4fbc5e74d84264a7b41d0253bd4c62d2131fce97453e885668a0", + "sha256": "a512a85a5d2c0d61cc409f3340238120091f8cc568fae60a5b19bf6cb51c9425", "type": "query", - "version": 6 + "version": 8 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "rule_name": "Security Software Discovery via Grep", - "sha256": 
"24c93a54e3558046bd14bf1bda2da780c66b2b4ae6be612adffde0612d389101", + "sha256": "b55b1241816124ff03a9d5d57583bcdf421dff533215d423116d1863b8103de1", "type": "eql", - "version": 3 + "version": 5 }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", - "sha256": "94436e95522ff9b53a6319cd88739796bab4984279a26a9e6bca4509e08904dd", + "sha256": "06e3c5026a6339436c2ba8655621ebb2da7d12585ebd09d0971dacc7a5d5d350", "type": "eql", - "version": 6 + "version": 8 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "49529bf8713ae032ea90a2bd741304fc3073aa411d60f1731fcd86fbd75c3d47", + "sha256": "d25da9be59ee6e3016f6467f3149eb4891eabd8a2bd208c91f8ac4d4821d5f36", "type": "query", - "version": 3 + "version": 5 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", @@ -2438,21 +2450,21 @@ }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "5b2d7848cf8058ad890e13ec5f3e44af3cc531a0179d088fdbee5bce0333f0ae", + "sha256": "b3e16a1ad09fcd7e2283f4ba72590c1058c5e17191b169c0dbc889e7787165fb", "type": "query", - "version": 2 + "version": 4 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "1df09715f5fb118e20e7f5ec6b69373747948590487d55ea4d610ddd5a86ab65", + "sha256": "5d3fe50f6bf7f58ae791db716804cda640079b345bf8f9f1279020081500b898", "type": "eql", - "version": 2 + "version": 4 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "67ab762be07f91d1b75ccffbcfca727b6aeb0d821dee16ed03a6a663bd52ee5b", + "sha256": "e8fa7fefd7cd8374cfb0e395ac7c3b0a89fd74a2f60e9d79a24127bca6ae59f9", "type": "eql", - "version": 5 + "version": 7 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -2462,64 +2474,64 @@ }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "8a406566ef82da155db97b3a1beebb344df49359242791eede92f672f71dc074", + "sha256": "bee1790861dea1f2174388239161deeb25afca3a7517f9db2ffe2f2587ce724c", "type": "eql", - "version": 7 + "version": 9 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Command Prompt Network Connection", - "sha256": "59a5d1e0d72c62b3fc7912a7067eaaca424cbc50b4e63c75f51fc4ffb4421007", + "sha256": "84fdbb4742f2acb8edc70958e3a9125b7e482b54f5c67b93d6bbf49a257dbe54", "type": "eql", - "version": 7 + "version": 8 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "26e7c7e706638948c9e8b88b3e9595a11a572137460001ad4041278283dda8f4", + "sha256": "9c96c7dd65ac739184442f2bee6c5c6b91438ba3cba9a993b5fc86f15b2a9f68", "type": "query", - "version": 1 + "version": 2 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "Setuid / Setgid Bit Set via chmod", - "sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c", + "sha256": "61295cc3cea50fa249804f351e8155868b97e93959e8f1d1a94d822c51ae546e", "type": "query", - "version": 8 + "version": 9 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "f9f14a8051c32e043be75ca358f526845101a7da1f619e9839a00ebf32df14b9", + "sha256": "4586616e81b75bff62cfe3b5984efc1313bd45806ee57fdcd22acb42089cf4b1", "type": "eql", - "version": 2 + "version": 4 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "39d70757faa0cbb8300bcfe88690a5ab67ac0efe7d33ac72e5975902b1e1b2a4", + "sha256": "c980bafc4ba3b54953b2842fd08d02fa805ef199c797587849e4e05625d3bfd8", "type": "query", - "version": 4 + "version": 6 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Suspicious JAVA Child Process", - "sha256": 
"a578c6ffa3089b0c5c9f2329a0ea4631ba599a350046ee0d17cd7594b6ec253a", + "sha256": "219a9bedef498436f26a9467c7d9398c0a8a656e2740e60d9768074407878031", "type": "eql", - "version": 4 + "version": 6 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "7.16", "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "ece6617d0c710bb863cfc4efd2fe61e53bfc9df42a5584c739b063d25a49995a", + "sha256": "327109cf402f1221b8c6b125821afb765217e789bbf653c628d4e0a7ebdd2a7c", "type": "eql", - "version": 4 + "version": 6 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "1ef638d32b8a25cfaeee7f43b7c5ec3ce34ea722e2b037241f7403db07c4e81f", + "sha256": "73fa1cce891ee006c32650991843135e8c3b22297fcce1f98242f3b4f1d70504", "type": "eql", - "version": 4 + "version": 6 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "1287f3709369ad7e39723641b691426c67666dc67c11d19db9be42a5106b512c", + "sha256": "6454964746426ac9702d2c976d94882221eb9ce1ad9b2bc0519b7f256d6fb519", "type": "query", - "version": 4 + "version": 6 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "min_stack_version": "8.2", 
@@ -2532,57 +2544,57 @@ } }, "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "e8b7d833a2cad5ad92e04ba43b572eb374e775daa2ec9fa71f72a4b5cad614ee", + "sha256": "be36f608696a60e995e56d51f29baa67f2cd8c36c86cec71f6f5ff21c6d89d3f", "type": "query", - "version": 14 + "version": 15 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", - "sha256": "639a58695ccbcd7ca4a9b58d65eb28c0045ea168aca723d27370331d0dcc6a79", + "sha256": "1355afdf29d32fb1c3e94c3b44fffc450e517d06c347993f3b0cc9d1b4c16f9f", "type": "eql", - "version": 6 + "version": 8 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", - "sha256": "307795e6c1dce173407f17f57c65d0c530dc24e20c18e78b37e93b7d5d78180b", + "sha256": "c67b68e5dd8c58394af905d6d43fb52fda4804d8e05559f4e3acc30255baaa73", "type": "eql", - "version": 6 + "version": 7 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001", + "sha256": "365dff69e83d18e0698a913577e00d9e8342b03e502853d5eda7de1dcf0bb907", "type": "query", - "version": 8 + "version": 9 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "8b35059e3e2c9c1cfabfbd9ae383daa10e26ff3840e20952d4805a3bdb73db8e", + "sha256": "223f8d3c41ecfe859e3acfb203079fc170fe27b1c4bd4a22c29947bf238f6e0e", "type": "eql", - "version": 2 + "version": 3 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", - "sha256": "c457f1f1b2813439401359cec7480f53b710fb09f8a3af76de317538e47377ff", + "sha256": "896a13afc84fc6ae065daca1b061f028df9383b39c0d75c3b69c641de91fcf63", "type": "query", - "version": 5 + "version": 7 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": 
"d86d494f83bb131dff1bf75fc9fa8952846c3deae9f7e3d60f8446ce5d58f19e", + "sha256": "b12dee32921ca6ff7c7b390a19ac0d2ee3e7e956d2c1efba79587c42ebc20e7e", "type": "eql", - "version": 2 + "version": 3 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "174652de3ab002293cc1eadd63c13f80a580f0b8310bc45a2ac6cfda75241c3d", + "sha256": "863c82226f43772f3533a4f83705f1cb95f11bc1167ee249118194ae6d742fcb", "type": "eql", - "version": 5 + "version": 6 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", - "sha256": "bb302afcbb15dc8bd5a6a79059fb4d67396737dac261262ceb6d5711021f2b9c", + "sha256": "2526222686833202ed533f2f143e4df84e4dc53a271e01c896af4c467a4aca15", "type": "query", - "version": 5 + "version": 7 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", 
@@ -2592,162 +2604,162 @@ }, "90169566-2260-4824-b8e4-8615c3b4ed52": { "rule_name": "Hping Process Activity", - "sha256": "b67a5ad8438ca5f03153173607bd3e2f12cf73ba352e1f3d094c85dfc7c1e7c3", + "sha256": "00e01283ce7ee80900ef97b32f84db309d42d308bdaee6ed1ecc46212a47bc75", "type": "query", - "version": 8 + "version": 9 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "7b5d096d90addc9b02252f9d407fdd13b77181a99c0e5ab42a7b70747921ba46", + "sha256": "b9a43af3fc990e61cdfe2fcccc4567cd889f9da516a128eede58345c6768e5cb", "type": "query", - "version": 7 + "version": 9 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "e6a46ffeb7518f0f0c6d871a56526257340210b16c109017bd88c457b6707b4d", + "sha256": "bc1b529f9188d6b978a977217a53aa17210410e1741a348c6579d6f879fcfaff", "type": "eql", - "version": 3 + "version": 5 }, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", - "sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad", + "sha256": "e8197e578e7a709b3ab3b7833da7dda9332c2c9956444eb5b2d9c3c435194d23", "type": "query", - "version": 1 + "version": 2 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "0fe0766cef30ef7f13a641148fc5a4d89c691158770233026342921f02e6b0bd", + "sha256": "9418aaa45f70578345d9ae0881ea6dbfab0ff015b0cdb7a21907c3290b99f76a", "type": "query", - "version": 7 + "version": 9 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "206d5aa1384191583bac19ff057f907ada6d4a79a91ee47c974487013ecd74c0", + "sha256": "ec9534ac38221f08c69b35033685edb9c9705c60e49f1c525716c0225efeeda2", "type": "query", - "version": 7 + "version": 9 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", - "sha256": 
"3235c8a98dd7280928ad77b9fdd7d87a8189c8025c82c4fd4934cf5c4be7f067", + "sha256": "9adefc6fa8b06aa2d868fa6d31516219034b58495040745d11c80085191c9f08", "type": "machine_learning", - "version": 4 + "version": 5 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "rule_name": "Unusual Web Request", - "sha256": "05cded9c521f7c1c3d294ea3bc28690cd66db94e95e1fa3e54e2e1feb518ee94", + "sha256": "30f744ea8a1d1a8e4057cbb587fbcc6407ad69eda84de422fff9f8679d7f6c81", "type": "machine_learning", - "version": 4 + "version": 5 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "rule_name": "DNS Tunneling", - "sha256": "b15eabc6db99f314e02c8cd2d1afdd5f9b52301be4089503c91cd48a51740b98", + "sha256": "9e0003a4d4cf507686f37601088a03180b0281e5eb9ac7195f053539998d4d6f", "type": "machine_learning", - "version": 4 + "version": 5 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "86b425a524a1db4dfc1c5ee933f99ef66307f6fba8d6070b2a27bbbfe1275316", + "sha256": "61ddb35e3f52ffe59ecc81d2b708b5d23060d0922299dd60d8a599da516f4625", "type": "query", - "version": 2 + "version": 4 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", - "sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478", + "sha256": "746c04754fc565aeca79758d77314d0ef46c01a45ed9ab811fb72476ca97cdf6", "type": "query", - "version": 7 + "version": 8 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS EC2 Flow Log Deletion", - "sha256": "98ebcee9a4b929baa3c37d53f589bbce227b1f2446f3f3c7c356add09b1dff31", + "sha256": "0564d339e7e3ccb9e8717bbdf6b6c8c712581a4fd6eeaeef0908fc02bc7a2fda", "type": "query", - "version": 7 + "version": 9 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "ecc07276a30e1c2b066d22354d26535909e33b5c78f61e56ba7267a91790cc9b", + "sha256": "b8c3ce194a672208519da88f7c41c3b32cb4420879eda128da26e7092197b6bb", "type": "eql", - "version": 5 + 
"version": 7 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "1e955bf6b29adf56d2b56d5c217ced6c481af84fb549f5640325bd1d4eeebb65", + "sha256": "e4e3fbfe5541801f14ee027a2cc2e56362676fee8a2785c86d5c7b1c0ed7f083", "type": "eql", - "version": 5 + "version": 6 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "min_stack_version": "8.0", "previous": { "7.16": { "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "3c0f93a51365de485043e4961faba1a74302db6036510abbde8f1b0b60e4de3b", + "sha256": "5ec1e79923aaa0e99aabed335419a6c200972553ebdd4d99139bdb5bee03c8e6", "type": "query", - "version": 11 + "version": 12 } }, "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "7f3e1672e2c15b1f4386242655493bbd483c0c30d377b65c94cadf17d5dbb100", + "sha256": "9849e83482f1d5320dcd34625797ea53a05ed7d411a802f2852a40e0e79da573", "type": "query", - "version": 12 + "version": 14 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "4cff5c6b85db6da429555825630fa7972dbb0f8ac152b594c6c107ec398cc9e3", + "sha256": "dddc8c43c484f02c524a703587dcd5ce459cd175839be2bf3cfe60ed071df00f", "type": "query", - "version": 2 + "version": 3 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", - "sha256": "6160a0f0792097e86209482cea32782afd35428338b00cb36c0fe15245637629", + "sha256": "33f55756c5eb02716d08d9c2ba5fc6078a766a919114bf7029a0feb10b105993", "type": "eql", - "version": 8 + "version": 9 }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "e7199b7564ddc365ce924851aae185ee10cd63b272d5c35f43c44e3f805d9b26", + "sha256": "e19c44c1daf8561a8b42d913b3be8fc7f223a78bb20d2e3fe0370028cffd0e16", "type": "query", - "version": 4 + "version": 6 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", - 
"sha256": "76e2c506c37e0ba6f11d046b0a7f98af64d20481efd5758e86f0adee37c6c80a", + "sha256": "b90fbbb18af459a1a4201a93949b1149a34f6cd4f402f567877b79b8003020d6", "type": "query", - "version": 6 + "version": 8 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Access to Keychain Credentials Directories", - "sha256": "31f58075d02cfa33ee584ba278c6a69f5194815a84f232236015c2289732e0ff", + "sha256": "af09ffe30ab11934cedfa062193534b6169e12da6f435260748ce4e5458030c3", "type": "eql", - "version": 6 + "version": 8 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "a665ef9f68409a2e93c611f82010ce20c46eaad3789062f5a6ddc85f3c522981", + "sha256": "48b6c2b4db3797e3ac2c39b6aca2291e19acfcc3b198f90712b034355d036fd4", "type": "query", - "version": 5 + "version": 7 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "bf46beb44ae071c1d51a5e3d5f2bb6fc6556087aaebec176dcacc2534e974560", + "sha256": "8879fd9875d0c6f968a35bf26b3d06654600e52b256c01e0818d07c7b89e6c43", "type": "query", - "version": 5 + "version": 7 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS SAML Activity", - "sha256": "db73bb49c842b6e76bc78b2f090869034d732417e7e2588dcc6afcaec00be4f2", + "sha256": "ab8644d2945f8f4f5ef34c03a405caa4d691e2c4b71e0a32e148686ad5649897", "type": "query", - "version": 2 + "version": 4 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "966905acce285fccf1d3bdaa7a20e880abdc87edb582b4bf914497e078d3a86e", + "sha256": "144ced09d087c3f09d76bfab1e7d3c1f57bdabdd49aa7ba0fe91571060a904e4", "type": "eql", - "version": 2 + "version": 4 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", - "sha256": "b3df2cf5b85f45cfe2549cd032fcdc0ba81feae74704c685664a74f202bd14c9", + "sha256": 
"a2e6e13672acfb9ae9fb203ba3af7a125acd7cc2b39b831d5dc6ec97ff9157d7", "type": "eql", - "version": 6 + "version": 8 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", 
@@ -2772,97 +2784,97 @@ } }, "rule_name": "Startup or Run Key Registry Modification", - "sha256": "d7812909f8d6b7f07a49520b790a1a5d653f213f6d542753f78f0d29e06b612c", + "sha256": "b8f0e0bcd42ad4b4c7a8d16b4fea917dc3da3bd431d56d1b9146fce35a215ae8", "type": "eql", - "version": 8 + "version": 9 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "b9684cdb75a2a1269bf2e791e60465bb5fe8c0155cababa9c3bb4711ae5bd1d9", + "sha256": "a530a269b9592969af0fe65838bd12d8a2137aa2663fa6ff279538c8dc9f6bb1", "type": "query", - "version": 6 + "version": 8 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "5ee29abad0dcdcae5a013c3f3d55a4276d2e3dc2aeee0926e24157f90944a777", + "sha256": "985ef9b23234dc55b25cea555cd09ddf5e558b6ed0264c8635c80b38ac7163d7", "type": "query", - "version": 5 + "version": 7 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "1d81b70ac1e4228bcd3d3d0c3c1e32856559b239753ac6e28bf198a118852208", + "sha256": "90cffbf38e70469de8b8ce748bf6dc86d6bcf396cb48893483d1c1a7b60e0748", "type": "query", - "version": 5 + "version": 7 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "rule_name": "Process Injection - Prevented - Elastic Endgame", - "sha256": "c8e41a6bd406b08af3b150d25058d4cd83f887d58e6e7b13f25c6a8cbfe3dba5", + "sha256": "ea99cd9ef8d67342ce0c1b010076e3ced1693602b7072d5a0404584bf90fbce2", "type": "query", - "version": 7 + "version": 8 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "rule_name": "macOS Installer Spawns Network Event", - "sha256": "cfaf9deaddd648ee2e3181949eb0bfd6054a43b6ff287b70ff4ce50c9bdb8ec4", + "sha256": "1c924a1136d0a837ce0e1aff8f3fdef1d4d1b8a230653b89ee4bf0ec6cbc0378", "type": "eql", - "version": 4 + "version": 5 }, "9960432d-9b26-409f-972b-839a959e79e2": { "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": 
"1c43870b1bdc78d2acf56820453508b07eab611dd8a2af96f009411a6c27d2e7", + "sha256": "88d2c5f308cc28bcc031d965e8b50aa986c141f50bc673ba4f13d1ecdcfd9758", "type": "eql", - "version": 4 + "version": 6 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "7.16", "rule_name": "Spike in Failed Logon Events", - "sha256": "7672fb2df32a9f3da61cb0c2022f18f8bf57af080a3e29e0b647e715d887ef07", + "sha256": "61f615b40b9225e3e57aedededb1a8853fa18e9ff4e1a355a3b6604e6ba13610", "type": "machine_learning", - "version": 2 + "version": 3 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security", - "sha256": "35d86aa3177f1e13febf07e1a2921393a63e9661a1a326ef641997855f1eff09", + "sha256": "7bf646bac0ffe227164e14b9c793a7b89d60415f2b09183abb46c9ec91dd99fd", "type": "query", - "version": 3 + "version": 4 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", - "sha256": "69ee10a3df9f38002944cae6319b7dc0c72f45e858c467fa56e186c2fc332fb1", + "sha256": "3e5a528e103efa698882556f4ed88d9486cdc710c282dcbc111ee1649f800b5c", "type": "eql", - "version": 5 + "version": 7 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "8c64a10859c7d7dda21d039ae70fe9f896bea6d712691f63ac11ff1c6f3cc07a", + "sha256": "ef6c8c55cdc8943049e6041daeb1fc99ac07f953f19b551643253e8fbf8135c5", "type": "eql", - "version": 5 + "version": 7 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "rule_name": "Persistence via WMI Event Subscription", - "sha256": "1f78348a9f4100c954885e58dd5e9990b2c4046405892b097bbdee110ea96f48", + "sha256": "a6dfa186d02163c2d134c0d208d5b58cf4029da56afcf4d70dd221b86240d4e6", "type": "eql", - "version": 5 + "version": 7 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.2", "previous": { "7.16": { "rule_name": "Hosts File Modified", - "sha256": "9031db9c1d5f0101bf2e4731e56aaea8eafb32ddeb660da5e3783876162f57d9", + "sha256": 
"7781b8fa8e3efcefff36f16dedd64ea47131e917b9a753e61c95f86427a03d06", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Hosts File Modified", - "sha256": "49a57a69fbfe3f0af1977b95830f2c3bd244cd7fe73ecdb2f7ebbd5c65183d86", + "sha256": "4273fb3ba5f1cf4615c6884ae41611939288cb47837b3a7bf3a8e783523e6399", "type": "eql", - "version": 9 + "version": 11 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "fa31f422b66351e594bf58218cb73ecb52bdabde58ff3ac8d91eb778a63fac31", + "sha256": "781600e7729464fbe081f95645735a242176d063824f68bf455d85d748d47d59", "type": "eql", - "version": 5 + "version": 7 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { "rule_name": "Trusted Developer Application Usage", 
@@ -2872,45 +2884,45 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "16b3b95b541ab2bbffc393a414d2706169362e99f8bdfa171a23e2a53361f168", + "sha256": "471cc585d9f8ced69466e297ae4f61b9e58ee967a30e25221d97cacf9aa50d3b", "type": "eql", - "version": 11 + "version": 13 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "5667e1f8a9669a7010baee7c5c0539f6a5c16dcf2049c4dec6370b2d45dee29b", + "sha256": "d7934b4d043fcf05073bb18ede97a1177401869f290fa7c7e7db5e66b829d26a", "type": "eql", - "version": 10 + "version": 12 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "fcb79e4901f94a558aaabb86747a1df0891e9184921c4130296382d54389e504", + "sha256": "06d7b068228fbe3b6b0a3b3a08696d011df932e353d6f91ba85d9212ed3b97da", "type": "eql", - "version": 10 + "version": 12 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { - "rule_name": "Microsoft Build Engine Loading Windows Credential Libraries", - "sha256": "da3737b1f7b999fe289b80a4c54dbe617d9ed24e83ae3d9e7be62a62563b9b08", + "rule_name": "Potential Credential Access via Trusted Developer Utility", + "sha256": "df5893436223f6f5c9ec2d8ef1188077efe117c3f4e5e94afb27701fe0f9f1d2", "type": "eql", - "version": 9 + "version": 11 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "c802c9c37dde668ec390c39ef03aa0593f23f3db6b4de77b57d1915298a60012", + "sha256": "85caae5e6133b35e3c9c96a9a78614f5e463243a06de92ef85ed835c67741173", "type": "eql", - "version": 9 + "version": 11 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "f8c58299787763270b2017db703e128e0ac183a555ebf4bb1de27ec2df22c46b", + "sha256": "bb5a421f93153184544c9cb9f4a30cd1131cf22ec8a8c86860b37ac1a0246faf", "type": "query", - "version": 5 
+ "version": 6 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "e404dae5c5dcccef855cb68ac7a5d2990bc62e10602ee9ac83a2d44db9744742", + "sha256": "6339c11ce38b137d0fa78859d96efb02fe9bba15ff628d3200a8b12ab36f256c", "type": "eql", - "version": 4 + "version": 5 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "min_stack_version": "8.3", 
@@ -2923,88 +2935,88 @@ } }, "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "f2adae4151faa2a64ae9ff2e67c933ae866b7ef695a46927533cb8971f55c395", + "sha256": "fea0deb5df78c62de43e936d5a7c60a070afb4457c68c9f3778e86612ab2bca7", "type": "machine_learning", - "version": 4 + "version": 5 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "e84ca016541f24c87c4d6c934d39f4813e5a7a50b4ed2b828368fb604f691e47", + "sha256": "4db70af1b033320b7eae92f920938b910eede028506cb5b5799c768de3050760", "type": "eql", - "version": 2 + "version": 4 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", - "sha256": "3923833310eb6eed8cbf8fcda44d03b9f961d351e2e1e52967b4dfc4cdfe7d93", + "sha256": "1de2b45a29f2d8c8e67b319082ac51b835fe7f2122a80d9760652d4c5aa9811c", "type": "eql", - "version": 3 + "version": 5 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", - "sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b", + "sha256": "481ef8a8984ed57c4209a5c825a9d953d88cbaf2ab24415e1aa5d40e9fb25f6a", "type": "query", - "version": 6 + "version": 7 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "AWS Access Secret in Secrets Manager", - "sha256": "f3406ca397e06939999f7ca3d674b4fb81401a65f23403bef4494ccd159e7d6a", + "sha256": "61c85e2ec2f907e06cb9659581bfec5911ee39fafb1eec268d7f7066215e2cd7", "type": "query", - "version": 5 + "version": 7 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "ff689b3bd1c5bb0b4f157cc38be2b84d8d17823bac91935c763b0b3d984352d9", + "sha256": "b92afb3cb8ddb2a8e0965eb3a57053b7501f58ef011fb636fa5348bc4800d973", "type": "query", - "version": 6 + "version": 8 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", - "sha256": 
"d7a9f13cd241a8a41a9b8a0fa534b662929f57162382e173dc2a99ab49da8a8a", + "sha256": "baaafbf7d529b9951ef5b16493c10c3afbc67374daf576dfe1dbf017864ceccc", "type": "eql", - "version": 4 + "version": 5 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", - "sha256": "f593f43ce7a9f78b7f49de94fbed61766e76d7721abd4ccc86f7b6f4f8edcb4f", + "sha256": "801e2c323c982dd5593002ab0b55be430898c3a39a55cbbea3763a78e72b4c9a", "type": "query", - "version": 7 + "version": 8 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "596140887b6a28641d8551b50ee645155d7df979bc273d712f257e2a87321c18", + "sha256": "cecd8b378d90ff1e7057c45ccaf832fc9744bc8f3776deb97f2c47f3570688a3", "type": "eql", - "version": 2 + "version": 4 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "7b3b1690df6c6b2ede0ea186a352d58f47717c62493f9e48c34776123c3f6d3b", + "sha256": "c0c4a98aa89c95dece1b23a1708e4712eedf912024e18b649c87204d91b27bb6", "type": "query", - "version": 5 + "version": 7 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "f7d04cf28dd823e7ebe26abce688167b82cf1cf48dd91e557b4aa59ddcde9245", + "sha256": "2d2d26e1e48f6957ee35a58ab1f10896e7431ccd2fcb5eae32e4a78cc8872927", "type": "eql", - "version": 2 + "version": 4 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "fa8466cd045c26e5eed2ae6102ce495db7eaebf6dab6ff45ef2d4e1a9b3424fa", + "sha256": "bb8d136a1a37fe63e46a4b01dad61dfe6aa7a432add04d5ce631c8e76d26aa14", "type": "eql", - "version": 3 + "version": 5 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", - "sha256": "36acbd4e14f049fc24ccafaf677ff9c0d60f8de3a10d259e3702bdbcd62a8ebc", + "sha256": "a4ffef52c49a8018f8c68b0bec5c62af6349a374edc32872c7f6b70907732002", "type": 
"eql", - "version": 5 + "version": 7 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "min_stack_version": "7.16", "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "80d3c23f3267aac09f575e38679ce6ab8784d74f599a8ec2897a6a4bcde48932", + "sha256": "af1f6b1139386f2e329657d551701f981f64318017ff59baf4c6e63c73e325d9", "type": "eql", - "version": 2 + "version": 3 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", 
@@ -3014,45 +3026,45 @@ }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "b4e96a5981f76437befb7a429bb81752d2b1bdd22fbb69f417fb410c63c2253b", + "sha256": "15080508d672b95fcf9f0a575d7406f0058c7b0253bc3b7f0ab4f27f237200d2", "type": "query", - "version": 5 + "version": 7 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Azure Active Directory PowerShell Sign-in", - "sha256": "a8f05e0880af5eee9583781ae4d138b80f47204e064fbac508d287673ca17255", + "sha256": "ab35b00fd1f3a31300bde7d8a3e0dac776770c892578babd9837e5532e53bac0", "type": "query", - "version": 4 + "version": 6 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", - "sha256": "8c4c8ab828b11155adf651f53035cdcf8fe3f554234049b374fbdfe0bf6a6a8f", + "sha256": "8ecbe22c4449148084624b62d3a9d5ac1cee28fe279787b787496d2e4ecbf24c", "type": "eql", - "version": 11 + "version": 13 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", - "sha256": "c3d17caef381a5e8390cb4562f57e69687174f2022e14ffb1da0e15b8e84365e", + "sha256": "ca4522efa05af46f5c2d15dce8afad5428e8f9286f6e069e3ab6de47a4b1d518", "type": "eql", - "version": 3 + "version": 5 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious PrintSpooler SPL File Created", - "sha256": "2bf22a09a09e4e8ad307bb84a60f1ec7f5846e26ce56c5202da4008ab73c7d0a", + "sha256": "0c834aa122c687f0bf64b255ca5bb7a8985fdbdacb382132f33c2a85fb9c9623", "type": "eql", - "version": 5 + "version": 7 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "0af224a5eb8a33da9642d8e48a9bebc285f01e0e81bcbda039a6de6148ac6039", + "sha256": "e88078808ef1cb74258d5e45d00597dac0c94a3f8c88f56648d25f0deb6ebf97", "type": "eql", - "version": 6 + "version": 8 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": 
"1f59c0bfab965460c7fea8706f18a0768cca899c0403ed1110a2d274c6727b1a", + "sha256": "6dc0831da214e7f4439b66554c58008ae27a2bb42833b0eac6cdea43a111c751", "type": "query", - "version": 8 + "version": 9 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", 
@@ -3062,60 +3074,60 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "ffcf3a23ecf79db330993ab61cde6b83bcd1e767ff5c2f1ef06eaa13e17a8a1f", + "sha256": "02aaca00464a4eab73b292952a85dc142b752a121d47f4828d309464707e413c", "type": "query", - "version": 5 + "version": 7 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "min_stack_version": "8.0", "previous": { "7.16": { "rule_name": "Google Workspace Password Policy Modified", - "sha256": "cadc95b5eb7938b3b7310150089830d4dad51e3499916cd2f5c82446659b4051", + "sha256": "c6815b312e514dde1e95bfba50fc831bfbdd71cde761c45cff9928ddd5251005", "type": "query", - "version": 12 + "version": 13 } }, "rule_name": "Google Workspace Password Policy Modified", - "sha256": "7741aa9c38ba126329fbb075496847374a2dd8d65aadd49aa25b7f0f00e6aeb5", + "sha256": "481dbe65ac8cce7d089587638b9a18a5a55eb19cc021659fc43a52c0982c1cc3", "type": "query", - "version": 13 + "version": 15 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "a9a699185b39bab4117e8a996852590bfc99e93898674e94bc027c3dd6dca030", + "sha256": "f0f8cdb52a52a12089e7390724cc44bee3445821c663cc35e2a63f065df204c8", "type": "eql", - "version": 5 + "version": 7 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "f3e51f33c8c8fda2a728a1e73185ef757441a7a1fe4d4c7e057ba1ba00e8fd4c", + "sha256": "9514b2ab490981c6da52e14c7e684b707df17a30ee85bd55cf7aa8ec16abef5d", "type": "query", - "version": 8 + "version": 9 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", - "sha256": "202bc852ab071859636c80b729cda9593499618b3f2dc34c38e267c76a453f6b", + "sha256": "3805b6abe092f8150ce3feff11762060da5dc1b40e4d939e49ea72ff72f54e8d", "type": "query", - "version": 6 + "version": 8 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", - "sha256": 
"32886e295aee99147e0c0079d526e97343bc4fe6c27706ef5e991e3913f9ce22", + "sha256": "54ebc34710239c6175fb3ce1ed17729fd6e0ae21a18203a378110af793611af2", "type": "eql", - "version": 4 + "version": 6 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "rule_name": "Remotely Started Services via RPC", - "sha256": "d9ef79e203bf39157dce4e28b94d8ecc9a2863e1171d5003948421ce236c9a2e", + "sha256": "1668bc65df42a4f69c15b674d81fedf8ba6c52125f242c2097936b53559ade94", "type": "eql", - "version": 4 + "version": 5 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", - "sha256": "a4fa795f24e1eecf02164092ec16a99174eddb8733615dc448b876ebd08b8426", + "sha256": "acb9b71ba876ce876744b2d81deec5f975cbc9622840ecf0c9a35e6460932b07", "type": "eql", - "version": 2 + "version": 3 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.3", 
@@ -3128,72 +3140,72 @@ } }, "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "1c145ebc96d973eb2cb7dd091071dd3dea4869b769639ac1cfdcebb36348a6c3", + "sha256": "9b2eaf86371aff6000a3d4b9b7d74e70b256f87b85f94a34d5308a219be6d071", "type": "machine_learning", - "version": 4 + "version": 5 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", - "sha256": "441dfd8343418bbfed2e8b8d16a371e1bf8e4d742fae0d6237c8cc4f4754fad8", + "sha256": "d8546fe302b17410b7f4f6c4f0150a1110e78f07d5ee2802fef2a921ee7f7f28", "type": "query", - "version": 2 + "version": 3 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", - "sha256": "9775c5accf062b0d84429dafeecc379e22a6f2f54a09fa49b77e265012c3d712", + "sha256": "9eb523c7e7f8f2b03de629dcf315e163280f3f23f07a3c8541352802a57c4944", "type": "eql", - "version": 5 + "version": 7 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", - "sha256": "70a62aa5cade20e81839deb1cef446ae52ca3a21725d7bfc00c7fe0adb539d55", + "sha256": "0040e72217955da9ebe2eda8adb5a374ec22d203a0348411b4d64fa2aa297649", "type": "machine_learning", - "version": 7 + "version": 9 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "997ca5317573645e3d462b83b30ea09d78aa303adce6d796de2fe3be82e11cf7", + "sha256": "fbe7bf8e4c621ac26b7b792325e84d8a4ebaf756e9ac6dd25c21666bde8a4bec", "type": "query", - "version": 1 + "version": 3 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "min_stack_version": "8.0", "previous": { "7.16": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "01a8beca2e8f570d63e7614d558243b1d0b9c42d9e0ce9f439b10016f06eaea3", + "sha256": "cb726260cbf8b5a0f646d56b06b9be07fc0ff6fb2efbda14ded64114e8e1c32f", "type": "query", - "version": 11 + "version": 12 } }, "rule_name": "Google Workspace API Access Granted via 
Domain-Wide Delegation of Authority", - "sha256": "3d8eab60bf795ae6756c1c6058a7c1be2eb14e1c1777a7b4bda27e1906206c95", + "sha256": "20c318f7371acf3525de9993aed1bf5528fd64c464fb671052d945fcb5f1b428", "type": "query", - "version": 12 + "version": 14 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "ecf39233d5f53c119cd57516c3b0ad7c0bc09ff58fd279a47a28d5b61f6c10e1", + "sha256": "0bdd548ca60181ea30cf746e0ea8cf8e345ac00870ff3ae9f442c4270de08f1e", "type": "eql", - "version": 5 + "version": 6 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential SSH Brute Force Detected", - "sha256": "d29b62554e453edb9dea6a8ac0d579c62aded9e00bd9d832e71760d5738d5c1e", + "sha256": "6d0cb93c3879e8f129c1c6b3ba4f47ac8247824375ceadcff0e6a9df2e21ef78", "type": "threshold", - "version": 2 + "version": 3 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "a357b9a510442209bb5f8d23dabe74e4309831848d7ac1c52301f236013ec19d", + "sha256": "2626acff0e30a2fe082b30d09fe7f3a3dbb46c7349f961c427b70d2451ef2cb0", "type": "eql", - "version": 5 + "version": 6 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "e254b2fad135ecabff65179dfa71ce6dd7a05eae1dca58f099f498987c2a5187", + "sha256": "26ea45052873c2fae5f1ccd0f50fa9176397c090ddbc0845be2bcf4f9bc1e683", "type": "eql", - "version": 2 + "version": 4 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", 
@@ -3206,33 +3218,33 @@ "previous": { "7.16": { "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "8b04328630ae74389a2b77d23700d2bfd3900c6008bf0aa9654c2432b427b9c9", + "sha256": "d1b026666d40c609533cf8728001d959fbf822a6ea704f9471b93c1e1bc79142", "type": "query", - "version": 11 + "version": 12 } }, "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "72ff218857ba09e7c08970ebc6cdfcba3cd1dd4f0711dbd403b074fee911011c", + "sha256": "d83786fa0f0f46826d15f1dbf34d992fd97992857988a9f65a8f77da078abf58", "type": "query", - "version": 12 + "version": 14 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "bf3c9373100e7d25782f5d517203035fea52e6ed20f37e9669367bec59f4ab01", + "sha256": "dd87b932c4d7e0c7d1df354bc2dd687d599fda8e96b30a3dfa407ad8b0dc1dfc", "type": "query", - "version": 6 + "version": 8 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "ae34300bc6a31dec04ee9e3edfda886d660fef5b4b5b11ac17e87b1c12629a2b", + "sha256": "ff336cd10294d0cfed182cc225ebc2334e7fa5e5136f104ab922f816dfcaa962", "type": "query", - "version": 4 + "version": 5 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "Netcat Network Activity", - "sha256": "fbd9235f346b2954a4f2c978d543d34065e3534b0e17101a79a7fdc249a07656", + "sha256": "d372e9cae4f08c721e0f368cb73921df18cb974ca98e1f9ee341b24c499d7fb9", "type": "eql", - "version": 6 + "version": 7 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "7.16", 
@@ -3245,21 +3257,21 @@ } }, "rule_name": "Local Scheduled Task Creation", - "sha256": "ea88687da0b3e350cbec589c89e6b91be2999547a3762f95b3ee42423842539b", + "sha256": "d412e663786e8446c8b21ca4436eca75890995e2f9ba2af309afc077e1b63ef5", "type": "eql", - "version": 12 + "version": 13 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", - "sha256": "06532e4b42fc010315bdb2ff6a7743d79cab998f7801afc857a1c41f0637ba22", + "sha256": "badf206b4c63014bf266dbd796d05ac69c44c9ebc85b1f4c82a2fc7f24091ef6", "type": "eql", - "version": 5 + "version": 7 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "826bc637cc0f012b3a24a3c6e47b41edc9957eb2d361245eab2562f4d43b6247", + "sha256": "0a4d588cdd0c4213d9290aea4c33c56c38cdf509adc9abaec5329798250ab73f", "type": "query", - "version": 1 + "version": 2 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", 
@@ -3269,27 +3281,27 @@ }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", - "sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417", + "sha256": "21fd46bd475c36754e426372fb2b0801f08c933bddc0c4ff1e91a7e0441e4df0", "type": "machine_learning", - "version": 3 + "version": 4 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", - "sha256": "4c7e904ee42a6ff60e2d1987a4bc1be0b90e5369160fb574294a40a60ee31ec6", + "sha256": "c67a26e60bcc0d0102f11fb944764f8b6dc3e298161377161f45d7c960e23899", "type": "eql", - "version": 7 + "version": 9 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "c1217476aff9f395f81ab6d124984ece66187ecdc92c7519c7cddcce25d69bb1", + "sha256": "f334352604ee57fffd7f2d5a4ee611d7b983e0307ea24fa0aceb78eaaf6a7d60", "type": "query", - "version": 2 + "version": 4 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", - "sha256": "178f41173d20d636480f9ed3b789bb0815b9f38a327bab209b3a98e29e5ff6ed", + "sha256": "ca9bff584286546d693121bb3a8b62936c60e75448510fd6a71068d6cab64ca4", "type": "eql", - "version": 9 + "version": 10 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "min_stack_version": "8.3", 
@@ -3302,112 +3314,112 @@ } }, "rule_name": "Unusual Linux Username", - "sha256": "093dc7c42353af6d60328fd53893e9e14af849f5becdf3eb7967d069e7a58b44", + "sha256": "2d31e6cf93a5156f1eec94f0829760b67c1ebc3eb02dfc49406827d4b0761058", "type": "machine_learning", - "version": 8 + "version": 9 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "9bbdf50c864df5b81be0c6fc6f74032af769a6e57fa73aab899d75d6d19aaeb7", + "sha256": "9bc0223af51d5a440aa3392f44355d22cce419d813ee3df11a0208590ee4bc2f", "type": "eql", - "version": 5 + "version": 7 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "9f2b91695b4312bdd195b4b435baca4915e550c4d1d524e7d2fd81ad7f56f9a1", + "sha256": "f89480a8b012c185261e6c134876b0412e33eb35e5b881b56ed20f6e888ae789", "type": "query", - "version": 1 + "version": 2 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "dafc0655d05eda9f4d7aa25bc681f944dfbb3406af1af35b75c17f0361e07c05", + "sha256": "87a82246d12e7b0920ca0cd3c0ed21d78749a97e2d76695f20b10e86771ec614", "type": "query", - "version": 1 + "version": 3 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "c2e6159b2299edf22ee885dfe16c66885739f453c602cca8929190fd39417dac", + "sha256": "f9e950c1a0464cfeec425f9b40539d19786ee57940e42ccbcfa9dae65b5a271a", "type": "query", - "version": 6 + "version": 8 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", - "sha256": "2be4d09f50ef43f4f53efd5dd6e0036303eafa2fc21a20db86900d1ff4aaebf2", + "sha256": "fee88e407b3008427032dad110fde2345d4a282f54093f7280991a20befeb34c", "type": "eql", - "version": 3 + "version": 5 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": 
"78cd566f7c38ddb92425d4255262993cdc7dd28e468339eeb2a65b5026f27890", + "sha256": "f9e7c547669253937f5c4f6d8f1a0ef17e3d2a2dfd660f265b8be56298d73b9d", "type": "eql", - "version": 13 + "version": 15 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", - "sha256": "995e6676acb368df8d6782116f30161a65f7537ae0cc62cc30c60aa6072546f0", + "sha256": "5f6bff489f84771b7a728b6efe52c7ae7b0755f3f883249bc8330c72c72c0304", "type": "eql", - "version": 1 + "version": 3 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "10a7503a00c05ce3603ded3a6a5ca6c6cc3087c78881142356ccfa32882f6e71", + "sha256": "9610526bfdcb878273c8a63098822ca2cf40e9ff7984d74050f4680b5b33d8c2", "type": "eql", - "version": 2 + "version": 3 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "90d50261b3b2a019e5fc38ce8a60d012d3ce78cee9a83709883621fc5c108150", + "sha256": "a72b891ffff9a64ed0f7df50e6a9db6a15fd55cac3daa70c4e2231b5a220e5e3", "type": "query", - "version": 5 + "version": 7 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "54696851213ea2ef95385bdc4cb58d942bcf0ffa4d5663228c057dd9b5303bee", + "sha256": "f77fdd905b55c2e0d87190c356500aaae63b5c840e7023250714244dc9ad1125", "type": "query", - "version": 6 + "version": 8 }, "b8075894-0b62-46e5-977c-31275da34419": { "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "0ab87cf62524d8d39578a9c8b1af307d665f1a412a64dc559e92432735cacb55", + "sha256": "dc77b47449de87228a8cf6dbbbe8d2ae2e3bd2c3a6840a9e18fe2f56d11282cb", "type": "query", - "version": 6 + "version": 8 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "dd582cf7684e5084ab7e12614dac33c40c7f9fb8c58200da7cbb37d7bf655664", + "sha256": 
"434c624c1d4ddbd26abf31b01797279cd3eb29a00e4e07455d3188ac512fe7d7", "type": "eql", - "version": 8 + "version": 10 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", - "sha256": "6569c4c09b7707943f2abd68297581a9b96cda43f2749734235e476c970787d4", + "sha256": "5dae170229a82ef184cbabf4ac2e3f63eb63df1d14b66d0fee6a3e1b5b9d8d9a", "type": "eql", - "version": 7 + "version": 8 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "313395d41d74e5f9ea9140c5b4cf4b7df1459a827c75a252a1a19ab50f72e16e", + "sha256": "8be0bdf2c5c59327a0d79bead790436d1ee2860046be852b30b54622a7850e7d", "type": "eql", - "version": 5 + "version": 7 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "4f17e0fa5cebe3ae30385335149befc21b643a6a3d17554cf9225a5013a381a9", + "sha256": "cee1d015a929b92ca29c739cd0dde4b5840b9274d7a7f9a49dfb18eee6ce508b", "type": "query", - "version": 4 + "version": 6 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "7.16", "rule_name": "Creation of Hidden Files and Directories", - "sha256": "9515b6e94011f55aaec0a81fd8c343771c1bd922a16a699075e105558cb4be3e", + "sha256": "fbca761b43c94cb3d69cd72767b9040c206f6b7f2383b5eb3060993043fb546f", "type": "eql", - "version": 8 + "version": 10 }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "c96ba2d6f75119ca2862fdcaf518dd485818272f81ce245a976d86583904e4f1", + "sha256": "9c46b2102e5e8fe2f5628ea58b100c07e32fd347df708a90b4a6735485090aaa", "type": "eql", - "version": 5 + "version": 7 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", 
@@ -3420,135 +3432,135 @@ } }, "rule_name": "Unusual Windows Network Activity", - "sha256": "7b02abc336d84242dd450c5912423eaaed3a749e68d8a3f890cfdc80079a6226", + "sha256": "52f5556168a640094d64da0bf2f46478207325c918d2a18d53b9630b39efe09c", "type": "machine_learning", - "version": 8 + "version": 9 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "132b4ed3fc8b5103df86b8e2adca81b8f64b27052f04f4592590316e4a333741", + "sha256": "ee6c6a0a7041f2d0945510572afedf08c8e319a697afdf2d7f2054f8ff482cdb", "type": "eql", - "version": 4 + "version": 6 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deletion", - "sha256": "05d3511a18870e475f0a29b788a09df1b90b7dd3d8c30d71c1fd0f102b7a028b", + "sha256": "9841654857ff66d82c550d391da7852304992786929073e3c7587f68f0b52312", "type": "query", - "version": 5 + "version": 7 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "adb8ef40d1bdb8dc542122c628457232cfa38a8e3cfa3154dbc75847eed0012f", + "sha256": "dcab4b18e9e1c4c81101e4026b67556101dcc5f2df1fc1bb14c8d8f80baa9979", "type": "query", - "version": 6 + "version": 8 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "OneDrive Malware File Upload", - "sha256": "e6c68dc60c27ef6e892718a4e3a1071d1d22afb2050b249e94e4ffd94d91185c", + "sha256": "767df99a149ec41a7a73b99d726633ae999a3dd0fb28954e21a478b748a11d76", "type": "query", - "version": 1 + "version": 3 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "cf4ab6152eb828c653990718827e21f607f56f75618bd5f39f07e9ce0297f0b6", + "sha256": "96d772e93d7fbda7de31acf8e14f50cd18eae39127227b09c0de80a736581fd2", "type": "query", - "version": 5 + "version": 7 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "AWS Root Login Without MFA", - "sha256": 
"e1f5cf52a7d175097f8214d1df8ae5c8b9210b46830621e04baedc8df3670668", + "sha256": "a0c2139754db6d98b6bcb6b20428d173b16bfb279421ba1870ee5e09582e394b", "type": "query", - "version": 5 + "version": 7 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "rule_name": "GCP Storage Bucket Deletion", - "sha256": "5346621003185f9e9f4f4bf9caf8ec32cd996948cd76122ccbfeb4fe19e92908", + "sha256": "bb169d4bd61eabf37d63730d2dc744cc1b1150f38cad07c1fef88b0ff8c1b21a", "type": "query", - "version": 6 + "version": 8 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", - "sha256": "ecbccde9d45ab87e4c3959dc93eb79ec19b29919d3e172c6a30c702e1b5b59bd", + "sha256": "1dbc5ffea6668c9fa1369750243870594f5f19a3220247eae24cf37b4bce5d41", "type": "query", - "version": 1 + "version": 2 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "ca527af48e84456c10753f6defd407323000ee60b09246ce33f95422e2242b16", + "sha256": "1546d03c55fa6df09321ee25cfa5b7e24e93abbd68714872289fef5474f9b671", "type": "query", - "version": 6 + "version": 8 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", - "sha256": "660c3b64b35ea795bb74c9eb7b6b3b83154cd7b2eafd8eacd053cb30c89785e1", + "sha256": "f241fb16cdb742b1e8aacb5cfbf7d9e8ae84476aa0cf2af9634b540422b1a426", "type": "query", - "version": 5 + "version": 7 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "rule_name": "PowerShell Keylogging Script", - "sha256": "3b664e177f2cb7ef127dc2562387c2c1ddeacc1940e67f9341b2c548bf0afd3d", + "sha256": "0005eed7151bc66fb0cd04e87aaa3bf667dcfa1611ada4454766beb6ba00acbe", "type": "query", - "version": 5 + "version": 7 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "d32226f39b805f0d3b878197ce1e5edefacb3256c64e3e9202c9471e13b4e3c9", + "sha256": "6bb8e576cae990d70ff8b16a6c8e408766a8aeda758c3f4de21bffb4c92e6f89", "type": "eql", - "version": 3 + 
"version": 4 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "d0bdf11f076a52dfe3cd8c622cccf0cdc97923e725c48647e4f01a08e043a072", + "sha256": "c0e40bfbb0993658ffc65f2aa928ddf04bd3bb4cab36d3eb5692295c546829d2", "type": "eql", - "version": 2 + "version": 4 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "cc6840aba4ea4559b570353b3df391dcb5b11a05ed0c0b141584ef294b4192c0", + "sha256": "b903b68f801e8ea76737f8da58506d0a3cf41a8c58e853a307b0b8dc46a8c08d", "type": "eql", - "version": 4 + "version": 6 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS Snapshot Restored", - "sha256": "4f5ffad0a0704fa36742992383f0ddc019d7cccaca8810bb8ff864f791f3699d", + "sha256": "f44355656ab97323a7e6f5a12725986d04186da5c171cd3d43fa5479bba9f3d7", "type": "query", - "version": 3 + "version": 5 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "b7af6c3dc975fe1841051e43ae8a61191cbe85cdded0f84c93c807772f48ff3d", + "sha256": "8af744d809e66335fdd8b420a68a55dc999b3b93b788916d2d06e645f3d47f82", "type": "eql", - "version": 4 + "version": 6 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "4f34a851ea5e0d5a304a4899574353546e939154981a9c0ed75767bb7be0f579", + "sha256": "479de12601bd58360df092a9a63fb5818b7e967d9142f819e26ad491b235b677", "type": "eql", - "version": 3 + "version": 5 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "3b663d2296f62cf34af39c377fbddc713cf42ae0a391532be2b3e6b619b90e76", + "sha256": "e9831ca3b5becdb0e68783790b36ff8efc3a0e898056a27f995b7d83053ba624", "type": "eql", - "version": 7 + "version": 9 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential 
Manipulation - Detected - Elastic Endgame", - "sha256": "b8e01edc11020238557b88b3db52fb1b046d6704ecec3c71606e6d560684c076", + "sha256": "f70a4cbe69fa9dc30861d8725bb5f16fd9eb7a7d6c8875f0c2613e0f7b7f0472", "type": "query", - "version": 7 + "version": 8 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "7ffda053c321a862e713b7900ef19daf1eb500387ba3bd6789b36e3e9f99f3ab", + "sha256": "8dc4caf0cab4c187c6bad1760ac4c11723c0c1ae1e03aea2b8ed3d612c79ed1c", "type": "query", - "version": 2 + "version": 4 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "da21a85bbd297173cd6188781e98d632908ae30503793b557fdda2278be8da0f", + "sha256": "e9606bdaf8cc52bc03c0de35b84bc98c73553ac3a8915da58ec88020a386f392", "type": "eql", - "version": 5 + "version": 7 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "min_stack_version": "8.3", 
@@ -3561,94 +3573,94 @@ } }, "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "e124e0a0c8431f7cb9d2620441bbba0cd3b662770721332fa1e52b056c6c3dc2", + "sha256": "bcad4cfd8ccb223531fa7ee1b05d05a14ae1a16699b7b3627402a8861c7a559c", "type": "machine_learning", - "version": 3 + "version": 4 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", - "sha256": "80afa22868cdc85eb346cd133de505801f0b1dfcacb6244d49f865e0a376f74b", + "sha256": "eb957a3dd3c2ae652239fae36f0dd99ab850141c97b51d4598079a279add0105", "type": "eql", - "version": 5 + "version": 6 }, "c2d90150-0133-451c-a783-533e736c12d7": { "rule_name": "Mshta Making Network Connections", - "sha256": "b4909209146737396e9b58b34966b2b3891fbe958caeeb010d6c23ebf2cf207a", + "sha256": "93d4695226fe0c7257786aa097ebb9d3c74b8371625585352ca1fd76af727db8", "type": "eql", - "version": 5 + "version": 6 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "20cc6568ccfe584a934546ca41589195cc38d5c9c159424b793f04f55910382e", + "sha256": "48646bcbd4110010c8c8a2ce0e71e4cff8755e4cf1ae4e4a7e75dd52233f4822", "type": "query", - "version": 7 + "version": 8 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "1b4d93df41d8da4c5ebc6a68f84831693819f5b97543ea49de2b31aaaf1c0d24", + "sha256": "b007236deb7a9347f897ceb0161f1726c57aba660f3fce96e08b686e0076aa59", "type": "eql", - "version": 2 + "version": 4 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "f60fe5b32ff54a35a502abef27b7a8c4a8294ad3ad27523e6a38c233611f7732", + "sha256": "0e20c1d9c7505bac6f968e50499da0d632e80699fa86b8d5f80681f960853bbe", "type": "eql", - "version": 2 + "version": 3 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": 
"5cd684e5352c22873f97c7431f13d4339b4d6605723012d1b3ea94395874bd12", + "sha256": "408047e2c0358ccefc0fb4c232b448d3bc7302a380ee5bc24002b68769722707", "type": "eql", - "version": 4 + "version": 6 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "494da2709cc0f5de102df7e3c7846c43ff969489dfa9f08fdf7aa82c241cde84", + "sha256": "4386351a99165eae57ee5fbb8dd05ebf0218c507d0b67817cc082f245026cf98", "type": "eql", - "version": 3 + "version": 5 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "f580607b967e59493bde8739bf54c97efe2356bf910bf8bd884eed7063ff7afa", + "sha256": "568ed65a981e9bbc685870951ed6d77baa80bf363018c8a2b861ecd9e809ead5", "type": "eql", - "version": 2 + "version": 4 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "88bf63fa5666b708286c1c057c13d9395886468103724aaf6336f5715d4fdc31", + "sha256": "3492f29a60dd6da6c073dca4d286e0e84513246f923efb71b2ff12918ba011b7", "type": "query", - "version": 5 + "version": 7 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "3e9b6fe3e1a7ff2c5a3c69f87b339ecd78c4f441e79c9f5927e9388c628a1d68", + "sha256": "5693c66099391127c7952f8bb15cd31dbd3a0310486de295ae5fc0448a2c263c", "type": "eql", - "version": 3 + "version": 5 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", - "sha256": "81788cf9d61ad308d13bca2f9882ffce48353414414d4bd05235253088b8407b", + "sha256": "48eaabd808b03d026b149864c92b9079d3d2059007b3725b0db4546bc065eb03", "type": "eql", - "version": 3 + "version": 4 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "8b74062307c6bc0f782c49eac88b553c420674e680905532cd167293ca1da13c", + "sha256": 
"367ef757eb933b6b4b09159845c8fedc97eec4dc8844727b456fc9035519c420", "type": "eql", - "version": 10 + "version": 12 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "min_stack_version": "7.16", "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "0c5ec551b85d7e7e8775c4c1508a831c6019881d679e137e6f0531968d3ab03c", + "sha256": "5a6326f3fd5dcf155cc0a25ca4d35790b841a977b4cd75481f8b40cd9ed0f33c", "type": "query", - "version": 1 + "version": 3 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", - "sha256": "0534f53daf22af73ee3e33bcb24223e7c54f624944059b8dcceb8b24fdbceea5", + "sha256": "78c9c95071c452b4bd48d9a8d46a37b55762ba51da228e5629e93a0ceb754198", "type": "eql", - "version": 7 + "version": 9 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", 
@@ -3658,57 +3670,57 @@ }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "324244d3a1a21367876830445120fc9ce2a3693ac832ce11442f9c71ba26cf1b", + "sha256": "e47a82025fff71c901874a69cc02f400b874b7d6ea323a9c2da0a310b73a601b", "type": "query", - "version": 4 + "version": 6 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "rule_name": "Attempt to Modify an Okta Application", - "sha256": "897b7cf567d45aebb4daaaba655d2627aac02b5c883882dad6f9cd26c1243975", + "sha256": "5fcc0438736611bf19d8a2fb784a85ebba0ed2258c25ca58c33bfcf0451da4e4", "type": "query", - "version": 4 + "version": 6 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "rule_name": "Unusual Network Connection via DllHost", - "sha256": "c2a6cf1e4086cf935e57ab571366cfab426f9e6481e9e5a3bbeec1d1efbc4535", + "sha256": "1464fa32140bee9421999d8f9dfd56570431120a98c6dd085c11b58d49fb46da", "type": "eql", - "version": 2 + "version": 3 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Modification by dns.exe", - "sha256": "317ff29db74a71fc93aa6b026358d64e13c35cb7b53ef0760f91a6489e20bc08", + "sha256": "f2595eda244fd4babde332e6b734f668a97ab1f7e128e4753c8ee5c8d3c56904", "type": "eql", - "version": 6 + "version": 8 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", - "sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f", + "sha256": "fa394793eba1edc3a72a7fda7424c1b43b1c1e9219dec37e8d7f4888fe2d78ee", "type": "machine_learning", - "version": 2 + "version": 3 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "8b02aafa4506d9cb5eda8c8243ed102f6b9e882c5a109e5c1f26b086ffbb0afe", + "sha256": "de64b4f06f8c8e2d5367a29a6312350edbc39cebe09b3f9c1063e947e4140d03", "type": "query", - "version": 2 + "version": 3 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": 
"cccbd868c1f9fa563d8d731c88ed3e783e085b8c53412177f113a9eaa94118ac", + "sha256": "c762f5de1c0dc8d4fbefecbe5ec987d85ff703868558b4c2025a6491f8434e05", "type": "query", - "version": 11 + "version": 12 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "Direct Outbound SMB Connection", - "sha256": "211e2a7134d501f32017fb32b025c99a139a2eeabb60830d0df4ca74a56b43c8", + "sha256": "904ad71020b2254192c4008b4b25cfdb21a523e2303f94117b623a01c023cbcc", "type": "eql", - "version": 7 + "version": 9 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": "1b4d02fffbdf3a1cc36547e5a68f20c38ab32701b8177ba87697a3b99c6e66bc", + "sha256": "d8ee45d0074e6b1d209b59fe30f6728feb04cfcdb6ab190e899977e14bbfecf0", "type": "eql", - "version": 2 + "version": 4 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", 
@@ -3718,66 +3730,66 @@ }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "rule_name": "Parent Process PID Spoofing", - "sha256": "1fef8434702bfb1e375a190414def78e6ee6a6523b0ab47eab82953922195230", + "sha256": "e819002160793a70b60760ff75655b16503255435496de2e3d0dc6651af974ee", "type": "eql", - "version": 1 + "version": 2 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "bf93f818a5acdc021805c2fb4f53fa56ededcdf991128dd0b0bdbbd7d3f18c8c", + "sha256": "ca362fc15b7aa368a146c5f16f7deff23a7f90907b1a6aea57a84a3989bb3d76", "type": "eql", - "version": 6 + "version": 7 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "f3008c2551fcd90560270ad7f389a439399cfee139bba0ae29358e5e9db2bece", + "sha256": "8af2a2813d0cd1bd5762df61f47e5d27027bbb7fac6855f1c80192bd6fef08a9", "type": "eql", - "version": 4 + "version": 6 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "0a3aa3ec4774795554e8be4d9db16b5aa97c1afe8673071bc15ecad2042067df", + "sha256": "ad91f659cd50d69a7b77a47f641b74719b6c82759845c8452bb694fd6686410a", "type": "query", - "version": 7 + "version": 8 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "648947b1b1ff3cf148413b8bd0b3b53bf36c5505da5988a23ec993fa3083b313", + "sha256": "8d88ef18e79a970807d13c2ba615457184e9a97681a7122c88b5ed0aa01b7cc6", "type": "query", - "version": 5 + "version": 7 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", - "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed", + "sha256": "ab0e5f84562981f458618f527af8a1d99aab85d6300580ce5251d7e338c4eea5", "type": "query", - "version": 1 + "version": 2 }, "cac91072-d165-11ec-a764-f661ea17fbce": { "rule_name": "Abnormal Process ID or Lock File 
Created", - "sha256": "c887c38b43b71e69ceea2c9200eaafd7804f6a83931f19b86c13bc5bc97611d2", + "sha256": "48ff4da0fcd2b34c697f944ba226e3486441002f72b255f021f57009902e59a0", "type": "eql", - "version": 1 + "version": 2 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.0", "previous": { "7.16": { "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "f8496e8188b47da802b79dba6b01c3f9f4e4d7fe9c0adf98503ec33e0a2f6747", + "sha256": "599fc850f87b0b11bb3af05aa1936c1859f7c5e188c1f83be2655ea3cc71a1db", "type": "query", - "version": 12 + "version": 13 } }, "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "de718fed93c2314061daddd300ddb5e01064210ddc42d687fcdd988aa2595d5a", + "sha256": "379aa70b3b81cae45ea6880029e004184feb36e2552cd7d130bed11ec6ccf9ae", "type": "query", - "version": 13 + "version": 15 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", - "sha256": "ea21157960f47745d507cee8da54a4fcc8f75c41b225f6ee08d8462e6879a7c7", + "sha256": "dec593519b5866847b0d7da921caeab0f613b1cab036d4bda7a5775ea9d5e24f", "type": "query", - "version": 1 + "version": 2 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", 
@@ -3787,33 +3799,33 @@ }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "rule_name": "Attempt to Enable the Root Account", - "sha256": "25a2832a5de142a55071b950816a7c18bc95e803ac391db31c6caa1ed11689da", + "sha256": "741aeb42feeab9054165b3145253ab3826124f2ba19d70c33129b46f36ef7f2a", "type": "query", - "version": 1 + "version": 2 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "88d5829dab8d3f0f92799ccdd422cd9f521302270dd2c81d5ddb41b60b1550d9", + "sha256": "3c154df8bb2f10e7ba8dab80838e5cfda01a459490081a7e3dee24da89908476", "type": "query", - "version": 6 + "version": 8 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "dc85297baf482232f011b9ce98f169f3b7be8b1422de1cceb9f7af2b50560327", + "sha256": "d1105e17378ef0a30b552153d37efdb95eaea36ca5646f003c0647663335b7d8", "type": "query", - "version": 6 + "version": 8 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", - "sha256": "2b1dac1ccc6843acfa825aa0f250925056ed80d273deef8c7fd10f656fd48f35", + "sha256": "d3d51648e56786364ca0f5e181a5e8cf20b152c6edc443c8748cab4de6a5fa33", "type": "eql", - "version": 2 + "version": 3 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "3f66423329bee6d660afe1e7d5e5d4cfd7203312e3babd6015ca1fee60af2659", + "sha256": "489836df0748f67381a778853cdb2b7d7a12da1149354d26fea4aca6ddd47ab6", "type": "query", - "version": 6 + "version": 8 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", 
@@ -3832,72 +3844,72 @@ } }, "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "4ee4b5dcb56b421f4908084b64cba1d0a70d0715936b58267f12b7462b96dfbc", + "sha256": "ad8165ac52cd15e739a9f7110aba3d306bb670730e8dde1c3b080d441333e10d", "type": "machine_learning", - "version": 4 + "version": 5 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", - "sha256": "ada4b7f1536b5940bf11ef7267b8ccefd251c58d01db796b01ab135fc4d18a32", + "sha256": "1c8be7221b73c0ef1a2ecd9c9d67a30493f1a138df4ed632c30a1eaaad4668d8", "type": "query", - "version": 7 + "version": 8 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "a3f866bf18352bd51f590bd78b5ea55a23c8bc7788e93a4b0c6e4a1f1d222873", + "sha256": "2ef23303a03fab3c106b182f89e598dccb55f2094b900d5f861dce5d507d3a3b", "type": "query", - "version": 6 + "version": 8 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "rule_name": "Okta User Session Impersonation", - "sha256": "71a7458a8e3515afa344a0b8fdf7d9c4ca6140e089769facca129a107f3ea389", + "sha256": "b0bcacf8a1b2f5dd70c355eff7dd9c80c49a6fbe4497601305cbdb1ea98b8678", "type": "query", - "version": 1 + "version": 3 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "5caf92535f99df8d56a98abed7b55510cd3786bf0736e4da940b6df0f5504399", + "sha256": "213ba9c7e98566ec9eb3d8e83fad522b44402a3bb574cd8d698e88b3de58c03c", "type": "eql", - "version": 7 + "version": 9 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e", + "sha256": "bcca85d3d45fc537de6532533791364364702c835cfb73b358ad54ada6f52e20", "type": "query", - "version": 6 + "version": 7 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "min_stack_version": "8.0", "previous": { "7.16": { "rule_name": "Domain Added to Google Workspace Trusted Domains", - 
"sha256": "5cbeb7ba36d4bca274e78516b67aa418552a39af7ff07d0605a306cacb27a1ef", + "sha256": "cd4f89243551c1339b5502a776a7ca15183d07da9cfd5df268a4c4b2e5954c56", "type": "query", - "version": 11 + "version": 12 } }, "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "734ba85eb72a8c8167a1247c75d48bbd9abb0a9954f8a357a20017258da978de", + "sha256": "1b2f4e7f57bb317809a9a7becb68e34c3c4b287ae23540064815f64ee925f255", "type": "query", - "version": 12 + "version": 14 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "d00a417959deca1431571d2146033409bf9cee846323b38c246d0484e9c4e59a", + "sha256": "a36221604c7228f14afa0c87c4cd65bdeb52d3d0da4935f9af77ade379ae2aad", "type": "eql", - "version": 5 + "version": 7 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "854b575f4546fffea89fb744d7d2f319a16bd9ce204eb9d386f9319fdd753494", + "sha256": "ec596232b07f57337ded42809b05e4616306c860f9cbbfdcd7016ce0f195b8f4", "type": "eql", - "version": 4 + "version": 6 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "92a93c83ab68d2d97a45dab6d50fa7243069c4a8231fe94c56714d38edec35e4", + "sha256": "c83b9154eb59550be3f873a64afb2d96a58e3a1e3d08eb79ccfe48c5e6addf8b", "type": "eql", - "version": 4 + "version": 6 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", 
@@ -3907,39 +3919,39 @@ }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "8021ff270be998297c5c97ba9fc27fd8a1b77952434ed4dd2bff1fabca2860b8", + "sha256": "73b8ba14aaba2436292df647a90336f0697440ef12fe71f39e201ffb0bac9825", "type": "query", - "version": 1 + "version": 2 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "3d11166da33b53f57ca622686e784d92d97742fb74ce962e3d39a909c6c9b84c", + "sha256": "963327ef29e41ffff32d97cc72c852380b91a1f508c7e73eb8997b8f08b7203e", "type": "eql", - "version": 4 + "version": 6 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", - "sha256": "d69060f4b72ddf9a9f9b75d678b0c3847b0a8dece00b17b978ea865315c7a0ba", + "sha256": "23df78a46ef817bce1307cfbaae08c4b075908c253fd6742de612e50251342de", "type": "eql", - "version": 13 + "version": 15 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", - "sha256": "81d944d6e43616c8ce9d52f1959afb89444b9972b4c8269b28c8d7c74485e4b8", + "sha256": "d216e2e2cf3d06fa293ae9c2c3cba3977897440f561a3bcbb53130428bfae7bc", "type": "eql", - "version": 3 + "version": 4 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", - "sha256": "015b43d6b11252e9e5bc11ccaa1d78aa3587aa342e429b51f668a160ef3402df", + "sha256": "dd6f22083d81371c51d24b5b8a492d9586a3d8e31254a72791c9d8a26f035ba4", "type": "query", - "version": 4 + "version": 6 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "4b9eead51bdd9860f02d47c1a20fc4892ba90960f2151ebe61c89e07ed3f4263", + "sha256": "19024513ed918b3f834bfc02a6fade03e36daff8a7c0fb19bedeaee8a1613dd2", "type": "query", - "version": 7 + "version": 8 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "min_stack_version": "8.3", 
@@ -3952,82 +3964,82 @@ } }, "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "3d98f764fe976df253f64e01eebc8c21b6f053483109c520c47251ae353f12df", + "sha256": "6b9dd559b61d9f033e2e976296a04acddb2a6a0b94ed3db2b8f4c915685f79af", "type": "machine_learning", - "version": 3 + "version": 4 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "min_stack_version": "7.16", "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "eaec6ceda71a7d7f2ef470443ab29248249a5782241bd0d422c6c5201dff280f", + "sha256": "bf2e9f3bfc2bc4d8c1f18c62d4e5eea1c468abb712a2b2b9b0aacc6466013b9a", "type": "machine_learning", - "version": 1 + "version": 2 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "df727534686ff5d08f97b53cebae31cc82f831264c16022e81a2aeab10cbd8f9", + "sha256": "49857fe6b602ba67910cf3842eeea352c132f6555165e8bdc80a96b3811e408a", "type": "eql", - "version": 4 + "version": 5 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "36945a6918d4b8f1672682279ce8123b9ebbf06b04d6193f67d7f70ee25c2a17", + "sha256": "212b7a4251ddc96bd861b4f8504b07cff1ebc87bc83a5d62aeb1f60dcdf2a9b4", "type": "query", - "version": 4 + "version": 6 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", - "sha256": "14fe2ba1367484a6ee97e359ba9b8c5c66987e02d2865d8537b9ae9b1ef6d2ab", + "sha256": "4f1a9cea4e27cd4aa1579b26c0e1194e00c56dbaa173df926d00b2ac54ffc361", "type": "eql", - "version": 3 + "version": 4 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "2f43c3628e1f8540a1c844cef4b679344bf077381ccc1f8acdea765c8f3c63a7", + "sha256": "4d02db77bced0c1cac5a6880b9ad735a8ac63e6e64a6ba07a1130608406339f9", "type": "query", - "version": 7 + "version": 9 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": 
"ff495b8181b94c67024c06bd2b1b9b4e52e571de47f5946026c188d07772e0a9", + "sha256": "c201f0d3b848da98fe0f426b9cdca17271f8baf00b2910822ac73e307661a293", "type": "query", - "version": 6 + "version": 8 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", - "sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7", + "sha256": "a4b05c5f542be50707efcc3268388b0090525e444510f76394213be2835b6911", "type": "query", - "version": 8 + "version": 9 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "99f23f66b2d5168fc92a02d94e79cfe27e1e7e3b869a4fbe1c8bc605c158fcd0", + "sha256": "d50f3ff9ccd6e2359663941db357279be5bf27311245ae55b36264a58ee89703", "type": "query", - "version": 5 + "version": 7 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", - "sha256": "e042c3c4ababcee73270ddb582bb80c6c7859ecc5f62bcc4fc7e29e1c9c6a22c", + "sha256": "f6589c989117d006dd836fbfbaedcb8fdae15c48e0af230c838ece7cc7565381", "type": "eql", - "version": 4 + "version": 6 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", - "sha256": "ed067d19adb84d5fdb2bb9789fcc1eb9ae137325e9b41c83b035570270608cfe", + "sha256": "12bb91c5494107580ebf88ac8241b7af9912cc883383de028b8fb9fd9532098c", "type": "eql", - "version": 5 + "version": 7 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "e1c1c4384395fe59e788f530caefc25c56cbb6b0af0d06d448c7095b47643b7d", + "sha256": "0f73bf98639fc72beb510da6728437ba102fb0c9e0fa7e6e36d878d456094901", "type": "query", - "version": 5 + "version": 7 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", - "sha256": "bad21256e2539ed2889697b46ad97e31897d99ae6b81423aa0ed71e86c03c165", + "sha256": "cd672851cc7069c4978d323f3759c166eb8be77fcacdbd1f44c796534216316a", 
"type": "query", - "version": 2 + "version": 3 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.2", 
@@ -4040,40 +4052,40 @@ } }, "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "fb31d0eaf6786a71496f8d2605f731b9e3770b5a16af3d6e301e5b5432154634", + "sha256": "cf57a1bf422c49749bcb59940765ee03f6b5a4d0dc3a7f2e98dc31c880a71882", "type": "query", - "version": 9 + "version": 10 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Permissions Modification", - "sha256": "0a8db0c43b681d84156a42b60ab5ecd8fe9caf71f2bc01c51a9c768bf9d901e6", + "sha256": "1d8cc8a55a1d2b97161f42107333d5b41c70c99e71afb4761268b58ced135d10", "type": "query", - "version": 1 + "version": 3 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "min_stack_version": "7.16", "rule_name": "Spike in Logon Events", - "sha256": "f597878752cb6e91544579901584b4938249c29026da834e202622b3194aac5b", + "sha256": "276ef460a2579b2a70b8dcba0e8abd837fb48f004dd5d47d1cdf4e1cad3631ad", "type": "machine_learning", - "version": 1 + "version": 2 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", - "sha256": "7e8d3c2560ac6a468f7701f9ee237e39bc51231edf8d5b94ab0055d60286730b", + "sha256": "f795ea35f70c7ee41f46586159af9c713d96e6b0356ce45c1bd5e35dcf5b7e9f", "type": "query", - "version": 8 + "version": 9 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "a96204e734aad61228f51845056ce0f072c2740658b3d7b8af4eff8706a9ba9d", + "sha256": "03947d0ea22720a6dba1d55785a67eebcb485fde87be208748d1f3ae96ef50df", "type": "query", - "version": 5 + "version": 7 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "2e7e33d7a4d4b5507845fa13ff50cd296f435afed71b4d7bc58c7459ff11cf08", + "sha256": "589e122c626ad5497068f4f69cc7ef691042971e5ac9c4a8d1a1268a5af9888e", "type": "eql", - "version": 4 + "version": 6 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", 
@@ -4083,15 +4095,15 @@ }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "11c865273e884bc2fc14a65de9455d9d999fec216a350a79742055ea2689a328", + "sha256": "8c3b85bf2ab94ff8a61317300bd0592bd0f806b3cac35c6a1582e88fbc4a43ab", "type": "query", - "version": 5 + "version": 7 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "2d8957ba5a8d444bcd904025089be6e4eb710b93e029b4242316d5e95274facb", + "sha256": "f2ec062ac722a8377196646fe81f94a07a691c2fbeebf3b756ab6af33f321615", "type": "query", - "version": 7 + "version": 8 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -4101,33 +4113,33 @@ }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "7efa41860adf6873d8772c86cbb32fdbf1051b2e8f325178741c543cba9ac141", + "sha256": "9adb7cd1d7292a45f031dd2beda9b2cce1607bef38696f31ddd2eea4bf12ac34", "type": "eql", - "version": 12 + "version": 14 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", - "sha256": "4a8c5adcb913d0b9b5b0cbed928925d7a23d8457a0956225a2d036c8ec10f301", + "sha256": "ae3dd3370dfc2ed86eb9de870716d0c842b0c0a4eb0b11f2cf08a2c7c2fed0d7", "type": "machine_learning", - "version": 9 + "version": 11 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", - "sha256": "efa60094cebe3428f728d0c83e1c5a563182fe632fc708289651cae652351029", + "sha256": "3c571a1dd8be7ebd5a8a34f2c143d1ec0405ca997f9b91ddfda5df8707b3d122", "type": "eql", - "version": 2 + "version": 3 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "df0d9aa6e72770666c31afdde320557514d6318422eaa781b5cd48590657bbb7", + "sha256": "f32e6b1973127776314666998a5a0cf538c4c0fd2af4401388c467f0259e2380", "type": "eql", - "version": 5 + "version": 7 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "2dfa50e7bce0eb5396a016deae281f948ed101975bee4806e8d388199a8b4012", + "sha256": "703cac8fdd4f1098c5947cd5c2edb3baae065d09e094928ded1d4404af74af7b", "type": "query", - "version": 7 + "version": 8 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "8.3", 
@@ -4140,39 +4152,45 @@ } }, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "f2e71281a73e50949328cab350a1fa9f8f5cbe687da5e0e6a3d605cf140c84df", + "sha256": "19a2c2edea07e896bd9ba7dd032f7c297419e8ec96096a7e75d3798bbb1d42a6", "type": "machine_learning", - "version": 4 + "version": 5 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", - "sha256": "5edf3bc8df71a855a4dab07c6f921c2a459827567c3c4149ec1f3aefda5453ee", + "sha256": "91f36256063fd6a1fb0d4b4eb1038a0ac8c4a7bd033041e693e5960e2174028f", "type": "query", - "version": 5 + "version": 7 + }, + "df6f62d9-caab-4b88-affa-044f4395a1e0": { + "rule_name": "Dynamic Linker Copy", + "sha256": "6cfd8cc95a24bd3c7b02aa0dbc131ae0aa363499d0b34da0215821ee11812f7b", + "type": "eql", + "version": 2 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", - "sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d", + "sha256": "a3541440857d1ba8ee264484e121f8db2e96c77d377ea44b44d7ae14a1ae7737", "type": "query", - "version": 8 + "version": 9 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure Firewall Policy Deletion", - "sha256": "a1d4f0fa9407969fc217c89005688467e15ce80b501d09f91d9eebda0756b9da", + "sha256": "779cd02ecb6ff9607eae001938db84e8045a1bfbd94f84eafc3c0f677cb29eb1", "type": "query", - "version": 6 + "version": 8 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "000d93890b8ee95ef2321c851b55f1d1f4292cec2d92dd53879b56c83a6c624d", + "sha256": "8c69d278b16327517865f29ffcae09bde12f424357d992fd78ed167c305008a5", "type": "query", - "version": 2 + "version": 4 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "0e7206d6334ee10726bbbf513659b98a614a9b5ab2e916603e598d530ff31e70", + "sha256": "91ff5a766f85f23419b5e4a3d5c7e7cc56e08346b67b1cfffcf611de54b08d9a", "type": "threshold", - 
"version": 5 + "version": 7 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "min_stack_version": "7.16", 
@@ -4185,127 +4203,127 @@ } }, "rule_name": "Whitespace Padding in Process Command Line", - "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", + "sha256": "7be7460a09221fb46025804643d238d30e4eac45f938b83c4aed1362cd64d345", "type": "eql", - "version": 9 + "version": 11 }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deletion", - "sha256": "0f7dfa6f861c221ea106353380859eee6f1a047f463f39fbacf7de07af246e71", + "sha256": "0d94c1f6dd74a20add3dfb6d3ce5888d4f4e6d5c9d8a2b51546f1fdcbb18a13b", "type": "query", - "version": 6 + "version": 8 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS Route Table Created", - "sha256": "ced07968e26a004585120ef12658b3be4f12bfa5f601e3caaadbbb4b27529700", + "sha256": "b203ce25ed8a48ee0722a99a4f930bb89426a56349eb42fb18f52f0f94f677e0", "type": "query", - "version": 3 + "version": 5 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "AWS RDS Cluster Creation", - "sha256": "d234e6465e48075455eee2f94a978eeead53a68f150231dc941a6ca4d1db897c", + "sha256": "6c37b14e7653a63f486d75e059237ca66963f021b23d3b82db13c17fedbb66d0", "type": "query", - "version": 7 + "version": 9 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "rule_name": "Connection to External Network via Telnet", - "sha256": "a45edaf4d918bf73f99e232fcd351f941cfa4f924fd8e1178dc914370f3c706a", + "sha256": "472df9dc371166d7dad6b226846b2c2335d95a925c8a949249a6dba01f850618", "type": "eql", - "version": 6 + "version": 7 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "7.16", "rule_name": "Spike in Logon Events from a Source IP", - "sha256": "604e329a73f5f711f4d8aeb944976f58a8d5a993388062231c925fe211be1b91", + "sha256": "56c58f5b38dc07ae7023625d7b89740c6156ec4babe18f7b3052d1d64286ed60", "type": "machine_learning", - "version": 2 + "version": 3 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": 
"68c33f06b1581f219147e1dd21155ea426dcd622d103e738942cfd6484cbf101", + "sha256": "83939370b4568763eb651229e8801014e6e48c318980ac868ba33aad9dfdf306", "type": "query", - "version": 3 + "version": 5 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", - "sha256": "94dcf7938345325b7cca64d3a410cffbb9e2503ddb509afb63a9721087a0b906", + "sha256": "d4ae7db68a2e9841b2cabab9cc0d07d0f88c101613ea6b5d1db19eae31b58fa3", "type": "query", - "version": 5 + "version": 7 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "a1f5ea3baf0cdac73a57a9e180cf61389ace52590fbc6f7ca99deefaff67f2c8", + "sha256": "cf6a6f0eadf2cdccaca88796048d328c3ddbde3453bc36f69a564675fda98019", "type": "eql", - "version": 5 + "version": 7 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", - "sha256": "5031da57a37dd009a981fac97fab322c1464d65b3f518b11934a4deb79d9730c", + "sha256": "0edd01c3d31e948400264fdab5bf61249e431275fd46fbee67d1922f4d8269d3", "type": "query", - "version": 6 + "version": 8 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", - "sha256": "14866e4d65402730ee83038804d67b9ad1cd9cd8b5e29b60a6a2a3102d574154", + "sha256": "05b19ce10255b02ae25e80ba185732982702392093b4c05c20358ce7f132bd46", "type": "eql", - "version": 11 + "version": 13 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "e55bea74533e2fc5765e72b6d225511d1cfe053d9489dd81361da331c5c57f85", + "sha256": "440149ce814ad06d1b09e0d19d6426db59c610fcbbb8aeab7e67572d463050d2", "type": "query", - "version": 1 + "version": 3 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", - "sha256": "2597f5c35305aefc8016770975bbc727d72230fbabd8c9418d4147741104be0f", + "sha256": 
"b47502c00c1c5a89a76099135cda46927a2bac199a32fa69c796440b73fd9db8", "type": "query", - "version": 8 + "version": 9 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "0108b231b6ff6fd18135af37e0c9f0a4946bf4d9930a5a0b2218c5d6f8b84092", + "sha256": "025fac3c239ae8bdb22816f8add55a9f1f8683d33e9131a4a3a31b9b8034ab57", "type": "eql", - "version": 4 + "version": 6 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "76403b5bb1d921124b3e30083e2ae88bbeccef82d93ce47455ce0919d5a675a8", + "sha256": "21ee7339dc00ce872efd2292c6fba04e61b3115829b22346c6583ccfceafb56c", "type": "eql", - "version": 2 + "version": 4 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "8d8985d87033dc11c0e673c1d9963cf89369e11468d2d4ea2c786fe7ed03b518", + "sha256": "e2b2ef83a0bfaeed3bec1cec92615d1ad28453ffe4dc367116227cae8336d733", "type": "query", - "version": 6 + "version": 8 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "bcdd122e8566edca2f53e8e240809c4b74fe7a8351cf91d27f712b45b2848ade", + "sha256": "9cc4b2d0d69c50b16c191500392d6623afffd2b4a329bb2e9536341de907e1b5", "type": "eql", - "version": 1 + "version": 2 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "abd4f1d93a531d56627582b8eef736fdc31ba0c3fe3343aa6dd9e2d4ff6efffb", + "sha256": "d7e564ab0ed7612650185717def8f732fc9eaba9ad93059452d09ba72cd7ae6a", "type": "query", - "version": 3 + "version": 5 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "min_stack_version": "8.0", "previous": { "7.16": { "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "1b8f18bfcd5ebd6a7ef2cad523000d799d2cba09cde203a94541c9ad03327c82", + "sha256": 
"c2ac77cd236c9997bebad7dbd68fbca34417ff4c999a05fa26114d41393ec636", "type": "query", - "version": 12 + "version": 13 } }, "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "aea30c3bf1eb96e0c6f0c64da484ca2310b1ae26e8679030c0a30a8058982a77", + "sha256": "1d683a0d1ccb6ce95ce4cdeb2cc91a3288967a0940dee7834dade99469bbf965", "type": "query", - "version": 13 + "version": 15 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", 
@@ -4315,81 +4333,81 @@ }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "rule_name": "Bash Shell Profile Modification", - "sha256": "870461090ff0ee534196576c1434c8bab00da1ea368665bc7fbea973a390e24e", + "sha256": "d5574cea1dee742493442d485015a56dd84807693c0dea38b92f3f8c87bf8f88", "type": "query", - "version": 2 + "version": 3 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "rule_name": "Authorization Plugin Modification", - "sha256": "ad9317a7f7fd99c1ba80a7666b86353686bb19e51c37e2af77267750ef650018", + "sha256": "3f826c3c874e18c70082ffb3f99d894848c2578120d903f8cda87efb42e096d3", "type": "query", - "version": 1 + "version": 2 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "rule_name": "Possible Okta DoS Attack", - "sha256": "be780601c9e4a7e1aca8845facddfea5d71bf738376e9880f61beae46ddc51a4", + "sha256": "417a495a4fe5187b8fb6f1e914b20d342f43ca86452383e12a6095f6723cf2ff", "type": "query", - "version": 6 + "version": 8 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "b78ca456fd5276e71fb4dd70cc65b83bf83647865562528ed06ee91c4542b971", + "sha256": "e729c078dcf4e96d606f88ca1e5c5af1a449659cc6c1122c95169a249e03f74c", "type": "eql", - "version": 2 + "version": 4 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "d06b33a543d522b2f430c7851d7bcfc6784092fac3d4efcc1bd100f0eebabee7", + "sha256": "def78e2a7f58ea9d6e4fe790d93765a71427715d5b30ac836d9328fc5afaaa2a", "type": "query", - "version": 6 + "version": 7 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "a20d59b00c5cb946794ec2b30277dc754792a46bce3ee1cd6274d512ff418929", + "sha256": "2fdf04b7009cd2472b90eae3023287e0ee8d2592461378505618292c3c102822", "type": "eql", - "version": 2 + "version": 3 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS Route Table Modified or Deleted", - "sha256": 
"a3f47174a8ef30c46dc619170edec3eee8d924bf9c984995c73b44c58f1c4446", + "sha256": "0baca867760c1194761c908b91e7c687a05c9f773f4553a483d55f6b6bc4d341", "type": "query", - "version": 3 + "version": 5 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "8fe19c0b6cca7e5777e54058ef0f6079b4c4209b2616679bbee54cdace3a536f", + "sha256": "c2363d4297c17ada60264f950fd5ceeb2522d94d858b1147b05e3cb6e8afa666", "type": "eql", - "version": 11 + "version": 13 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", - "sha256": "bae364e240fb0a873de25f69f6f79e34aaad7dc142c41af69719f0bbb657836c", + "sha256": "6930fda0828ead9f29766d8893239c3a557c78cd70ddbab9442598fff4688715", "type": "eql", - "version": 5 + "version": 7 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "a3589119873fe764082ca62c45709fecf67be62df872d4dc816e0bebc64b5429", + "sha256": "2065b472d8411b1ea18e2d430a1b8fcc460ba7147d81cc1bff34b17993f8f292", "type": "threshold", - "version": 5 + "version": 7 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "AWS EC2 VM Export Failure", - "sha256": "106155918013377d2c3d72ff9b2d607114595c86cde344092595ee3340b5a9aa", + "sha256": "240fc0a7efc142acfbbd4caa14b7621b51ceae23df98f5759b41efe4681ecbd9", "type": "query", - "version": 2 + "version": 4 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "ba48b83e8f0e385808256873cab3e57bce0d236c1c9feea16110362486871dbb", + "sha256": "1525ec0087caa20e049ab4ebd2fdf4d75cb1fd1370bff99ce6dc73770aed7a1b", "type": "eql", - "version": 5 + "version": 7 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "8d77171cf0f3a00f7c7f86fa5a55cf2a6f92fb20fe2ac7515ec1c11255a015f9", + "sha256": 
"f8ede6bdaae2f159c71ac86b1366f22fab966c71ac620a890fc4c89930bc6cac", "type": "eql", - "version": 2 + "version": 3 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", @@ -4399,9 +4417,9 @@ }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", - "sha256": "6c51a2f7039139e42c9c5ec21c8e61544c1b2becdcebc6fc2923654efffa8169", + "sha256": "e9d3a51ab454a0b3ed096e0296d4844bd47e146fde9bf8b3f8a449c70af34aed", "type": "query", - "version": 5 + "version": 7 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", 
@@ -4411,102 +4429,102 @@ }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "05d4c9f087486af875f198e0211e9ed7966e7e37e52aa9cd375374e56eb87fb1", + "sha256": "e5f2b03ed6395208106e3844cf9e70d2d68dbd6af7b61bcea3165f5ca9ec23ac", "type": "threshold", - "version": 5 + "version": 7 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", - "sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5", + "sha256": "72face45470206883b10dc28a6acdcd239c0d3ef1605a9383b4444fdb422e6f6", "type": "machine_learning", - "version": 2 + "version": 3 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", - "sha256": "3c761c7b1a22a38d6334369cd822c00a6b2d954f9c650ffc564cf84ff8f8f403", + "sha256": "a85b3601831d4047395d6f38ca712e50515a4e8aa1a91dd3c803b3857d9a38bc", "type": "query", - "version": 4 + "version": 5 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "4e3dbed23985f9177ec4b64e9e8a39b7d134016e9f24a0511c7fa1b0ad3e5616", + "sha256": "f2c04977975186299b4c20414c3fcc749937686fc65d5c023d2bac38d4d7f923", "type": "query", - "version": 3 + "version": 5 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "rule_name": "Suspicious Network Connection Attempt by Root", - "sha256": "44ed2613b321b265aa643120f1f0f46f3c2fd6c4d7557b2ae4c9d7680e3600f8", + "sha256": "771a5f68207dec6f1cc9f1a8c88fe60fefd8be4ce08620eee9be68758e3ddae5", "type": "eql", - "version": 1 + "version": 2 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", - "sha256": "062c1916cf85ed48401162e51109dc371e142f7983c9f404ab00cbc1846a3a40", + "sha256": "d20cddc6cb9b6be1cd6a7423949f3879c7f7f43a3b4fc8387febbac8372dcba4", "type": "query", - "version": 7 + "version": 8 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": 
"6b3c56dfa4b0f9ca84cf0a2d7eec8af1e8a0dc041776a9642ea05bdcf4905fc8", + "sha256": "228f6f139ec1c9c8b08ad6ec16b70da46edc27cfe4f6e0cd704fb38e4c37b7b1", "type": "eql", - "version": 6 + "version": 8 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", - "sha256": "0e2278ad91f8c5b1fd3b990bc776e2698ba2713b14833deeb6c76bbdc625341c", + "sha256": "7379a9e4b38b8ab051194763cfb39573689221db20c6e687894566e30663a7a1", "type": "eql", - "version": 7 + "version": 9 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "rule_name": "Process Execution from an Unusual Directory", - "sha256": "413005382e39995f1a65b24a1c0e3efb5e4f0fdca179613f9e714a09e199b7b5", + "sha256": "b63b08563dfc194de8a13b914b30834f33c44a18e820f75946cc6c1c1bd1377c", "type": "eql", - "version": 4 + "version": 6 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "354d712416c35cb028b95cb1960ee6cc7db40176e030ede0068ffe2fa0d0216b", + "sha256": "c03a21a10132960ba8c84bfcaf4f975fc60bad973aacf6384f2e468d9679409a", "type": "query", - "version": 4 + "version": 6 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "e55c3cf978d32cfb164c5b8c8aa39ae007961fe094ad77f3c841b63d07cf2bcb", + "sha256": "76a4d813d758a006451e31e1f76347907fc4172f49929db17eff7f87835153a1", "type": "query", - "version": 5 + "version": 7 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Azure Global Administrator Role Addition to PIM User", - "sha256": "081fa89e03c534503260ad3e556fc428c707a6d443a39e2608dfe96f6f59d34b", + "sha256": "3fc370a8b713c6699912ae07459ed9ccb9af038522ceb0973f8dad25279c0308", "type": "query", - "version": 5 + "version": 7 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", - "sha256": "e43c14d6cbccd4bb0e6ac4485ec72afa4a073da25100f4f5f31946a21765cbfd", + "sha256": "a7f240bfb4b91109d22ff1f703e2ca4c94d212076bbf3112d70341f325d86d17", "type": "eql", - 
"version": 8 + "version": 10 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "8da582f29fb72ed46e190081bbe82f4b0666ad3b883cb74b3986eff63610ef66", + "sha256": "40f95fee7ea8816408eeaaeb300813bb956de0b4df97f0e3237bca73a0a1c5f6", "type": "query", - "version": 4 + "version": 6 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.2", "previous": { "7.16": { "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "e971abb85880898c0a7f38127565be02a2d427cba85fca159380368553ae06ef", + "sha256": "57cdeb9b748e3dd0b5f06ed2b86b75ba3165a9a64d2bf2622805dd2f0c9e8cd5", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "538353688cf30c572e7050514a45b8f636b08280eae7673aad7b225f50b5f744", + "sha256": "c1d74857a7e7762a51086f84f1be549463424b60568c0b88035db0aaecb4548c", "type": "eql", - "version": 7 + "version": 9 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "7.16", @@ -4519,9 +4537,9 @@ } }, "rule_name": "Unusual Print Spooler Child Process", - "sha256": "ac1ded91f88cd92988bdc5f20a34f790657172aae3e5a5a437641640b06091d3", + "sha256": "3fe25e314cdcf16071088596e01b717c7be9354046ef5d784a23e38b8b1decc2", "type": "eql", - "version": 6 + "version": 8 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", 
@@ -4531,108 +4549,114 @@ }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "6fa6e956eb12b63782fc63c6f32c520a9f7b0d87f3837a9c5514b2bdf35ca6ee", + "sha256": "dfb37944e3e7a8423f5ecd3087fca1b60d3691e9d79df11af834584077f5acf2", "type": "eql", - "version": 3 + "version": 5 + }, + "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { + "rule_name": "BPF filter applied using TC", + "sha256": "a45bca6f177105ff77836c134bd1664a95a690cb62b20d6197294a472a3afb8b", + "type": "eql", + "version": 2 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", - "sha256": "58cbffa455c5c098fd444fa2716bd4f4a4e47ea7c9ed98cb3f3df2a8e8f50314", + "sha256": "534106656edfc2ee298abcd56b00b229a452f186977558a0a3055d37dbc44742", "type": "eql", - "version": 9 + "version": 11 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "779861ae9a5a6d779252d3f50f03be4b3b396c034d7cb7d558b8742884bd10d8", + "sha256": "627f8900c65aba70e655410d4a9f559c2556c757d4bbc16715f83682118cb5dd", "type": "eql", - "version": 4 + "version": 5 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "66263b5a6a9cb7c17f2fd4a6c8c79078cc09d49f8f35ca811226da66e5002fea", + "sha256": "ff3230c43311efe2360123fc5931365cfa72d2787b35a6a1b0be474e9f63887f", "type": "query", - "version": 4 + "version": 6 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Attempt to Remove File Quarantine Attribute", - "sha256": "4ff19316c8b3536f59deae663c274c2a8ab6a2addcef635c347b28e515d4bd38", + "sha256": "ef8c951feb7ce27b3455b8a6d3836d4158fd5aa6351bd976dd4f0742dbbb3176", "type": "eql", - "version": 4 + "version": 6 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Alert Suppression Rule Created or Modified", - "sha256": "75b2fa37eba863b363c80a411d125c57fe44e72971aec6689befafaf53212bea", + "sha256": 
"022442e94e9b157b3da627f2538b276b9aac60f059b799c3898f35a7f396f4c2", "type": "query", - "version": 2 + "version": 4 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "4f8fcc4f978c267b58a59c41a4e4f617ba6b8792e2aa22fb26f971279ea9f8cf", + "sha256": "0d9f806ba8b69905fad955d3201c753acc87a1837b7ded9ce2c3b66056951d07", "type": "query", - "version": 2 + "version": 3 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "ba0c743f8ab5070eed3f4c95b7373da00c1c49f8919bccc4113a4d73c733391b", + "sha256": "69f6e9352509b644c95ad43357cb6f9d3c39cb13a3a793ba5844232554883eda", "type": "eql", - "version": 2 + "version": 4 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "3cbd01915b107fea443d95d3745e5e570e2a31f0087d7029f3feb633371fe181", + "sha256": "dd6b5178cccc032b70ddc2807caee9ab6d924a81f2d3c3415ccc0e8f6cc4f12b", "type": "eql", - "version": 2 + "version": 4 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", - "sha256": "2ba459343a12bb5eab29944e3968636c5b38e0007b17f8e5b6b8c12c58827110", + "sha256": "5262a4e6073b071fc281f6e7520b0fd5d2dc72fe5ee12be03ff920741797cf9b", "type": "eql", - "version": 2 + "version": 3 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "min_stack_version": "8.2", "previous": { "7.16": { "rule_name": "LSASS Memory Dump Creation", - "sha256": "c20cf6ad2f9a2341f530aa7cd2335230d2af19bea5f06d81c3d7dbb65e7d38af", + "sha256": "3e6e50826d519b95be8230a60471e7347a0cf1a3f68d2aa857aac4ce300b05a7", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "LSASS Memory Dump Creation", - "sha256": "fe88f88d9dffe80847b75edf70c1e2c4e578b0f4105a52f19723aa9cf4a87603", + "sha256": "ccdba814e2d55e3d217c8007c87e612352e91e290c154c69d32748b26760badb", "type": "eql", - "version": 9 + "version": 11 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { 
"rule_name": "AWS RDS Instance Creation", - "sha256": "0ec2175d57448fcee88f8c0959e36d170fb2c4316bbeb2724bc03fc65de12ae1", + "sha256": "ae9183ca74e4e99e5e06f0bd4706f32b20d2497aaa772145f942b73881f2c941", "type": "query", - "version": 3 + "version": 5 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", - "sha256": "697265472771d768d277926b42e99b11fc14f495b24c6f2b8aecc0cc10b6409d", + "sha256": "f5d3902ff9b854f19e046b13efc5652fb3357e2ba0b6a03004af5dbf6ad65498", "type": "eql", - "version": 4 + "version": 5 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "6e5898678bcd1b9c833fd090aabbf6e7e2fd69692405c532e8e7db74f71f9ae7", + "sha256": "7ae7a67bf3618c7bd90ff834cec03ddfb7fdde73bf2786adcae9331c93b735ee", "type": "threshold", - "version": 1 + "version": 2 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "d8203073cb9b2238107d828480603ad46f5042d8a81704a91e7e71b0e0c38c6d", + "sha256": "8b716970a3ae6c3521ac2c34930178185ecc89e9a9cb83bca9e682e1ef1505c3", "type": "eql", - "version": 4 + "version": 6 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "f10789004ab5a0b3189568a57c3ba230dfee3b40ee91029e96db4796107b08bb", + "sha256": "9bf14a6e899e66713cc68e923fec0464974a147ca6e00806fbc7b72a00fc2ea2", "type": "query", - "version": 3 + "version": 5 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -4642,63 +4666,63 @@ }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", - "sha256": "a051b45e6ebd98e14959c0987ad3b9e0a8588a46e64ce9ce4d3449c05ca513a7", + "sha256": "0eea0b65385ccfaffea183f5d8fe0dc99646b80e0ce365c4bb3a9626d4e8d7b4", "type": "eql", - "version": 11 + "version": 13 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "ba326ac9368b4e5d082ededa977176061cac940705885aa1dc8be2ce9eb0b926", + "sha256": "44c57bc161ee1e3d503a79ed1594a516a66e383ee248401a96dba30cb0c84122", "type": "eql", - "version": 5 + "version": 7 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "81dd7f5072dfe02a8bc46c3235883cda82b0941f34c4334fbfe738f8373079a2", + "sha256": "84ff62e38a254252fdbee7dd54a05c1d28934e10e02a095f611c07747cda8c2c", "type": "eql", - "version": 10 + "version": 12 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "baedc4fcc8fd933fc5bf8e2f76c4ebb6acb9bded48fe91f102727b5978c797fa", + "sha256": "14d44860e159f1c957f42bccf3f51ce2cfa26c9fc283f9f21eff1e52096dfcaa", "type": "query", - "version": 1 + "version": 2 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Azure Service Principal Credentials Added", - "sha256": "66ef58015fb2d2ff7483def6fea4d52755e99bc2cdc2a12f63ccba87b16641db", + "sha256": "3d93e16175c4697159259819fa02c614028614c09e009642e7cd51df696a2cab", "type": "query", - "version": 2 + "version": 4 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "5ba0f707d95e1455ba5ceaf33d751de1607ba2d8b4dca34d3c938c7768003ac4", + "sha256": "145ca71ba3b2babac7a556584f84df57a2bd677c1a766c61db2b7958754273cb", "type": "query", - "version": 7 + "version": 9 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": 
"5d8d5e30fb647fda5e111159561585d252ba6c0dbb5fa2686948a5049413c092", + "sha256": "da2561988baf9f0171a26e41a80e7924b7371984fca58c3fd1662dd767f6a3a9", "type": "eql", - "version": 5 + "version": 7 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "dbfc825366177f189fda86d93c1a1a0c0c78ee47a6cb4bd8d6632cb38292641e", + "sha256": "d641237aa9ee963766061572dd0b8b367a932277639333967115dfcc6e36cdb9", "type": "eql", - "version": 3 + "version": 5 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "a1fab020030d01dfba1dc1c38293f9c6f11877acef2296e84bd9934cb13f0b29", + "sha256": "0535a4c3fe822272a67d12fd5fab71556d90c54dd17cd4702af6a45db6588d1f", "type": "query", - "version": 1 + "version": 2 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "9b6a01fd1ebe28d49977691c2436fc4fb42558b6e5f71af4c2d264ebdb31f81a", + "sha256": "5ebee476de3aadc8d6bec46ede1398e84614f270dc5c834a19d1adf957b0c0e1", "type": "eql", - "version": 5 + "version": 7 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "min_stack_version": "8.3", 
@@ -4711,21 +4735,21 @@ } }, "rule_name": "Unusual Linux System Network Configuration Discovery", - "sha256": "14d20e2e82e941edcdbd220e8a8452c2b7c3d439345f8c165c7028552891d60d", + "sha256": "3e1a2c2e70d9f98147ea21c6f9fae56684c8a0cc110ec2268f1690d2daeb11cd", "type": "machine_learning", - "version": 3 + "version": 4 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "c0e090cd568639eb8a72c9c5cffc485a12fe5c1e837a054e3a9ed90da45f7748", + "sha256": "8ca2d9242db939b7167caec5d407c518b15e29ca7bb97e9f2485503bed682841", "type": "query", - "version": 6 + "version": 8 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "4e1765ba0371caf2c48160431eb226f0090b88ade59e8d702f98df7448cc788b", + "sha256": "569766bec372711851a155fc64514fe8421e5c3db5f3c6e3b0ce5eb2b290fb6e", "type": "eql", - "version": 4 + "version": 6 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "7.16", 
@@ -4738,27 +4762,27 @@ } }, "rule_name": "Network Connection via Registration Utility", - "sha256": "e8a62abdfa0057ddc9ccfb78efdf4c3c8ab6e01fe6540087df5df85320283d52", + "sha256": "692d11da55144430e3a4dc36cb244c5a6c2f13bcd109526996cf310eb0df16cd", "type": "eql", - "version": 11 + "version": 12 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", - "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412", + "sha256": "61563ac92d5e7bfdcfc1d708a640f4ff2c5ff20eafb8a41436344ddaf5c0b11d", "type": "query", - "version": 1 + "version": 2 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "f3105951c9d7b6566cb1ba921365735bf3b75776e1329e5acf10bc0827876c00", + "sha256": "2758b14515b2a13573cf49d0c83f57b5f4547370c763dd58ade119de3ce19251", "type": "query", - "version": 6 + "version": 8 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "dfe655097f29b7564cc2d0e02c7f3301948e3054b605caaedd2808d8651c113e", + "sha256": "583a2e68141b9adacd617c3da8517b10e3e9ee5f7d897dfdf86b060d095bb4f4", "type": "eql", - "version": 5 + "version": 7 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", 
@@ -4768,68 +4792,68 @@ }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "3c48f13a701de32361892a981d4eb05f2a8c7149984328496e2c10413facd24a", + "sha256": "4b763acfaf2892abb41f28cb3f0381a3742bfc4456a0b2001aafd8c4fe93cd26", "type": "eql", - "version": 9 + "version": 11 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "min_stack_version": "8.2", "previous": { "7.16": { "rule_name": "Suspicious CertUtil Commands", - "sha256": "3dbede3d16202481d8949fe2200959f78449ea2e1de2ef9d1b2ec9134d16cb35", + "sha256": "72b6aefd420c13f2f9a75c27271f96b8fc4a9d2ba474654cf69f6a5586bab85a", "type": "eql", - "version": 13 + "version": 14 } }, "rule_name": "Suspicious CertUtil Commands", - "sha256": "48842212ae6455135f5ac627d1ff61491e2c46152f841707485ccc13ddd506ce", + "sha256": "7aafa80bd5d1755dd6faec5fd986c4dd331ab5c5139ef457c089cec992e6dd21", "type": "eql", - "version": 14 + "version": 16 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "min_stack_version": "8.2", "previous": { "7.16": { "rule_name": "Svchost spawning Cmd", - "sha256": "8eda893ef038048202bf4c123453ad33bb5c23dd7808822d6382a5a2361054c8", + "sha256": "3d668370d9b557693bef4d3e27feee891c659346bc032f6d62a25a08561cf61f", "type": "eql", - "version": 11 + "version": 12 } }, "rule_name": "Svchost spawning Cmd", - "sha256": "bc1c7141ea3d1793d032e8ef37e991fa5b75f3dbffabeb5843f5625f90a7291d", + "sha256": "8b4f2bf818097982df22d332e04ca889ab109c64f307b5f6561105a8c058be0a", "type": "eql", - "version": 12 + "version": 14 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "01ee1a5a314fe80a4edfbd7802473022fa8ed3b34b017b654c6b763b8b334c55", + "sha256": "8ae9156a1e8b4fc571d581dadad39e033e00b984b7ce4af8939bfbe759cc8958", "type": "eql", - "version": 4 + "version": 6 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": 
"bdc3c3820099bd72e96f4e009fea0a4f1edda746435b53c0a4c1a756f6317848", + "sha256": "2e8be374693ae806c801cd7688bae86a28197f10def63a9645c57e9bbf992ecb", "type": "eql", - "version": 3 + "version": 5 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099", + "sha256": "1b5384df54d213d82ed03c31b1cc6e0a2eb427f2c87cefc8da2bc88f7313bbb0", "type": "query", - "version": 9 + "version": 10 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "c9b9e41a62d00bd5dfba4dea0aa6963a3f2ae3ca40b2e997c0cd0f05725e3749", + "sha256": "e408170ea300561c99ae5593db56387d91ce31a3ec07158a067a54a140dc5ee2", "type": "query", - "version": 6 + "version": 8 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall Rule Deletion", - "sha256": "d1a7cbc54b4f8910cb9a43b7d0d568b13418ca9fce205a9fbdcc2396a3baf618", + "sha256": "058b3485367d6815d5a861c285d75be6ac9eec348a195ee37c921d17d15db7ce", "type": "query", - "version": 5 + "version": 7 } } \ No newline at end of file