From d43e274f3e9838280cf4dcb2044f36b25e816f72 Mon Sep 17 00:00:00 2001
From: shashank-elastic
Date: Mon, 28 Oct 2024 13:14:34 +0000
Subject: [PATCH] Locked versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15
---
 detection_rules/etc/version.lock.json | 964 +++++++++++++-------
 1 file changed, 482 insertions(+), 482 deletions(-)
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 4580e256997..b2e03b87681 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1,7 +1,7 @@
 {
 "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
 "rule_name": "Attempt to Modify an Okta Policy Rule",
- "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
+ "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
 "type": "query",
 "version": 208
 },
@@ -11,22 +11,22 @@
 "8.10": {
 "max_allowable_version": 213,
 "rule_name": "Potential Credential Access via Windows Utilities",
- "sha256": "1373f91eab112faf20548ab4097d38478d76efdd3b2f1452a4ea00e6fbe5f971",
+ "sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "8.13": {
 "max_allowable_version": 313,
 "rule_name": "Potential Credential Access via Windows Utilities",
- "sha256": "945351b7a4886f20027e399a8f5b0273a8dbe836686f2fc058529a1427108950",
+ "sha256": "95d6bda6c85aa51a099bee8f81f8ca363afbd0a32c6243308b42ca2e6acbcbf7",
 "type": "eql",
- "version": 214
+ "version": 215
 }
 },
 "rule_name": "Potential Credential Access via Windows Utilities",
- "sha256": "fc8f6b7d2a2e0d5c627a5ca1756b3b5df6ad0c51634811f9796238cc39a4a6ea",
+ "sha256": "d0e504df5a08de7cc03083586e584341e9e476f9a9f5e9a525b4412d81faee74",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "min_stack_version": "8.14",
@@ -92,7 +92,7 @@
 "rule_name": "Potential Cookies Theft via Browser Debugging",
 "sha256": "28cbeaec5f3660a4e3a04bc6a7cb9638f8a0875530b512ad5614994fe1c3f004",
 "type": "eql",
- "version": 106
+ "version": 108
 },
 "0294f105-d7af-4a02-ae90-35f56763ffa2": {
 "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
@@ -142,15 +142,15 @@
 },
 "035889c4-2686-4583-a7df-67f89c292f2c": {
 "rule_name": "High Number of Process and/or Service Terminations",
- "sha256": "3c63df8e9a4eae961ea24ad7bc9706960aa31cf846685ddbd8cbbba903e3b0e5",
+ "sha256": "4ba341e47ade2acd985606544787c92e19701acffaf9c287fd5689ac401c7368",
 "type": "threshold",
- "version": 111
+ "version": 113
 },
 "035a6f21-4092-471d-9cda-9e379f459b1e": {
 "rule_name": "Potential Memory Seeking Activity",
- "sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258",
+ "sha256": "20152e6156019129d0fbbb345d391d5e782b2a10b7ae835fd26d8be3e6e3838c",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
 "rule_name": "Suspicious Dynamic Linker Discovery via od",
@@ -179,9 +179,9 @@
 },
 "0415f22a-2336-45fa-ba07-618a5942e22c": {
 "rule_name": "Modification of OpenSSH Binaries",
- "sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494",
+ "sha256": "04af79fc085a46b7a9239dd4f9bfaf09118355ac4802004f3fdb734b00113972",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "041d4d41-9589-43e2-ba13-5680af75ebc2": {
 "rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
@@ -195,22 +195,22 @@
 "8.10": {
 "max_allowable_version": 100,
 "rule_name": "Potential Escalation via Vulnerable MSI Repair",
- "sha256": "4b3a1669dafbfd92293834f3aae32cdf1ece35c4f6591b33d1f3040fa44fce9f",
+ "sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "8.13": {
 "max_allowable_version": 200,
 "rule_name": "Potential Escalation via Vulnerable MSI Repair",
- "sha256": "b73f166a75fdf86d3f2056d4ae8d312ea463c44c64dc9fab1b77f809d7b966ae",
+ "sha256": "ca6b6244eb33d751ab8afe90e9447bc34a5cd46b0e4604ee73d8c2e77612cb67",
 "type": "eql",
- "version": 101
+ "version": 102
 }
 },
 "rule_name": "Potential Escalation via Vulnerable MSI Repair",
- "sha256": "b73f166a75fdf86d3f2056d4ae8d312ea463c44c64dc9fab1b77f809d7b966ae",
+ "sha256": "8a7f7f22aef8cdf2fa76b6194ccab0d26453470ba193c15aa82ef83fa9cf3102",
 "type": "eql",
- "version": 201
+ "version": 202
 },
 "04c5a96f-19c5-44fd-9571-a0b033f9086f": {
 "rule_name": "Azure AD Global Administrator Role Assigned",
@@ -243,15 +243,15 @@
 },
 "054db96b-fd34-43b3-9af2-587b3bd33964": {
 "rule_name": "Systemd-udevd Rule File Creation",
- "sha256": "0dfc0b069d300f001ad888794c331aa6459cf2a1afbe74e991e76540d3d1c334",
+ "sha256": "12d9feafcc88441dac8a47687708fa8fb7bf194076d084b80efd2128b97a5570",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "0564fb9d-90b9-4234-a411-82a546dc1343": {
 "rule_name": "Microsoft IIS Service Account Password Dumped",
 "sha256": "b2f9992729bc05c1ad61753e6a581826cfdbf50a5cfe644cf620c534e0ee0add",
 "type": "eql",
- "version": 113
+ "version": 115
 },
 "05b358de-aa6d-4f6c-89e6-78f74018b43b": {
 "min_stack_version": "8.14",
@@ -292,13 +292,13 @@
 "rule_name": "Remote System Discovery Commands",
 "sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06",
 "type": "eql",
- "version": 113
+ "version": 115
 },
 "06568a02-af29-4f20-929c-f3af281e41aa": {
 "rule_name": "System Time Discovery",
- "sha256": "b20b0883dce0c126871b6ae34bed57fd769c23c5b5de5d0d7778bca20696d468",
+ "sha256": "91c3723d6e06feb5696fb366c36fe16394766a895529e478dcfcc8ccbaddc71f",
 "type": "eql",
- "version": 9
+ "version": 11
 },
 "0678bc9c-b71a-433b-87e6-2f664b6b3131": {
 "rule_name": "Unusual Remote File Size",
@@ -335,15 +335,15 @@
 "8.10": {
 "max_allowable_version": 211,
 "rule_name": "Potential Evasion via Filter Manager",
- "sha256": "84f9ab9fddd97724ac58b9019c6094a320f8d9d0f2b389c4fc66ffd72c3e570a",
+ "sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1",
 "type": "eql",
- "version": 112
+ "version": 113
 }
 },
 "rule_name": "Potential Evasion via Filter Manager",
- "sha256": "4cba3feab1ad86e3059a5998c72b8673a2d37950425f6e1b0e80a4acb3d5e002",
+ "sha256": "3a61aa859d4dd430becb99b7310d8f43570207832557eedf3e2684c3180cd10c",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "074464f9-f30d-4029-8c03-0ed237fffec7": {
 "min_stack_version": "8.14",
@@ -438,7 +438,7 @@
 "rule_name": "First Time Seen Removable Device",
 "sha256": "20d5ab4b426cb84f65b990fde4a3011164e908b124f4c961646afae8d6e73a58",
 "type": "new_terms",
- "version": 7
+ "version": 10
 },
 "089db1af-740d-4d84-9a5b-babd6de143b0": {
 "rule_name": "Windows Account or Group Discovery",
@@ -478,9 +478,9 @@
 },
 "09bc6c90-7501-494d-b015-5d988dc3f233": {
 "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
- "sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13",
+ "sha256": "ba5ece96c45f82ec3deddbb0311dc407ea0a8234e9dea257649d0cd4014c2eff",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "09d028a5-dcde-409f-8ae0-557cef1b7082": {
 "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
@@ -515,25 +515,25 @@
 "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
 "sha256": "1a79fc397af3f12c7da606036342d1b41b7d2b17df4a446cd98e618b4e7e9891",
 "type": "query",
- "version": 107
+ "version": 109
 },
 "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
 "rule_name": "Yum Package Manager Plugin File Creation",
- "sha256": "020707bc72930c1c88624fa6bc70c89066d79ec0c2e4b211d7039857de3514b0",
+ "sha256": "b6b6b3ca5a1b00c1c9c2963e11de9416eb551dc1cae810218908a0530dee3559",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "rule_name": "Anomalous Windows Process Creation",
 "sha256": "acdcc7db7bd1b750efe71ad345cb5a5475fd227ac91ab85cc7c45383df0d9eb0",
 "type": "machine_learning",
- "version": 107
+ "version": 109
 },
 "0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
 "rule_name": "User account exposed to Kerberoasting",
 "sha256": "4b5cbd7460298bb5d01a57eea52921d5400e6071d98b2cb6ec940f3fdcc3d2af",
 "type": "query",
- "version": 112
+ "version": 114
 },
 "0b79f5c0-2c31-4fea-86cd-e62644278205": {
 "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
@@ -553,15 +553,15 @@
 "8.13": {
 "max_allowable_version": 101,
 "rule_name": "Attempt to Establish VScode Remote Tunnel",
- "sha256": "1b2555dd5c85d73de0e5bba5942450628664cd1e0023117f44c85b562060643c",
+ "sha256": "d6fa3f4e6eefb62df2be718d0947e519176fb25f046497c15158ef5116ca4088",
 "type": "eql",
- "version": 2
+ "version": 3
 }
 },
 "rule_name": "Attempt to Establish VScode Remote Tunnel",
- "sha256": "5497d098e570a215007cbe03a87f3122353b2f7693d184260582856664ce0c69",
+ "sha256": "e3e0dae0ba3379b0f1c16cff9934161e82104fc80d18f14fcf96ae61dcd3e44e",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
 "rule_name": "Processes with Trailing Spaces",
@@ -581,9 +581,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Peripheral Device Discovery",
- "sha256": "c3889f256c7f95c492de240f96870f33ac83d81b6ad034e3aecf476450573762",
+ "sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -691,7 +691,7 @@
 "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
 "sha256": "b6fe17ae61cabf399f3502a59bd831e6a43b9d29f19787c3623981dc44eec698",
 "type": "threshold",
- "version": 209
+ "version": 211
 },
 "0ff84c42-873d-41a2-a4ed-08d74d352d01": {
 "rule_name": "Privilege Escalation via Root Crontab File Modification",
@@ -778,7 +778,7 @@
 "rule_name": "PowerShell Script with Token Impersonation Capabilities",
 "sha256": "5da4a9373dd0e7d3e939dc5815ae14c28a0fedadefabad3b85e2e059b5cc1a24",
 "type": "query",
- "version": 13
+ "version": 15
 },
 "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
 "min_stack_version": "8.13",
@@ -812,7 +812,7 @@
 "rule_name": "Suspicious Windows Process Cluster Spawned by a User",
 "sha256": "a979104cf9cc45e2deefe33c7763b2f7452f1cce582e84c1036d8659251e76e9",
 "type": "machine_learning",
- "version": 6
+ "version": 8
 },
 "1251b98a-ff45-11ee-89a1-f661ea17fbce": {
 "rule_name": "AWS Lambda Function Created or Updated",
@@ -940,7 +940,7 @@
 "rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
 "sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd",
 "type": "threshold",
- "version": 5
+ "version": 8
 },
 "139c7458-566a-410c-a5cd-f80238d6a5cd": {
 "rule_name": "SQL Traffic to the Internet",
@@ -994,9 +994,9 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Potential Persistence via Time Provider Modification",
- "sha256": "e95a20057c03b7af915f7bb0aa29300e680a683ac8f1c15d8951150d2acd81d3",
+ "sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
@@ -1153,37 +1153,37 @@
 "rule_name": "Unusual Windows Username",
 "sha256": "2aa54fb200fbc2dc2a08134e4047e7d738718526afc740d255f2d4122be23a8a",
 "type": "machine_learning",
- "version": 106
+ "version": 108
 },
 "1781d055-5c66-4adf-9c71-fc0fa58338c7": {
 "rule_name": "Unusual Windows Service",
 "sha256": "aeb4741bd8e4ad54e3207d4a0c8f74feb21e04a61c42cca74da415224a2af13c",
 "type": "machine_learning",
- "version": 105
+ "version": 107
 },
 "1781d055-5c66-4adf-9d60-fc0fa58337b6": {
 "rule_name": "Suspicious Powershell Script",
 "sha256": "14d8f45b942a560b3b14732c25e7974f73d292f45a4e7918d19e53176371a601",
 "type": "machine_learning",
- "version": 106
+ "version": 108
 },
 "1781d055-5c66-4adf-9d82-fc0fa58449c8": {
 "rule_name": "Unusual Windows User Privilege Elevation Activity",
 "sha256": "e1c5e226e528ca5b94b5043313893ac737e6f289a6c7021011cbccbac374b8a0",
 "type": "machine_learning",
- "version": 105
+ "version": 107
 },
 "1781d055-5c66-4adf-9e93-fc0fa69550c9": {
 "rule_name": "Unusual Windows Remote User",
 "sha256": "1c6ce3b862feb23ee131c82cda24b91a71c155b8cfbc57d8deadf6782dc324eb",
 "type": "machine_learning",
- "version": 105
+ "version": 107
 },
 "17b0a495-4d9f-414c-8ad0-92f018b8e001": {
 "rule_name": "Systemd Service Created",
- "sha256": "2a67cb5cd32db22aa939d61ec976ea4d0aa9623596bdf8a430c808aa2aa77ee5",
+ "sha256": "b60b8f6f9625053ab6af246ddc30eb490e456bda7f66464b769de74b3309378a",
 "type": "eql",
- "version": 14
+ "version": 15
 },
 "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
 "min_stack_version": "8.14",
@@ -1302,22 +1302,22 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Execution of COM object via Xwizard",
- "sha256": "1d0681a11138f4ae7bf2b6332f6fd7d4cdc980921332c53b1723a9b082b2ad99",
+ "sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Execution of COM object via Xwizard",
- "sha256": "75b9e2340d47646a740eb8b676d3f14570901f1077538b742bb0707df63f181a",
+ "sha256": "378075d3770551eeae56e8ea53ab1cd46b454659bb893501cf1d289db20b6fb4",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Execution of COM object via Xwizard",
- "sha256": "32b2823ce29ab2ac08642513c87f7d13eba21dd4653181deecac9f786e73114e",
+ "sha256": "cd42a38d9a6e35812d8c106382547d304b5b560c92518647d4dc73dfd75cc02f",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
 "rule_name": "AWS CloudTrail Log Suspended",
@@ -1331,9 +1331,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "User Account Creation",
- "sha256": "45816938efafa31647f79f3eb0813237660ed5a732912ed9797a2fa64edd516c",
+ "sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -1456,7 +1456,7 @@
 "rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
 "sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc",
 "type": "query",
- "version": 8
+ "version": 10
 },
 "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
 "min_stack_version": "8.14",
@@ -1505,9 +1505,9 @@
 },
 "1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
 "rule_name": "Potential Linux Hack Tool Launched",
- "sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731",
+ "sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
 "min_stack_version": "8.12",
@@ -1523,7 +1523,7 @@
 "rule_name": "PowerShell Script with Discovery Capabilities",
 "sha256": "54e718a88b4a68d227e6b66b126f993aa778b036deb6f8be5b61951c298f111f",
 "type": "query",
- "version": 108
+ "version": 110
 },
 "1e0b832e-957e-43ae-b319-db82d228c908": {
 "rule_name": "Azure Storage Account Key Regenerated",
@@ -1549,9 +1549,9 @@
 },
 "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
 "rule_name": "Creation of SettingContent-ms Files",
- "sha256": "c6ab370809c60a6fc72b73ebf08275954bc19e7bee4115ff334fc436e4256db0",
+ "sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "1e9b271c-8caa-4e20-aed8-e91e34de9283": {
 "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
@@ -1569,7 +1569,7 @@
 "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
 "sha256": "eeebabf5497517642690f0b238295c5f9f09396305832e4b067a3d788067bee9",
 "type": "query",
- "version": 9
+ "version": 11
 },
 "1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
 "min_stack_version": "8.13",
@@ -1580,9 +1580,9 @@
 },
 "1f460f12-a3cf-4105-9ebb-f788cc63f365": {
 "rule_name": "Unusual Process Execution on WBEM Path",
- "sha256": "fb398cfee97e528fb36491eb57ae229eb51744020bc8ff818659bc74fdd08ecc",
+ "sha256": "13b48a7591f9b468f310bbdcd36b045d671d36396a0d86129881eb16289c32fa",
 "type": "eql",
- "version": 3
+ "version": 5
 },
 "1faec04b-d902-4f89-8aff-92cd9043c16f": {
 "rule_name": "Unusual Linux User Calling the Metadata Service",
@@ -1618,9 +1618,9 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Suspicious .NET Code Compilation",
- "sha256": "8ac1d85c1a2ec7664798918bc56810136f6ac597b13a7b0eec0e9c033a6bcbdd",
+ "sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
@@ -1797,9 +1797,9 @@
 },
 "2339f03c-f53f-40fa-834b-40c5983fc41f": {
 "rule_name": "Kernel Module Load via insmod",
- "sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2",
+ "sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "2377946d-0f01-4957-8812-6878985f515d": {
 "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
@@ -1853,7 +1853,7 @@
 "rule_name": "Potential PowerShell HackTool Script by Author",
 "sha256": "01735177fce51c42923f16c612bbf247992c18fbc96e57a1b72c571807c334eb",
 "type": "query",
- "version": 3
+ "version": 5
 },
 "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
 "rule_name": "Potential Reverse Shell via Background Process",
@@ -1863,9 +1863,9 @@
 },
 "25d917c4-aa3c-4111-974c-286c0312ff95": {
 "rule_name": "Network Activity Detected via Kworker",
- "sha256": "910c6260475ac0d34a0354b97ff3c19f1b7ef26a8d78a053e3b1fb73f55c7323",
+ "sha256": "6c823634705c69de0120c2254520b0a79b53891b3f5af608fab3f07a2f04ec3b",
 "type": "new_terms",
- "version": 5
+ "version": 6
 },
 "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
 "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
@@ -1920,15 +1920,15 @@
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Persistence via Update Orchestrator Service Hijack",
- "sha256": "5347550dec817bbf8a30b8cceeec4fb4c34039491a86e3cb7eb2a10b8afa6d1c",
+ "sha256": "535792c8a18d108f65af67d434bd5befcc35f6422b87accce90f5cf7fcda3f7e",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Persistence via Update Orchestrator Service Hijack",
- "sha256": "6ade23c64deaeb89059e8ca68c53f0ee23843a4a561f5bb0c1a90c69d4d05b37",
+ "sha256": "63d4edaeb49856654125035d9376493bf4182f432dffc0f6dd69eef84bf81441",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "26a726d7-126e-4267-b43d-e9a70bfdee1e": {
 "rule_name": "Potential Defense Evasion via Doas",
@@ -1978,7 +1978,7 @@
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
 "sha256": "4a3e6bf68329d70f058be24f7904ce234a26b57c38972ad33ff103a9e00f78a9",
 "type": "query",
- "version": 107
+ "version": 109
 },
 "2724808c-ba5d-48b2-86d2-0002103df753": {
 "rule_name": "Attempt to Clear Kernel Ring Buffer",
@@ -2086,21 +2086,21 @@
 },
 "28d39238-0c01-420a-b77a-24e5a7378663": {
 "rule_name": "Sudo Command Enumeration Detected",
- "sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320",
+ "sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
 "rule_name": "Privilege Escalation via SUID/SGID",
- "sha256": "0a180c61b8aa35288abaa53efe0c157c6d37e5280e80b5e25ca9284d250d0be9",
+ "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
 "rule_name": "Shell Configuration Creation or Modification",
- "sha256": "1bbc59664ea9b04b6617570b0dfb20792a323de2634050e653bd63ba8b1adcb4",
+ "sha256": "82a1df00e80a4d2e8c1cbcdef1cbc52c47bca472993056876a09f27981ed2fe6",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "29052c19-ff3e-42fd-8363-7be14d7c5469": {
 "rule_name": "AWS Security Group Configuration Change Detection",
@@ -2175,7 +2175,7 @@
 "rule_name": "Enumeration of Privileged Local Groups Membership",
 "sha256": "6b9ddb99af8aebdf137ebdbc012a627a5c96f21ad7dfab54a26dc16d5763ed3d",
 "type": "new_terms",
- "version": 314
+ "version": 316
 },
 "29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
 "rule_name": "New Okta Identity Provider (IdP) Added by Admin",
@@ -2190,16 +2190,16 @@
 "version": 1
 },
 "29f0cf93-d17c-4b12-b4f3-a433800539fa": {
- "rule_name": "Potential Linux SSH X11 Forwarding",
- "sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7",
+ "rule_name": "Linux SSH X11 Forwarding",
+ "sha256": "2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "2a692072-d78d-42f3-a48a-775677d79c4e": {
 "rule_name": "Potential Code Execution via Postgresql",
- "sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391",
+ "sha256": "31193d1ef0348a443dc4c9605b4f62d6242633a24281f63b10519a48bb6178b4",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
 "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
@@ -2209,9 +2209,9 @@
 },
 "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
 "rule_name": "ESXI Discovery via Grep",
- "sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504",
+ "sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "min_stack_version": "8.14",
@@ -2330,9 +2330,9 @@
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "rule_name": "Enumeration of Kernel Modules",
- "sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e",
+ "sha256": "e476a54ff58dbe2b9ad2df9aa0a9e110cdaa9b7f6adea0b3fa77bd0f4638913c",
 "type": "new_terms",
- "version": 209
+ "version": 210
 },
 "2dd480be-1263-4d9c-8672-172928f6789a": {
 "min_stack_version": "8.14",
@@ -2405,13 +2405,13 @@
 "rule_name": "Potential Process Injection via PowerShell",
 "sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855",
 "type": "query",
- "version": 112
+ "version": 114
 },
 "2e311539-cd88-4a85-a301-04f38795007c": {
 "rule_name": "Accessing Outlook Data Files",
- "sha256": "db4e19d7469dc91d1a4d9faafa87f33a0ffda20f60b7e829d7066ccfada6ef07",
+ "sha256": "cbd45fc062e5bcef6a93a19f9d01b6f8d1fcd038fff47b19a5adb99569cdd378",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
 "min_stack_version": "8.13",
@@ -2468,7 +2468,7 @@
 "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
 "sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8",
 "type": "query",
- "version": 111
+ "version": 113
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "rule_name": "Attempt to Disable Syslog Service",
@@ -2583,9 +2583,9 @@
 },
 "32300431-c2d5-432d-8ec8-0e03f9924756": {
 "rule_name": "Network Connection from Binary with RWX Memory Region",
- "sha256": "172d24bcf01cef30702ad2466f5b01b312a7b5b9b0420781b3f5d178dee2810e",
+ "sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "323cb487-279d-4218-bcbd-a568efe930c6": {
 "rule_name": "Azure Network Watcher Deletion",
@@ -2605,9 +2605,9 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Program Files Directory Masquerading",
- "sha256": "640ede499425561eafaace54b64271dc0c75b80d80fca0d8b82da0d2b58c30f3",
+ "sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
@@ -2666,9 +2666,9 @@
 },
 "33a6752b-da5e-45f8-b13a-5f094c09522f": {
 "rule_name": "ESXI Discovery via Find",
- "sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04",
+ "sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "33f306e8-417c-411b-965c-c2812d6d3f4d": {
 "rule_name": "Remote File Download via PowerShell",
@@ -2796,9 +2796,9 @@
 "8.10": {
 "max_allowable_version": 208,
 "rule_name": "Suspicious ImagePath Service Creation",
- "sha256": "fefaa82ff180803dd05b6b0d43cfed6b9c836603ead4df9a42364585d37197e4",
+ "sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "8.13": {
 "max_allowable_version": 308,
@@ -2875,7 +2875,7 @@
 "rule_name": "Network Connection via Certutil",
 "sha256": "a46ff963d1341267dc84e8cae348751c9602db28818d086bdbc2d06646e63071",
 "type": "eql",
- "version": 114
+ "version": 116
 },
 "38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
 "rule_name": "Prompt for Credentials with OSASCRIPT",
@@ -2944,9 +2944,9 @@
 },
 "39c06367-b700-4380-848a-cab06e7afede": {
 "rule_name": "Systemd Generator Created",
- "sha256": "6830658a6c7df047562c77a035de9a3c72616c2c4cc3680ea3caead24a2675ba",
+ "sha256": "b336dcc55cb6d9c74fd8f467faab033cf4e5c408d97b06a750b73840b1ba098b",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "min_stack_version": "8.14",
@@ -3088,9 +3088,9 @@
 "8.10": {
 "max_allowable_version": 101,
 "rule_name": "ScreenConnect Server Spawning Suspicious Processes",
- "sha256": "43ef957c4841d72a0eed0eef915a2a434fba9e1bbfa8f9e969c7754d8236aca5",
+ "sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "8.13": {
 "max_allowable_version": 201,
@@ -3119,7 +3119,7 @@
 "rule_name": "PowerShell Script with Log Clear Capabilities",
 "sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb",
 "type": "query",
- "version": 107
+ "version": 109
 },
 "3e002465-876f-4f04-b016-84ef48ce7e5d": {
 "rule_name": "AWS CloudTrail Log Updated",
@@ -3227,9 +3227,9 @@
 },
 "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
 "rule_name": "Potential Protocol Tunneling via Chisel Client",
- "sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792",
+ "sha256": "4cf0ffba6ff6f1228756a6782ad1152b613568a74869d6299a2bedf9881f9420",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
 "rule_name": "Binary Executed from Shared Memory Directory",
@@ -3259,7 +3259,7 @@
 "rule_name": "Unusual Process Spawned by a User",
 "sha256": "201e146529ae1e7eeb0af4b0bc377ec5381676db3b1d5027332f45a8027f195e",
 "type": "machine_learning",
- "version": 6
+ "version": 8
 },
 "4030c951-448a-4017-a2da-ed60f6d14f4f": {
 "rule_name": "GitHub User Blocked From Organization",
@@ -3273,9 +3273,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "4f88e7a9112a07893f4b2c1849ef0d4959829a575d2ab8700ea6d9cb9e9aa3f5",
+ "sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -3292,15 +3292,15 @@
 },
 "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
 "rule_name": "Suspicious Modprobe File Event",
- "sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c",
+ "sha256": "d4f1d5fc1a70a2e0a60cefc3b2923c55452347f28b90e20a3625f397c32db48c",
 "type": "new_terms",
- "version": 107
+ "version": 108
 },
 "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
 "rule_name": "Unix Socket Connection",
- "sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22",
+ "sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "min_stack_version": "8.14",
@@ -3398,9 +3398,9 @@
 },
 "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "2dfb9575cc645fa50cebdb23d7ca0430deb31dd044ee4678db3517dbeeab236c",
+ "sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.14",
@@ -3429,7 +3429,7 @@
 "rule_name": "Unusual Windows Path Activity",
 "sha256": "041957d983301e74d0e06438e1ee8ac7badf8dd542f3a501ad94e29ad6bf27e4",
 "type": "machine_learning",
- "version": 106
+ "version": 108
 },
 "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
 "rule_name": "Potential Masquerading as VLC DLL",
@@ -3475,7 +3475,7 @@
 "rule_name": "Windows Event Logs Cleared",
 "sha256": "868e3d06e6043e63111eb21f96849df3002b2a0f958afc5c12e623b3a3dcff8f",
 "type": "query",
- "version": 110
+ "version": 112
 },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.14",
@@ -3522,9 +3522,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "35db94e83082bb07447ac1233547dcfe629fb843d39c755861ace1e5e426a32a",
+ "sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -3547,9 +3547,9 @@
 },
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "rule_name": "System V Init Script Created",
- "sha256": "0b73e5e62cae5d12fa9f1593413122fedb8a5dabb1a53d42be46c0cee2d4f35f",
+ "sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034",
 "type": "eql",
- "version": 12
+ "version": 13
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "rule_name": "Sensitive Files Compression Inside A Container",
@@ -3559,9 +3559,9 @@
 },
 "476267ff-e44f-476e-99c1-04c78cb3769d": {
 "rule_name": "Cupsd or Foomatic-rip Shell Execution",
- "sha256": "ea849a9461e38a2045fe127b98e787f05d95161ba0ae4008de1c4ce3a7c773dd",
+ "sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.14",
@@ -3686,9 +3686,9 @@
 },
 "4982ac3e-d0ee-4818-b95d-d9522d689259": {
 "rule_name": "Process Discovery Using Built-in Tools",
- "sha256": "aca87260b181359408cce6f76507de03da06ac49fa8815ca6587fbb18465b5ad",
+ "sha256": "24424c58a67a62f2464e7ce3c038697aeb561551b61ba5a2c8bf1cf001674ec1",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "4a4e23cf-78a2-449c-bac3-701924c269d3": {
 "rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -3782,13 +3782,13 @@
 "rule_name": "PowerShell Share Enumeration Script",
 "sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c",
 "type": "query",
- "version": 10
+ "version": 12
 },
 "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
 "rule_name": "Kernel Load or Unload via Kexec Detected",
- "sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e",
+ "sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
 "rule_name": "AWS Management Console Brute Force of Root User Identity",
@@ -3895,9 +3895,9 @@
 "4f855297-c8e0-4097-9d97-d653f7e471c4": {
 "min_stack_version": "8.13",
 "rule_name": "Unusual High Confidence Misconduct Blocks Detected",
- "sha256": "ec8018367ddae889657cf1cb6c99b9c0fb427d64de771d720364e8e10a5ddf6c",
+ "sha256": "3398bec154ac1a626c777596eca4d931feeb50eeaa61584cd602258d98b79e25",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "min_stack_version": "8.14",
@@ -3905,22 +3905,22 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "516db4cf8557eafd3460e28139da74d2c72f860f9905e30ab5a32a2022d2094d",
+ "sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "0d6d4651b1ecb4c9d8f441529eaeec07303f9c3c334747c598732aab1906a13b",
+ "sha256": "8fcabaf421ead8967729841048f4304562f4719e3d0b887656122fe831a43b9d",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "a7ce39d7ca13ce9e8e59f3f06b1ed7ae1731bd3cecab9ac660fe44815d1f0e7c",
+ "sha256": "c18c0a517e014572b811a79c2427ada539292d70e5d70db5e1b5dab10c4e52f2",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
 "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
@@ -3930,15 +3930,15 @@
 },
 "51176ed2-2d90-49f2-9f3d-17196428b169": {
 "rule_name": "Windows System Information Discovery",
- "sha256": "756e470e62e48f87fbad4a84a36227fae6cf096baea0cfbfd68eab516ca7ab0d",
+ "sha256": "547b5b46dd9bf2cdc0c7e62cb41182704197c47de44f9c2f95a3cd12548ddce0",
 "type": "eql",
- "version": 7
+ "version": 9
 },
 "5124e65f-df97-4471-8dcb-8e3953b3ea97": {
 "rule_name": "Hidden Files and Directories via Hidden Flag",
- "sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7",
+ "sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "min_stack_version": "8.14",
@@ -4093,9 +4093,9 @@
 },
 "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
 "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
- "sha256": "abbed0de67d7ae950dd29ebf82d8d832f7075ebdd3b1ff3841b33f154df5f96a",
+ "sha256": "31fdbcd1bcd6c7fd916a92c19c40e5cbe355a75a3b31c97758f5723d31bdf870",
 "type": "new_terms",
- "version": 10
+ "version": 11
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
 "rule_name": "AWS EFS File System or Mount Deleted",
@@ -4122,28 +4122,28 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "e987d5fe63d102c7bb7c668c0fc403ccdc02389130d9aed4ed25a1e85a1f52b4",
+ "sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "83280bfbf6c14209cedb5b7a86f820170bd880a70b2b0a343536e9735032fc7d",
+ "sha256": "139f8bfa2c8cbb9183a5192c82ba2adb3fd3f23f81086fb9874e23cdbe7580fd",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "d56d39e789ec74fb9e36767e2af77e608728e0e3e9dce8f1737ab40fe74565d8",
+ "sha256": "756f5cf00ac9cb8da7bcb2c337c9b4e427f52c809e8846acfb481d18cf1e5683",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "53dedd83-1be7-430f-8026-363256395c8b": {
 "rule_name": "Binary Content Copy via Cmd.exe",
- "sha256": "18ddc4eb7eda6120b2b7e59391fa204195a03dad284743b8a2d8405a64b3be18",
+ "sha256": "f031d67ed436433e67086abdfa538113a953bfbf725e3aface9fc9c4cdaeab6a",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "min_stack_version": "8.14",
@@ -4151,15 +4151,15 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Uncommon Registry Persistence Change",
- "sha256": "1b77761f1f1b0914e1345e28a6c1d2b0c30453aa083758de07f18b9a79857ee3",
+ "sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a",
 "type": "eql",
- "version": 110
+ "version": 111
 }
 },
 "rule_name": "Uncommon Registry Persistence Change",
- "sha256": "1b77761f1f1b0914e1345e28a6c1d2b0c30453aa083758de07f18b9a79857ee3",
+ "sha256": "62ede16d68f9a13f35791ebd4acf967b6a53e167d2211eea0b4a9c9e452339ef",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "54a81f68-5f2a-421e-8eed-f888278bb712": {
 "min_stack_version": "8.12",
@@ -4175,7 +4175,7 @@
 "rule_name": "Exchange Mailbox Export via PowerShell",
 "sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12",
 "type": "query",
- "version": 109
+ "version": 111
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "min_stack_version": "8.14",
@@ -4183,15 +4183,15 @@
 "8.10": {
 "max_allowable_version": 211,
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "b266d7cba5e3ee8a68a89a82582964b770cf9005aeaecc0127687672ede31ee1",
+ "sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698",
 "type": "eql",
- "version": 112
+ "version": 113
 }
 },
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "b266d7cba5e3ee8a68a89a82582964b770cf9005aeaecc0127687672ede31ee1",
+ "sha256": "5132f31e51639151e91e5c3302b4650fc9f619e7eb892a051a03487eb3b5e62e",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
 "min_stack_version": "8.14",
@@ -4235,7 +4235,7 @@
 "rule_name": "Unusual Process Spawned by a Host",
 "sha256": "fc15e14ff5e5b9a4e9791cd5a68b234418e8d305be7f057eb8a3d00248eac66b",
 "type": "machine_learning",
- "version": 6
+ "version": 8
 },
 "5610b192-7f18-11ee-825b-f661ea17fbcd": {
 "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
@@ -4245,9 +4245,9 @@
 },
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
- "sha256": "3e6a9752a3bdbffedad925a1b38a27845fc5d548f93785ad06147603e651e3e0",
+ "sha256": "1645e32bd9388cfedd1bbb52f9d608fa1f020e59df807c8c0a24d791979f2fc7",
 "type": "query",
- "version": 106
+ "version": 108
 },
 "565c2b44-7a21-4818-955f-8d4737967d2e": {
 "min_stack_version": "8.11",
@@ -4291,7 +4291,7 @@
 "rule_name": "PowerShell PSReflect Script",
 "sha256": "38589e5b42cc43f6e6b822a37057ab671b1596137a108e3c0f6275bbd7821ad1",
 "type": "query",
- "version": 212
+ "version": 214
 },
 "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
 "rule_name": "Execution of an Unsigned Service",
@@ -4321,13 +4321,13 @@
 "rule_name": "PowerShell MiniDump Script",
 "sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a",
 "type": "query",
- "version": 109
+ "version": 111
 },
 "57bccf1d-daf5-4e1a-9049-ff79b5254704": {
 "rule_name": "File Staged in Root Folder of Recycle Bin",
- "sha256": "81da2322574ee19272135501b257cf847b0b854ac486336d75fd54970c66a1be",
+ "sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "57bfa0a9-37c0-44d6-b724-54bf16787492": {
 "min_stack_version": "8.14",
@@ -4524,9 +4524,9 @@
 },
 "5b18eef4-842c-4b47-970f-f08d24004bde": {
 "rule_name": "Suspicious which Enumeration",
- "sha256": "c9fb7b1a40fb8a63342f9f814a8e100720fa02eea274c2aeb53db151bed3f581",
+ "sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
 "rule_name": "Potential Masquerading as Browser Process",
@@ -4538,7 +4538,7 @@
 "rule_name": "Suspicious PrintSpooler Service Executable File Creation",
 "sha256": "aeec107590fee9b7eb50ce2c5790e91eebe4152e23c7a16c88cd8371f4e374b0",
 "type": "new_terms",
- "version": 112
+ "version": 115
 },
 "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
 "rule_name": "AWS WAF Rule or Rule Group Deletion",
@@ -4557,13 +4557,13 @@
 "rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
 "sha256": "e76374e15f51af2dd0d683aacb95c40df7bb4ab2452ca64cab318aa20a1766a6",
 "type": "query",
- "version": 2
+ "version": 4
 },
 "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
 "rule_name": "FirstTime Seen Account Performing DCSync",
- "sha256": "68e3da7154a6582f7a0c8b621f055fb9c62464b39f4b3727ca0208ab9e47aa0e",
+ "sha256": "60be180da0a4d8a02621f58482c7ddfc3b2fc4815bbd722097bef9ec5bfe45a8",
 "type": "new_terms",
- "version": 12
+ "version": 14
 },
 "5c81fc9d-1eae-437f-ba07-268472967013": {
 "rule_name": "Segfault Detected",
@@ -4672,15 +4672,15 @@
 "8.10": {
 "max_allowable_version": 101,
 "rule_name": "Unsigned DLL loaded by DNS Service",
- "sha256": "8d7f07f9b154ad5aeed9d76695452e6470861400f810fc9a777d390eda0fb74c",
+ "sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7",
 "type": "eql",
- "version": 2
+ "version": 3
 }
 },
 "rule_name": "Unsigned DLL loaded by DNS Service",
- "sha256": "8d7f07f9b154ad5aeed9d76695452e6470861400f810fc9a777d390eda0fb74c",
+ "sha256": "1bed4177a477d026c410cae36aa7cc8da677f5a62bab50fb6caced420d1dd57c",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
 "rule_name": "Suspicious Automator Workflows Execution",
@@ -4812,7 +4812,7 @@
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
 "sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95",
 "type": "query",
- "version": 215
+ "version": 217
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -4862,7 +4862,7 @@
 "rule_name": "Account Configured with Never-Expiring Password",
 "sha256": "d1a41572216c35257141c8fde9abe70f1cc185ba00383bd8a0a180ce1ce6cbc6",
 "type": "query",
- "version": 110
+ "version": 112
 },
 "62b68eb2-1e47-4da7-85b6-8f478db5b272": {
 "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
@@ -4872,9 +4872,9 @@
 },
 "63431796-f813-43af-820b-492ee2efec8e": {
 "rule_name": "Network Connection Initiated by SSHD Child Process",
- "sha256": "026a0ff9383f49a20b58463f40f14c0331889526d60ee9e89e1e8d14c0772894",
+ "sha256": "bf0ca3359e6f32c685d719787f6adfd48d96993c3b01c42812464e6aaed5aa1c",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "63c05204-339a-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
@@ -4918,9 +4918,9 @@
 },
 "640f79d1-571d-4f96-a9af-1194fc8cf763": {
 "rule_name": "Dynamic Linker Creation or Modification",
- "sha256": "bdf1b0f84e3bbc046df60ade86c8188ef57fbb45f7fc947f84d9011da4d6a60f",
+ "sha256": "17626f3f8f0d9413631123ff3710cc6bbd765919f591f8cc4cb0b3ed798fd72d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "rule_name": "Anomalous Process For a Linux Population",
@@ -4936,9 +4936,9 @@
 },
 "64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
 "rule_name": "Network Connection via Recently Compiled Executable",
- "sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b",
+ "sha256": "c2a1edb00dafb062774f8a65b34f761d2c5332b1165d4c2282dab5acdd7baeac",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "6506c9fd-229e-4722-8f0f-69be759afd2a": {
 "rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -4997,7 +4997,7 @@
 "rule_name": "WebServer Access Logs Deleted",
 "sha256": "615a81cd545877582b84f8a6524858b3762c49019fa6fc3286e441330c854938",
 "type": "eql",
- "version": 106
+ "version": 108
 },
 "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
 "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
@@ -5037,7 +5037,7 @@
 "rule_name": "Modification of the msPKIAccountCredentials",
 "sha256": "dc7f9e08e370facf03fd788985647ead45419455fbd6e63b7c489088770b941b",
 "type": "query",
- "version": 12
+ "version": 14
 },
 "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
 "rule_name": "Attempt to Modify an Okta Policy",
@@ -5081,9 +5081,9 @@
 "8.10": {
 "max_allowable_version": 208,
 "rule_name": "Image File Execution Options Injection",
- "sha256": "c2b23662abc573f31a8ecd1f1a209ab092b6d28915dc38aaa16664af71c1545f",
+ "sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "8.13": {
 "max_allowable_version": 308,
@@ -5230,9 +5230,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Modification of Boot Configuration",
- "sha256": "8370613b240c6526b217457b239420a79efbdaad26b15203f4ec59b96e044971",
+ "sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -5385,7 +5385,7 @@
 "rule_name": "Unusual Process For a Windows Host",
 "sha256": "76043082e1635afa431a0b6ffd9156292fcec2cb34e12c1d3d5f8a4ac354c8da",
 "type": "machine_learning",
- "version": 110
+ "version": 112
 },
 "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
 "rule_name": "Potential Privilege Escalation via CVE-2023-4911",
@@ -5395,27 +5395,27 @@
 },
 "6ded0996-7d4b-40f2-bf4a-6913e7591795": {
 "rule_name": "Root Certificate Installation",
- "sha256": "1181d28604ebf265444f65fb2e0e91ed779f6557ac57a9aaa2425f073f9dbee8",
+ "sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
 "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
- "sha256": "9d96edb2b383e25178813ce435566c0bfddaa9456a84a0dc55e26cdd61ce408e",
+ "sha256": "a8bbd1a9cdafc77c48549535f3b93376cad74a043e69ead9323c875d7feb04d9",
 "type": "new_terms",
- "version": 7
+ "version": 9
 },
 "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
 "rule_name": "Anomalous Process For a Windows Population",
 "sha256": "849904e5601ed2b7ca539b15e1b20c3d5fd3a966683bc5a5f0cfa7101f0edcd9",
 "type": "machine_learning",
- "version": 107
+ "version": 109
 },
 "6e9130a5-9be6-48e5-943a-9628bfc74b18": {
 "rule_name": "AdminSDHolder Backdoor",
 "sha256": "d92aec3ae515b2f1ef5ead2567d90bf9ed286c98404ada51b490d78121809360",
 "type": "query",
- "version": 109
+ "version": 111
 },
 "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
 "rule_name": "Enumeration of Users or Groups via Built-in Commands",
@@ -5441,9 +5441,9 @@
 },
 "6ea55c81-e2ba-42f2-a134-bccf857ba922": {
 "rule_name": "Security Software Discovery using WMIC",
- "sha256": "e367014765972ea19c75ae672a6fed0a0c7915901fbf3ae50868a9faf7e0f9dd",
+ "sha256": "46ce350a70ad18636cde452bd1c45f325da59e8b2412b135766d037a3944a288",
 "type": "eql",
- "version": 113
+ "version": 115
 },
 "6ea71ff0-9e95-475b-9506-2580d1ce6154": {
 "rule_name": "DNS Activity to the Internet",
@@ -5511,9 +5511,9 @@
 },
 "708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
 "rule_name": "Suspicious Execution via MSIEXEC",
- "sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846",
+ "sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4",
 "type": "eql",
- "version": 2
+ "version": 4
 },
 "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
 "rule_name": "Persistence via WMI Standard Registry Provider",
@@ -5696,9 +5696,9 @@
 },
 "7592c127-89fb-4209-a8f6-f9944dfd7e02": {
 "rule_name": "Suspicious Sysctl File Event",
- "sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8",
+ "sha256": "d790d709f03bebac3ba27db548f318546cf856374beeabb46c5ced8ee2b2dab1",
 "type": "new_terms",
- "version": 107
+ "version": 108
 },
 "75dcb176-a575-4e33-a020-4a52aaa1b593": {
 "rule_name": "Service Disabled via Registry Modification",
@@ -5774,29 +5774,29 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Potential Remote Desktop Tunneling Detected",
- "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
+ "sha256": "b7ab17057206897d65dcad5a62262f342860ce34ca6624af13a3e70326b99e47",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.11": {
 "max_allowable_version": 311,
 "rule_name": "Potential Remote Desktop Tunneling Detected",
- "sha256": "798b0bc1aa4d176b16df395288002a2230428379590ddac8a418f1d42b23d435",
+ "sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "8.13": {
 "max_allowable_version": 413,
 "rule_name": "Potential Remote Desktop Tunneling Detected",
- "sha256": "3d646c36cc0e84e7c619ac72a7eb01e5b77ea36e35acec05e07f5aa24755bd79",
+ "sha256": "fa7f0992aba0bdd414251ed673752a12db4ec5e47f27f027e5183b546920abc8",
 "type": "eql",
- "version": 314
+ "version": 315
 }
 },
 "rule_name": "Potential Remote Desktop Tunneling Detected",
- "sha256": "a1f2778c3089a6666380ca97ed61892329ff328b9f9518586d3a79497eadf9c1",
+ "sha256": "1a434a85ff5b56a152e0d0113a98ed1da564de86086c64c2935069b35d97a87d",
 "type": "eql",
- "version": 414
+ "version": 415
 },
 "770e0c4d-b998-41e5-a62e-c7901fd7f470": {
 "min_stack_version": "8.14",
@@ -5829,9 +5829,9 @@
 },
 "7787362c-90ff-4b1a-b313-8808b1020e64": {
 "rule_name": "UID Elevation from Previously Unknown Executable",
- "sha256": "cba8664ad751541036313bc6f39bf662a14e3ee4440c028dac9c4b089dd71780",
+ "sha256": "20a7e5fcb8be7660f1a17f80c4e882a8fc95e82c19a75ad9f1a27620b30bec30",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "77a3c3df-8ec4-4da4-b758-878f551dee69": {
 "rule_name": "Adversary Behavior - Detected - Elastic Endgame",
@@ -5875,29 +5875,29 @@
 "8.10": {
 "max_allowable_version": 100,
 "rule_name": "Suspicious ScreenConnect Client Child Process",
- "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
+ "sha256": "416dce868f1a4876765a41cddaba8d8860afac5cca30502daf254f8f45cb337a",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "8.11": {
 "max_allowable_version": 202,
 "rule_name": "Suspicious ScreenConnect Client Child Process",
- "sha256": "49a6b4db003e5979ea703d08bd0b70fac84ca643c074a444e673d90ab43d8b3c",
+ "sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "8.13": {
 "max_allowable_version": 304,
 "rule_name": "Suspicious ScreenConnect Client Child Process",
- "sha256": "2cdef7164dd5efff7785fe8dd624222490599f9496bf2c1ae2652d0dab81dc9f",
+ "sha256": "bcbc70fad2d9c71913c432c46861cb8ff153465af7f9f11ab464014680f13996",
 "type": "eql",
- "version": 205
+ "version": 206
 }
 },
 "rule_name": "Suspicious ScreenConnect Client Child Process",
- "sha256": "54b0e619cd3f80d0144a009e63970baaa6f7b13db1e8853ed78bcd6dfd2a3d63",
+ "sha256": "1eaf3424c72feb184b48c48ad3da78cb7d02d08e49f2b3be6d1772122c378de4",
 "type": "eql",
- "version": 305
+ "version": 306
 },
 "78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
 "rule_name": "Suspicious File Renamed via SMB",
@@ -5962,7 +5962,7 @@
 "rule_name": "Potential Shadow Credentials added to AD Object",
 "sha256": "fcf721e497f059801651f6332bbdc66878edeac4195692fa7e6e402fbabf0fb1",
 "type": "query",
- "version": 111
+ "version": 113
 },
 "7a137d76-ce3d-48e2-947d-2747796a78c0": {
 "rule_name": "Network Sniffing via Tcpdump",
@@ -5984,9 +5984,9 @@
 },
 "7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
 "rule_name": "Potential Execution via XZBackdoor",
- "sha256": "e0c591aeba61158c00765037cf3782c59e6577da6a93fca8720d47fe1b602867",
+ "sha256": "b0577394863a57fc35c75a1748f35f6df69d1e0ae476ef4230fbdcd28d3dc564",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "7b08314d-47a0-4b71-ae4e-16544176924f": {
 "rule_name": "File and Directory Discovery",
@@ -6004,7 +6004,7 @@
 "rule_name": "Windows Network Enumeration",
 "sha256": "344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f",
 "type": "eql",
- "version": 113
+ "version": 115
 },
 "7b981906-86b7-4544-8033-c30ec6eb45fc": {
 "rule_name": "SELinux Configuration Creation or Renaming",
@@ -6036,9 +6036,9 @@
 },
 "7c2e1297-7664-42bc-af11-6d5d35220b6b": {
 "rule_name": "APT Package Manager Configuration File Creation",
- "sha256": "55bc076a0afc6e5d4aeeb675d5ceac237bd0b6f1be950eda19669219fb3bdf6b",
+ "sha256": "c15e188ea1ce6f3177c41bfe4cb9a692bfcdc3416f1af28263ebc1a14ca9404a",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "7caa8e60-2df0-11ed-b814-f661ea17fbce": {
 "rule_name": "Google Workspace Bitlocker Setting Disabled",
@@ -6088,29 +6088,29 @@
 "8.10": {
 "max_allowable_version": 102,
 "rule_name": "Microsoft Management Console File from Unusual Path",
- "sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49",
+ "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "8.12": {
 "max_allowable_version": 203,
 "rule_name": "Microsoft Management Console File from Unusual Path",
- "sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49",
+ "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "8.13": {
 "max_allowable_version": 304,
 "rule_name": "Microsoft Management Console File from Unusual Path",
- "sha256": "9f07ddc78490993b58486df4fc3d44fffd01697488bdc9523a3ee71b197662d4",
+ "sha256": "66858a324d0462bd232554434241130f2856843cf22ef73c579c09e3f6e39043",
 "type": "eql",
- "version": 205
+ "version": 206
 }
 },
 "rule_name": "Microsoft Management Console File from Unusual Path",
- "sha256": "b696ce99dbc3d3c4e3d25ea1ed05a27f867ee9358bae8fa0145cc89a006ffd7f",
+ "sha256": "09aa0b96928a0da988c7c455ed658d28a685def31b11dd104cab212d9ba3a979",
 "type": "eql",
- "version": 305
+ "version": 306
 },
 "7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
 "min_stack_version": "8.14",
@@ -6136,9 +6136,9 @@
 },
 "7fb500fa-8e24-4bd1-9480-2a819352602c": {
 "rule_name": "Systemd Timer Created",
- "sha256": "22106370ef245153e940ad0c5577fa5492b2c1799353840dcf28c8ef4a7c564a",
+ "sha256": "1e46fd812061270a2231dca8ec5a7ffbddd0a53997cfb62e0d457cac8e0a45d5",
 "type": "eql",
- "version": 14
+ "version": 15
 },
 "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
 "min_stack_version": "8.13",
@@ -6149,9 +6149,9 @@
 },
 "80084fa9-8677-4453-8680-b891d3c0c778": {
 "rule_name": "Enumeration of Kernel Modules via Proc",
- "sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587",
+ "sha256": "1cb7f1b40b2b92807f7a8f322a6510de21f99c502327d83b1d2f5865b494e36a",
 "type": "new_terms",
- "version": 106
+ "version": 107
 },
 "800e01be-a7a4-46d0-8de9-69f3c9582b44": {
 "rule_name": "Unusual Process Extension",
@@ -6163,7 +6163,7 @@
 "rule_name": "Potential PowerShell Obfuscated Script",
 "sha256": "6e71b4ea552314b263198211bc6bc680d060453ac942fe0fe59499562f8ed834",
 "type": "query",
- "version": 2
+ "version": 4
 },
 "804a7ac8-fc00-11ee-924b-f661ea17fbce": {
 "rule_name": "SSM Session Started to EC2 Instance",
@@ -6173,9 +6173,9 @@
 },
 "808291d3-e918-4a3a-86cd-73052a0c9bdc": {
 "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
- "sha256": "2f33fc4f7caa141d7d123cb9f3db0800102989bf888469014c091590af360155",
+ "sha256": "4a3c5fd150828acc188647d8c5574f0b88da993c4d0abaaa285644ff08021608",
 "type": "eql",
- "version": 3
+ "version": 5
 },
 "809b70d3-e2c3-455e-af1b-2626a5a1a276": {
 "rule_name": "Unusual City For an AWS Command",
@@ -6238,7 +6238,7 @@
 "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
 "sha256": "320a555df4db198a83d99c9c148c34b4bea3d27beec4d6824ea25b077dfdd561",
 "type": "query",
- "version": 213
+ "version": 215
 },
 "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
 "min_stack_version": "8.14",
@@ -6274,9 +6274,9 @@
 },
 "835c0622-114e-40b5-a346-f843ea5d01f1": {
 "rule_name": "Potential Linux Local Account Brute Force Detected",
- "sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f",
+ "sha256": "135901066ac707836fa9dc5d72517b43f80c3f43f8afdbcd0793ccd7e271f79b",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "83a1931d-8136-46fc-b7b9-2db4f639e014": {
 "rule_name": "Azure Kubernetes Pods Deleted",
@@ -6329,7 +6329,7 @@
 "rule_name": "Microsoft Exchange Transport Agent Install Script",
 "sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "84755a05-78c8-4430-8681-89cd6c857d71": {
 "rule_name": "At Job Created or Modified",
@@ -6397,9 +6397,9 @@
 },
 "870aecc0-cea4-4110-af3f-e02e9b373655": {
 "rule_name": "Security Software Discovery via Grep",
- "sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76",
+ "sha256": "d4773a9bd42acb66239348d5fe61bd9512fb95f50634dfbfaa1c8f42820b2b78",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "871ea072-1b71-4def-b016-6278b505138d": {
 "min_stack_version": "8.14",
@@ -6436,10 +6436,10 @@
 "version": 100
 },
 "884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
- "rule_name": "Potential Suspicious Clipboard Activity Detected",
- "sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839",
+ "rule_name": "Linux Clipboard Activity Detected",
+ "sha256": "948181ba2921e5e5ff2e950f272a9fa9cb5797927da206fc67100db0641746f3",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "88671231-6626-4e1b-abb7-6e361a171fbb": {
 "rule_name": "Microsoft 365 Global Administrator Role Assigned",
@@ -6582,10 +6582,10 @@
 "version": 207
 },
 "8acb7614-1d92-4359-bfcf-478b6d9de150": {
- "rule_name": "Suspicious JAVA Child Process",
- "sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75",
+ "rule_name": "Deprecated - Suspicious JAVA Child Process",
+ "sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
 "type": "new_terms",
- "version": 208
+ "version": 209
 },
 "8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
 "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
@@ -6622,9 +6622,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Enable Host Network Discovery via Netsh",
- "sha256": "071d89c4572134471756b34b80307bbb03d025c6ce054517a1789245187d0db8",
+ "sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -6657,22 +6657,22 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Unusual Child Process of dns.exe",
- "sha256": "413cab0e2b9bc4a6210ad80d9dda7117b2bc1fbe8a5ed8fbc922dfea700529e8",
+ "sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Unusual Child Process of dns.exe",
- "sha256": "918d4f6d345efaf52d079c3cb52fa771790a7777a86a818fdaa72a11aca5ffe0",
+ "sha256": "38d0941ee472b5919ff202905e616b35d4fcf58b34c86b0f728f3570f8e9d3c8",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Unusual Child Process of dns.exe",
- "sha256": "a339cd594e22f12930a187d07e676424f0c517d1782e02099541845fd5de7029",
+ "sha256": "b150ed721a6ec1116190ad1dcfb3db4e6c695a418fcd51fca09e3ab018d7ef3b",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "8c81e506-6e82-4884-9b9a-75d3d252f967": {
 "rule_name": "Potential SharpRDP Behavior",
@@ -6754,9 +6754,9 @@
 },
 "8eec4df1-4b4b-4502-b6c3-c788714604c9": {
 "rule_name": "Bitsadmin Activity",
- "sha256": "c8759e5d38ff5b6b5ccbd5f3bbb2dfdc6e5c2496f6838fb16ad79eff6df49fb9",
+ "sha256": "0eb3d4c886d1825f2f64434cbc2f7f824a2f31eb5a1f37d0c409129c1d89ab86",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "8f242ffb-b191-4803-90ec-0f19942e17fd": {
 "min_stack_version": "8.14",
@@ -6828,9 +6828,9 @@
 },
 "90babaa8-5216-4568-992d-d4a01a105d98": {
 "rule_name": "InstallUtil Activity",
- "sha256": "b92f346d7d4452e75805ef5947e138d215676542d84f62585faca2bbbdc5985e",
+ "sha256": "9f9c56b567948852bcbe378e570fdf547ce08d08295a8993571cd4b4327af2e7",
 "type": "eql",
- "version": 3
+ "version": 5
 },
 "90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
 "rule_name": "Auditd Login Attempt at Forbidden Time",
@@ -6888,7 +6888,7 @@
 "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
 "sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4",
 "type": "query",
- "version": 109
+ "version": 111
 },
 "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
 "min_stack_version": "8.14",
@@ -6962,9 +6962,9 @@
 "8.10": {
 "max_allowable_version": 206,
 "rule_name": "Encoded Executable Stored in the Registry",
- "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
+ "sha256": "e20bede2cf9f7765ae6d20ca1cf0c101e18b2cce36bd1404306fcfbdfc346d4c",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "8.11": {
 "max_allowable_version": 308,
@@ -7016,9 +7016,9 @@
 "8.10": {
 "max_allowable_version": 108,
 "rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
- "sha256": "1f336cac30c00c0a9d22ee5887d3b3fe79ca45615ac7a56079ac0fe826c75e30",
+ "sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "8.13": {
 "max_allowable_version": 208,
@@ -7050,7 +7050,7 @@
 "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
 "sha256": "6ec2f6a7128677f6221950458047a3b8e1280a63bea437a60b9c6da72c55d746",
 "type": "query",
- "version": 3
+ "version": 5
 },
 "954ee7c8-5437-49ae-b2d6-2960883898e9": {
 "min_stack_version": "8.14",
@@ -7072,7 +7072,7 @@
 "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
 "sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753",
 "type": "query",
- "version": 109
+ "version": 111
 },
 "95b99adc-2cda-11ef-84e1-f661ea17fbce": {
 "min_stack_version": "8.13",
@@ -7089,9 +7089,9 @@
 },
 "968ccab9-da51-4a87-9ce2-d3c9782fd759": {
 "rule_name": "File made Immutable by Chattr",
- "sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e",
+ "sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
 "rule_name": "Attempt to Create Okta API Token",
@@ -7163,29 +7163,29 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious Zoom Child Process",
- "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
+ "sha256": "caeba78c336bb935017ea2fa0a4a71a5d66c521649882281fff349ee6094c4da",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.11": {
 "max_allowable_version": 311,
 "rule_name": "Suspicious Zoom Child Process",
- "sha256": "745bbfc9daf71b081b3cbc422438c9c11dd5c34eee59681b1a8ee21dea74b4a6",
+ "sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "8.13": {
 "max_allowable_version": 413,
 "rule_name": "Suspicious Zoom Child Process",
- "sha256": "f7df58636dd0f5db7c616886cb0351669060903ff09f78b0e42e5bea9ef0c820",
+ "sha256": "60e026edebd1c4bcfd0580ec04e257e406ecedb6ace76131d14a9bbcad9535ee",
 "type": "eql",
- "version": 314
+ "version": 315
 }
 },
 "rule_name": "Suspicious Zoom Child Process",
- "sha256": "5405ae15a7c4c66cec53971ecfd6d17ba8647f25cced95b1c82df4fe7e5e660d",
+ "sha256": "9762b71fbc0bb8d0886f4b4c796d490d1e216a9cb3081ba46310edaa272fdf75",
 "type": "eql",
- "version": 414
+ "version": 415
 },
 "97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
 "rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -7225,15 +7225,15 @@
 },
 "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
 "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
- "sha256": "5712effbbe1f56916c81aa8c2fa4c30fe56da84d391d94c8f1fabfcc499a273f",
+ "sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "98843d35-645e-4e66-9d6a-5049acd96ce1": {
 "rule_name": "Indirect Command Execution via Forfiles/Pcalua",
- "sha256": "e660e1d232fba1ebc63af5c0809de741e16b48a216fc1e04333e400920a8a56f",
+ "sha256": "56ee900c3c60566cdad73204b69ff67f4e49dd0fbbf0ad53ddaaf26095c60caa",
 "type": "eql",
- "version": 3
+ "version": 5
 },
 "9890ee61-d061-403d-9bf6-64934c51f638": {
 "rule_name": "GCP IAM Service Account Key Deletion",
@@ -7269,7 +7269,7 @@
 "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
 "sha256": "85e5f6ced29ac3d6e31d6e1f4a7c0b4f2599e27e53092e952773acedced38cf5",
 "type": "eql",
- "version": 9
+ "version": 11
 },
 "9960432d-9b26-409f-972b-839a959e79e2": {
 "min_stack_version": "8.14",
@@ -7289,9 +7289,9 @@
 },
 "999565a2-fc52-4d72-91e4-ba6712c0377e": {
 "rule_name": "Access Control List Modification via setfacl",
- "sha256": "2bdb21ef00ffe93f4747808c826b6427d6a409233ef39a8eb86825ceac929077",
+ "sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "99dcf974-6587-4f65-9252-d866a3fdfd9c": {
 "rule_name": "Spike in Failed Logon Events",
@@ -7313,9 +7313,9 @@
 },
 "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
 "rule_name": "Potential Shadow File Read via Command Line Utilities",
- "sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780",
+ "sha256": "aa9fc82aa5324a0f942d1115e319178f8cb830f3e6d3a881a1859865b3768db5",
 "type": "new_terms",
- "version": 208
+ "version": 209
 },
 "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
 "min_stack_version": "8.14",
@@ -7402,15 +7402,15 @@
 "9b80cb26-9966-44b5-abbf-764fbdbc3586": {
 "min_stack_version": "8.11",
 "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
- "sha256": "869205c107b75f01fc84a1a4d7906b841d447e59fa886d66162a42cadd64c68e",
+ "sha256": "818ec7b5077ef339d297c377bd56ef3592dbf978c6f01eab575e082d7ec31f59",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "9c260313-c811-4ec8-ab89-8f6530e0246c": {
 "rule_name": "Hosts File Modified",
 "sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b",
 "type": "eql",
- "version": 109
+ "version": 111
 },
 "9c865691-5599-447a-bac9-b3f2df5f9a9d": {
 "min_stack_version": "8.14",
@@ -7473,7 +7473,7 @@
 "rule_name": "Microsoft Build Engine Started by a Script Process",
 "sha256": "37eced0f6fbe00d0d4f72c4340aafc08a0e4649d41713d82af3cbe9cdec35360",
 "type": "new_terms",
- "version": 210
+ "version": 212
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
 "min_stack_version": "8.14",
@@ -7481,9 +7481,9 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Microsoft Build Engine Started by a System Process",
- "sha256": "136ae03e8398626300b67d66ea323ef995153b5d73e05a4d97615fb9ccc4667f",
+ "sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
@@ -7534,7 +7534,7 @@
 "rule_name": "Microsoft Build Engine Started an Unusual Process",
 "sha256": "11b4fc95052ff2e6c25c718c92d10ff5bfcc0c4e6b2dfce4802d5ff828416772",
 "type": "new_terms",
- "version": 213
+ "version": 215
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
 "min_stack_version": "8.14",
@@ -7594,9 +7594,9 @@
 },
 "9f9a2a82-93a8-4b1a-8778-1780895626d4": {
 "rule_name": "File Permission Modification in Writable Directory",
- "sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46",
+ "sha256": "9c5b42e9d0ce3be94bd99e088bd928d5dd6f6dc750cf9a67b5cb20c6067bdd0b",
 "type": "new_terms",
- "version": 210
+ "version": 211
 },
 "a00681e3-9ed6-447c-ab2c-be648821c622": {
 "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
@@ -7660,15 +7660,15 @@
 "8.10": {
 "max_allowable_version": 206,
 "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
- "sha256": "5e85d0964ffb23e46464866537bf77a32631a6719b54a4a2b2145594bc426af1",
+ "sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
- "sha256": "c27402a2b97ef38d57e1ca971362297737b43fc11bfbeba559dbb459a49a79de",
+ "sha256": "cbb9883d7a92a6a590c0f8f1280653d30652d6832ac8209e13d9fd8af07494bc",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "a1699af0-8e1e-4ed0-8ec1-89783538a061": {
 "min_stack_version": "8.14",
@@ -7750,7 +7750,7 @@
 "rule_name": "PowerShell Mailbox Collection Script",
 "sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087",
 "type": "query",
- "version": 8
+ "version": 10
 },
 "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
 "min_stack_version": "8.14",
@@ -8040,7 +8040,7 @@
 "rule_name": "Unusual Windows Process Calling the Metadata Service",
 "sha256": "41d9773b53e26197a39fa675ffa40d07b17987dd304c38336693138b0222111c",
 "type": "machine_learning",
- "version": 105
+ "version": 107
 },
 "ac412404-57a5-476f-858f-4e8fbb4f48d8": {
 "rule_name": "Potential Persistence via Login Hook",
@@ -8080,9 +8080,9 @@
 },
 "ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
 "rule_name": "Git Hook Created or Modified",
- "sha256": "1a2154c53e400d0a4a40954d8b3bb8a81e9c72e8ea5339616287431599bbd96a",
+ "sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "ac5a2759-5c34-440a-b0c4-51fe674611d6": {
 "min_stack_version": "8.14",
@@ -8139,7 +8139,7 @@
 "rule_name": "Potential Invoke-Mimikatz PowerShell Script",
 "sha256": "b419d7a1beb994f9b021b2477fb9df633c75879e1523c5d9042f5f83dc1f98e0",
 "type": "query",
- "version": 109
+ "version": 111
 },
 "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
 "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
@@ -8219,15 +8219,15 @@
 },
 "ad5a3757-c872-4719-8c72-12d3f08db655": {
 "rule_name": "Openssl Client or Server Activity",
- "sha256": "eb60ed38bd81425874c7f966c9730433440964d537828399605c87d3e47a6ace",
+ "sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
 "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
 "sha256": "23c56aed37124f4d42a7e066da164226be49cc33c8358d269cb23b54daa61b9b",
 "type": "query",
- "version": 111
+ "version": 113
 },
 "ad88231f-e2ab-491c-8fc6-64746da26cfe": {
 "rule_name": "Kerberos Cached Credentials Dumping",
@@ -8284,9 +8284,9 @@
 },
 "aebaa51f-2a91-4f6a-850b-b601db2293f4": {
 "rule_name": "Shared Object Created or Changed by Previously Unknown Process",
- "sha256": "2ea424f3dd8247a4393a0720f27cf711e88eeb3053ef0a9d566a12ccdbff9d2f",
+ "sha256": "e0f82917421c7696991e4560a68459553d9372473b32461c5f4dfefc5ad1c98a",
 "type": "new_terms",
- "version": 8
+ "version": 9
 },
 "afa135c0-a365-43ab-aa35-fd86df314a47": {
 "rule_name": "Unusual User Privilege Enumeration via id",
@@ -8374,7 +8374,7 @@
 "rule_name": "Potential Network Share Discovery",
 "sha256": "1eec14e34b78d05d1d54269871b6b0fffff322f1f5bba3508e37ad163c8f498e",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "b240bfb8-26b7-4e5e-924e-218144a3fa71": {
 "rule_name": "Spike in Network Traffic",
@@ -8438,9 +8438,9 @@
 "8.10": {
 "max_allowable_version": 212,
 "rule_name": "Suspicious Endpoint Security Parent Process",
- "sha256": "7b41c9b34eb7756cea5d9ea21200350a5e85bf48b70549efb6bb1a05a8f336d9",
+ "sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 312,
@@ -8492,9 +8492,9 @@
 },
 "b483365c-98a8-40c0-92d8-0458ca25058a": {
 "rule_name": "At.exe Command Lateral Movement",
- "sha256": "596bc9757fd1b14354c88844abe003ea6c44c81e47e0c0e3eb676d0e18a37aa2",
+ "sha256": "0faf08d3fdfac536a63dfff97a2abbd6313f1fefaf83540375468e94be91e7a0",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
 "rule_name": "Attempt to Delete an Okta Policy",
@@ -8562,9 +8562,9 @@
 },
 "b627cd12-dac4-11ec-9582-f661ea17fbcd": {
 "rule_name": "Elastic Agent Service Terminated",
- "sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671",
+ "sha256": "f3649a0d50320a3030f75006849ddad5a4d2da60d180156464fccb95ead0343d",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "b64b183e-1a76-422d-9179-7b389513e74d": {
 "min_stack_version": "8.14",
@@ -8655,7 +8655,7 @@
 "rule_name": "PowerShell Invoke-NinjaCopy script",
 "sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552",
 "type": "query",
- "version": 7
+ "version": 9
 },
 "b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
 "min_stack_version": "8.14",
@@ -8709,9 +8709,9 @@
 "8.10": {
 "max_allowable_version": 104,
 "rule_name": "Kirbi File Creation",
- "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
+ "sha256": "dac2e2c25e7dd1a182070fd822b152f0095457a92cc288cdb320b70210ac5506",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "8.11": {
 "max_allowable_version": 206,
@@ -8758,9 +8758,9 @@
 },
 "b910f25a-2d44-47f2-a873-aabdc0d355e6": {
 "rule_name": "Chkconfig Service Add",
- "sha256": "49a38a189b45b8742927c27e0f3bc16b1f3b9ea5805a11c8eb6cb1abff49eeb8",
+ "sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
 "rule_name": "Discovery of Domain Groups",
@@ -8792,9 +8792,9 @@
 },
 "b9666521-4742-49ce-9ddc-b8e84c35acae": {
 "rule_name": "Creation of Hidden Files and Directories via CommandLine",
- "sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d",
+ "sha256": "96c38ecf43de8a4a33c0288d46a9ba72c818241dbfade2a921c8c79a69ed4faf",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "b9960fef-82c6-4816-befa-44745030e917": {
 "min_stack_version": "8.14",
@@ -8829,7 +8829,7 @@
 "rule_name": "Unusual Windows Network Activity",
 "sha256": "0a7119838ef1bbfcb9f54801d64f16dd3d98728399c20c2d35f94a5ce6ad4ce4",
 "type": "machine_learning",
- "version": 105
+ "version": 107
 },
 "ba81c182-4287-489d-af4d-8ae834b06040": {
 "rule_name": "Kernel Driver Load by non-root User",
@@ -8916,9 +8916,9 @@
 },
 "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
 "rule_name": "Potential Non-Standard Port SSH connection",
- "sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26",
+ "sha256": "97bc67179bba8f6cfb7b0f1f51016d7a35525d4394522b1dff503b2777675b42",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
 "rule_name": "File and Directory Permissions Modification",
@@ -8942,13 +8942,13 @@
 "rule_name": "PowerShell Keylogging Script",
 "sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b",
 "type": "query",
- "version": 114
+ "version": 116
 },
 "bd3d058d-5405-4cee-b890-337f09366ba2": {
 "rule_name": "Potential Defense Evasion via CMSTP.exe",
- "sha256": "cf28ed994aa47d40b0d77d68da9785c3c07ff15ccd3ad79e7aec4b99bc0b90e2",
+ "sha256": "1b379c5cbede7bf2589191a432c64ff0cec22ff6311e672094cd7adfdb312095",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "bd7eefee-f671-494e-98df-f01daf9e5f17": {
 "min_stack_version": "8.14",
@@ -8956,21 +8956,21 @@
 "8.10": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Print Spooler Point and Print DLL",
- "sha256": "724eec536f66fe8a03fe8cdef9a9cc126999a17e21ca4b456271a6dac6ac1e9a",
+ "sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Suspicious Print Spooler Point and Print DLL",
- "sha256": "724eec536f66fe8a03fe8cdef9a9cc126999a17e21ca4b456271a6dac6ac1e9a",
+ "sha256": "db7cf9c80bdb8b5893f2f43e48a7d7df98a942bf350a50d63170ac69fa939a6f",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
 "rule_name": "Potential Pspy Process Monitoring Detected",
- "sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe",
+ "sha256": "208ae3e9f868bf1cce7eb02281964c937adbfde045a989a1092be5f6762da5f5",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "bdcf646b-08d4-492c-870a-6c04e3700034": {
 "min_stack_version": "8.14",
@@ -9008,7 +9008,7 @@
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
 "sha256": "33fbe922a809500b90b0b747bca167cf62c51e06ababa878a628223092488470",
 "type": "machine_learning",
- "version": 6
+ "version": 8
 },
 "be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
 "rule_name": "Unusual Remote File Directory",
@@ -9022,22 +9022,22 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Searching for Saved Credentials via VaultCmd",
- "sha256": "d94f813f3adad813ecd430aca4ca81b77662ad2e1bf90576aded2e84b4e12f66",
+ "sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Searching for Saved Credentials via VaultCmd",
- "sha256": "9aa835a42ccfb3fc6fd49f646d5cf9b6a9571de15990d420846c8337e15d4660",
+ "sha256": "db1f6c9c5239a78f6c915ce9494aaffcf9463f9e6f0dd22ae5f13015228ec267",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Searching for Saved Credentials via VaultCmd",
- "sha256": "871d6e23b0e77d32ac7d8e92be4a9861f61135565f0297109c30dbde7fa36a2f",
+ "sha256": "aa92d61a20988fcff096acb8bdefc175bc6a9106afea40c6075279a20c88a82c",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
 "rule_name": "AWS RDS DB Instance Restored",
@@ -9118,7 +9118,7 @@
 "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
 "sha256": "e35fdfd50d3dc2bb04494da7e86463de8df7262df4dc0e66fda0ce85c0784cb4",
 "type": "query",
- "version": 2
+ "version": 4
 },
 "c125e48f-6783-41f0-b100-c3bf1b114d16": {
 "rule_name": "Suspicious Renaming of ESXI index.html File",
@@ -9216,9 +9216,9 @@
 },
 "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
 "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
- "sha256": "48e762ddbceaf6256b8b4c9f5a0d0236f8b0a26eb64f33a8366908c1e39ecf03",
+ "sha256": "c056bd0c7ba6094f8c2e3dab39e877cd912116a95831c04b4dcd657055f001cb",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "c3b915e0-22f3-4bf7-991d-b643513c722f": {
 "min_stack_version": "8.14",
@@ -9262,9 +9262,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
- "sha256": "ea6c245fc31ad66d45cb335f153b5b6cc1962313e4fc87ee3ad4890e4df9d4fc",
+ "sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -9310,15 +9310,15 @@
 },
 "c55badd3-3e61-4292-836f-56209dc8a601": {
 "rule_name": "Attempted Private Key Access",
- "sha256": "3f4bc3609acb832849bf3dfb8d0011e9101a62ddbb200980ef4c9c1c18105c16",
+ "sha256": "a4672a225e05abdfbd91924298f689eb56da9ff55c0db55ca1f87d7ca8bdd3d9",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "c5677997-f75b-4cda-b830-a75920514096": {
 "rule_name": "Service Path Modification via sc.exe",
- "sha256": "19481cd5f0061d0e9abb287e0056d90364099357f75b6d510e5daf24b03f7344",
+ "sha256": "68a44067c32fb88cc99fc0e545ddfb866037e9bc40ee5f130d2798f03f4e94aa",
 "type": "eql",
- "version": 5
+ "version": 7
 },
 "c57f8579-e2a5-4804-847f-f2732edc5156": {
 "min_stack_version": "8.14",
@@ -9394,9 +9394,9 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Microsoft Build Engine Started by an Office Application",
- "sha256": "71713128fb40f765aa19577ca4c5ee2641efa56f6b05b76896c18d048f27a904",
+ "sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
@@ -9553,9 +9553,9 @@
 },
 "c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
 "rule_name": "Potential Linux Ransomware Note Creation Detected",
- "sha256": "370e2287e26fd37cab018216a50a46bdac348146f3ab718ff3a9d20dd6380f0e",
+ "sha256": "beed8f315f35277cafc2f3c69e1efaa6dbb44c60c2a4898cb869bbccef4035c9",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "min_stack_version": "8.14",
@@ -9563,9 +9563,9 @@
 "8.10": {
 "max_allowable_version": 212,
 "rule_name": "Suspicious Startup Shell Folder Modification",
- "sha256": "fdeb8bd3bd36da8482aec51fe088238a05b01313fe6a03b6a96be73499e64c95",
+ "sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 312,
@@ -9586,9 +9586,9 @@
 "8.10": {
 "max_allowable_version": 211,
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
- "sha256": "b6c3999e3b7038dd6d84f41e410f3f357f47f247ca63dab5d626eba35c8f1403",
+ "sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 311,
@@ -9635,9 +9635,9 @@
 },
 "cac91072-d165-11ec-a764-f661ea17fbce": {
 "rule_name": "Abnormal Process ID or Lock File Created",
- "sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a",
+ "sha256": "a8cbba8e757bacc0d4a491555d42b7d66a7d1eec1394da1a8f1cddfd82cf5bb9",
 "type": "new_terms",
- "version": 213
+ "version": 214
 },
 "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
 "rule_name": "Google Workspace MFA Enforcement Disabled",
@@ -9729,9 +9729,9 @@
 },
 "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
 "rule_name": "Kernel Module Removal",
- "sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f",
+ "sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
 "rule_name": "Downloaded URL Files",
@@ -9741,9 +9741,9 @@
 },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
- "sha256": "fb512e2a04b7bf3b8549b73433d2f7f16c1fc0028ad3a8730030fc324bd23ee6",
+ "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
 "rule_name": "Okta User Session Impersonation",
@@ -9765,7 +9765,7 @@
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
 "sha256": "6262fc93d9b9ad2723c123c69d5d878e62bdec2dc156698f9ad18a818677df0c",
 "type": "query",
- "version": 112
+ "version": 114
 },
 "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
 "rule_name": "Shadow File Modification",
@@ -9785,9 +9785,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
- "sha256": "d5a932b4cde4b72560bcd708508421d4e1157cbdf147429ffc893e6f28d0ec3a",
+ "sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -9896,9 +9896,9 @@
 "8.10": {
 "max_allowable_version": 211,
 "rule_name": "Symbolic Link to Shadow Copy Created",
- "sha256": "3732dc9625b63920eb195603fc132b4be43a8c17c19933f8e2f9ca1c08ed3606",
+ "sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 311,
@@ -10007,9 +10007,9 @@
 },
 "d3551433-782f-4e22-bbea-c816af2d41c6": {
 "rule_name": "WMI WBEMTEST Utility Execution",
- "sha256": "2ec39c980e8e040f091141e4bba068c7e2d9421b07a8d3a80a12f3410c234ad5",
+ "sha256": "5f491cb250197e96f8b04303127d25ac73bfa4d6a8c4f391c9557212b28adb50",
 "type": "eql",
- "version": 3
+ "version": 5
 },
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "rule_name": "Shell Execution via Apple Scripting",
@@ -10072,9 +10072,9 @@
 "8.10": {
 "max_allowable_version": 207,
 "rule_name": "Privilege Escalation via Windir Environment Variable",
- "sha256": "3811648f476d3fc838556af8d262a1088cd53f6ee50ae76a0e23637bb58c0ead",
+ "sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "8.13": {
 "max_allowable_version": 307,
@@ -10113,9 +10113,9 @@
 },
 "d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
 "rule_name": "Unusual DPKG Execution",
- "sha256": "69340d5a5035b5a7afddb451f23b3a5ff02a53ac0e1d8d93bc331e92cccfde1b",
+ "sha256": "24402d8ab6122a577c5617dca6a28ef35fbfe7ce2ff4051aaed28f9fd8640891",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
 "rule_name": "AWS CloudWatch Log Stream Deletion",
@@ -10137,9 +10137,9 @@
 },
 "d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
 "rule_name": "System Information Discovery via Windows Command Shell",
- "sha256": "d2b8477d5765b0980fbdb9f344b4ff035ec0cb0578b284a317b889b5e58ff032",
+ "sha256": "a509788cd40ec1f0f0af9c860a4dbb6f77a05421428008e91c1619cf410ee20e",
 "type": "eql",
- "version": 13
+ "version": 15
 },
 "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
 "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
@@ -10194,9 +10194,9 @@
 },
 "d74d6506-427a-4790-b170-0c2a6ddac799": {
 "rule_name": "Suspicious Memory grep Activity",
- "sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165",
+ "sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "d75991f2-b989-419d-b797-ac1e54ec2d61": {
 "rule_name": "SystemKey Access via Command Line",
@@ -10364,7 +10364,7 @@
 "rule_name": "Potential Pass-the-Hash (PtH) Attempt",
 "sha256": "605a26973cce40e167abba5375124060d5ae04432693969be8b5bee370e4185e",
 "type": "new_terms",
- "version": 5
+ "version": 7
 },
 "dafa3235-76dc-40e2-9f71-1773b96d24cf": {
 "rule_name": "Multi-Factor Authentication Disabled for an Azure User",
@@ -10444,9 +10444,9 @@
 },
 "dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
 "rule_name": "Potential Hidden Process via Mount Hidepid",
- "sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7",
+ "sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "min_stack_version": "8.14",
@@ -10454,22 +10454,22 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "6913e8fd7b9203ace2ef366cb24c06ff59a5c1908905f32042768f3590809916",
+ "sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "cb144e1664eae2022a168bf937188f2f8f0498ea2c8f35164327b7ed8a553f03",
+ "sha256": "fc94eadae513c2cc5d7926f9b29162dc04e94539951f7b86fd3bdd9832ca46db",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
- "sha256": "49d710901913160d828cd0fe69071b96efd4e943a03e70a95f1e579e09fb5bae",
+ "sha256": "fd5c86759b6948c95d8e08768f9293bd265a8dc55d2351badc0205d0b356c28a",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "rule_name": "Unusual Country For an AWS Command",
@@ -10541,9 +10541,9 @@
 "8.10": {
 "max_allowable_version": 209,
 "rule_name": "NullSessionPipe Registry Modification",
- "sha256": "35578d34109317c67ca01f095e9d891323b630a65d9c3b4bb9fa61bb4ae51074",
+ "sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
@@ -10571,22 +10571,22 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "1ea85895c1e9692b2144abd83a39f906efacd1dd15a7e0ea709d74bd772a29f1",
+ "sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "08289b38793c4f025901e9d6568a91f4a5cadeb60603041c278622343e9ca486",
+ "sha256": "a7b99e7aa7cbd5a81b8013087a2b9fccead7841f4219882418dcbd63763d3608",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Unusual Child Process from a System Virtual Process",
- "sha256": "c764cc98731b767bd1daf51c93e2b175ceacda33748ac361e2a2faea9b5f8efc",
+ "sha256": "cbc93e8df0c9561bcf71aa5c1c047699a17c624200c322609b788853594cca6a",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "debff20a-46bc-4a4d-bae5-5cdd14222795": {
 "rule_name": "Base16 or Base32 Encoding/Decoding Activity",
@@ -10610,7 +10610,7 @@
 "rule_name": "Unusual Windows User Calling the Metadata Service",
 "sha256": "d328e86d5da5551f9015b551689158237ac673a65a0d2980967ff93f1b9638b3",
 "type": "machine_learning",
- "version": 105
+ "version": 107
 },
 "df26fd74-1baa-4479-b42e-48da84642330": {
 "rule_name": "Azure Automation Account Created",
@@ -10696,9 +10696,9 @@
 },
 "e0881d20-54ac-457f-8733-fe0bc5d44c55": {
 "rule_name": "System Service Discovery through built-in Windows Utilities",
- "sha256": "722dc606baba2b7a20f5fa648810db4aff9da0019aa616b58dacbdcc0d003765",
+ "sha256": "d82fcf936af322fa2da05ceac8ec3a4994a372bf58f8664d1345e0dddc57d275",
 "type": "eql",
- "version": 8
+ "version": 10
 },
 "e08ccd49-0380-4b2b-8d71-8000377d6e49": {
 "rule_name": "Attempts to Brute Force an Okta User Account",
@@ -10708,9 +10708,9 @@
 },
 "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
 "rule_name": "Potentially Suspicious Process Started via tmux or screen",
- "sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a",
+ "sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
 "rule_name": "Whitespace Padding in Process Command Line",
@@ -10774,14 +10774,14 @@
 "rule_name": "Suspicious .NET Reflection via PowerShell",
 "sha256": "ca835ae54902b43b43600be560e50e3ec172b5bab2d1419520717665a9b443e8",
 "type": "query",
- "version": 215
+ "version": 217
 },
 "e28b8093-833b-4eda-b877-0873d134cf3c": {
 "min_stack_version": "8.11",
 "rule_name": "Network Traffic Capture via CAP_NET_RAW",
- "sha256": "0d493d54d6a9e9eb8b1f527d5c6ebdffc45744a26431e74cad009bc649787cd4",
+ "sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
 "min_stack_version": "8.12",
@@ -10853,9 +10853,9 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Process Activity via Compiled HTML File",
- "sha256": "e854ef45e0b15bde6c824b68e085a4fa5f63ae2e6c35b648a7756ba04b22f351",
+ "sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
@@ -10900,15 +10900,15 @@
 },
 "e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
 "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
- "sha256": "a12fc5ac4681febd200e96fa86740a7e2de167ef46d88241bac338e2664351a8",
+ "sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
 "rule_name": "First Time Seen NewCredentials Logon Process",
 "sha256": "ffe14ac65dfa2a8820245873c21a9e1c00089649ed9d3be35102f434e3824639",
 "type": "new_terms",
- "version": 4
+ "version": 6
 },
 "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
 "rule_name": "Attempt to Modify an Okta Network Zone",
@@ -10936,7 +10936,7 @@
 "rule_name": "Kerberos Pre-authentication Disabled for User",
 "sha256": "aad6c2b791f2afc079b2ed0ef7a166717dc6a09cc6de90722d6ebf150ddc70fb",
 "type": "query",
- "version": 112
+ "version": 114
 },
 "e555105c-ba6d-481f-82bb-9b633e7b4827": {
 "rule_name": "MFA Disabled for Google Workspace Organization",
@@ -11134,9 +11134,9 @@
 },
 "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
 "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
- "sha256": "8357787656e3daed9dc3bd059a5ddbfe3135b2c8f5f60e19c0e6f21f35c60199",
+ "sha256": "53547d9a43a3fc0d757d092bb75810899bd2886e9a0ff67b393c97c069bd4753",
 "type": "new_terms",
- "version": 106
+ "version": 107
 },
 "e90ee3af-45fc-432e-a850-4a58cf14a457": {
 "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -11213,7 +11213,7 @@
 "rule_name": "Unusual Process Spawned by a Parent Process",
 "sha256": "273ab111885b862ada1a91bda7e0c52c082564cfb0bd6c60905f01285ffdc336",
 "type": "machine_learning",
- "version": 6
+ "version": 8
 },
 "ea248a02-bc47-4043-8e94-2885b19b2636": {
 "rule_name": "AWS IAM Brute Force of Assume Role Policy",
@@ -11243,13 +11243,13 @@
 "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
 "sha256": "452345c390a3f58cffe2ad756b136a031115a28fa4243770374662c6c857f01a",
 "type": "query",
- "version": 5
+ "version": 7
 },
 "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
 "rule_name": "PowerShell Kerberos Ticket Request",
 "sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8",
 "type": "query",
- "version": 112
+ "version": 114
 },
 "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
 "rule_name": "Suspicious Network Connection Attempt by Root",
@@ -11322,22 +11322,22 @@
 "8.10": {
 "max_allowable_version": 211,
 "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "7997ce4c4ea3c3ef0d1adec59cb16f13f15a066fbf0ce32911c176a9d52c6efe",
+ "sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "3f2bd412d6cfb3cf1e423a19361cd64ce9df8fa5cbcf9b6137aa6844c7ab4773",
+ "sha256": "7b1ad0930e0d399848cb3814f29f4114d11dc749c1117fe69b11dcfda2aa05d4",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Process Execution from an Unusual Directory",
- "sha256": "bbb273361c04bf542c7aef6dd6996e80dc4d87b34edf41bdbea421b7eea98136",
+ "sha256": "b5ef38fb69f464a4b3a78df77efdff1973928840166119bd81ec4834d944cac2",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "ec604672-bed9-43e1-8871-cf591c052550": {
 "rule_name": "File Made Executable via Chmod Inside A Container",
@@ -11353,9 +11353,9 @@
 },
 "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
 "rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
- "sha256": "4403a1b8cc3b6cf55887b3e1bb2c55edebd5d4110ed98095a7e4d74823fe5f11",
+ "sha256": "61702c8dcf0374f8bb444a8a111fb32779c6ef86dbbfa133ec1fdb56321c8db1",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
 "rule_name": "Executable File with Unusual Extension",
@@ -11585,9 +11585,9 @@
 },
 "f243fe39-83a4-46f3-a3b6-707557a102df": {
 "rule_name": "Service Path Modification",
- "sha256": "af6644977dc35574f5942430a311b670b041e7fce34a70a57fed46135b94c210",
+ "sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091",
 "type": "eql",
- "version": 4
+ "version": 6
 },
 "f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
 "rule_name": "Creation of Hidden Login Item via Apple Script",
@@ -11607,22 +11607,22 @@
 "8.10": {
 "max_allowable_version": 208,
 "rule_name": "SIP Provider Modification",
- "sha256": "4f2fa4f7ba18189f4ee2482c093526e503df9e2402510c43f392b820c072387e",
+ "sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "8.13": {
 "max_allowable_version": 308,
 "rule_name": "SIP Provider Modification",
- "sha256": "410120de8d4d9f8849234a383e2f8a0c99e6986e2c88487b30e9966af201d8d5",
+ "sha256": "d738dfc708658d71ae14be394ef74073c038935186dcd52452963824dcff6832",
 "type": "eql",
- "version": 209
+ "version": 210
 }
 },
 "rule_name": "SIP Provider Modification",
- "sha256": "410120de8d4d9f8849234a383e2f8a0c99e6986e2c88487b30e9966af201d8d5",
+ "sha256": "ee278465be6f3dbb091ce5d5a2f86ef626accfc7c850b1fa069f00a2fd0b4b72",
 "type": "eql",
- "version": 309
+ "version": 310
 },
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "min_stack_version": "8.14",
@@ -11689,9 +11689,9 @@
 },
 "f3818c85-2207-4b51-8a28-d70fb156ee87": {
 "rule_name": "Suspicious Network Connection via systemd",
- "sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c",
+ "sha256": "45c7e70c63f0babc04075bb7fcacaf276c43f3f76f27788e95a22486dc947598",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
 "rule_name": "Threat Intel URL Indicator Match",
@@ -11701,9 +11701,9 @@
 },
 "f41296b4-9975-44d6-9486-514c6f635b2d": {
 "rule_name": "Potential curl CVE-2023-38545 Exploitation",
- "sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808",
+ "sha256": "a4f60de34a9b8854d098412627c483a602372a1752481e4bb94ee32edabdfeb4",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
 "min_stack_version": "8.14",
@@ -11738,7 +11738,7 @@
 "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
 "sha256": "a501daeafd36d21146d80fd784cd66a942aba32df467a451a98e26818a2e661b",
 "type": "query",
- "version": 112
+ "version": 114
 },
 "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
 "min_stack_version": "8.13",
@@ -11799,37 +11799,37 @@
 "rule_name": "Rare SMB Connection to the Internet",
 "sha256": "d22f0fbb911966cb407185b46199efd05573dd405193ce51ed521b9b72d30289",
 "type": "new_terms",
- "version": 6
+ "version": 9
 },
 "f5861570-e39a-4b8a-9259-abd39f84cb97": {
 "rule_name": "WRITEDAC Access on Active Directory Object",
 "sha256": "a6c101a1883de891bb4d57551be80870b4826b128ce142cd1118f3aec69e22da",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "f59668de-caa0-4b84-94c1-3a1549e1e798": {
 "rule_name": "WMIC Remote Command",
- "sha256": "bde579fd6042b8f056a3c84c411c1b0a020840f712a7b40248674978d6d629aa",
+ "sha256": "3bd84cb33875e0103cc886054ecc28efc9a73d479a6af6ebc8457657b6b35189",
 "type": "eql",
- "version": 6
+ "version": 8
 },
 "f5c005d3-4e17-48b0-9cd7-444d48857f97": {
 "rule_name": "Setcap setuid/setgid Capability Set",
- "sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6",
+ "sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
 "sha256": "cd92b6d8bfeeb796c8aa85d4173fc81fada02dcee2eba62947319524f50b8bc3",
 "type": "machine_learning",
- "version": 6
+ "version": 8
 },
 "f5fb4598-4f10-11ed-bdc3-0242ac120002": {
 "rule_name": "Masquerading Space After Filename",
- "sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37",
+ "sha256": "5f2226e282c0f810754301af6a21ee8303cfc152b5003db4500df84b536cc373",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
 "rule_name": "Account or Group Discovery via Built-In Tools",
@@ -11945,9 +11945,9 @@
 "f7c70f2e-4616-439c-85ac-5b98415042fe": {
 "min_stack_version": "8.11",
 "rule_name": "Potential Privilege Escalation via Linux DAC permissions",
- "sha256": "39e51bf1355bc9d55908c45292191667d343c6e7e55bd924acc646c39149c813",
+ "sha256": "c019dc62df736fd44d9e738556bb88927bb5a3381f6dd541d60087ba788d3255",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "f81ee52c-297e-46d9-9205-07e66931df26": {
 "min_stack_version": "8.14",
@@ -11980,9 +11980,9 @@
 },
 "f86cd31c-5c7e-4481-99d7-6875a3e31309": {
 "rule_name": "Printer User (lp) Shell Execution",
- "sha256": "8c82f7ae81e70899a3291b174c982e42800a293504f4224e5b966446845357bb",
+ "sha256": "6507c4745da0b0264ac93849eb4783ca11447050920d70c87be1c446f2206d74",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "f874315d-5188-4b4a-8521-d1c73093a7e4": {
 "min_stack_version": "8.14",
@@ -12012,7 +12012,7 @@
 "rule_name": "Potential Active Directory Replication Account Backdoor",
 "sha256": "9302b94451cee85bf6f7911e5a81caad7dad04e6d5d9271549085ee41f25cfe5",
 "type": "query",
- "version": 3
+ "version": 5
 },
 "f909075d-afc7-42d7-b399-600b94352fd9": {
 "min_stack_version": "8.14",
@@ -12099,9 +12099,9 @@
 "8.10": {
 "max_allowable_version": 210,
 "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "047b8cd1964481be440c7186d72ce524d343cb9aef77ae92e9f48b47f18b27f0",
+ "sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
@@ -12307,7 +12307,7 @@
 "rule_name": "Svchost spawning Cmd",
 "sha256": "2140d944bef1c61a87c150671d805d24438ca8fe7e109ef377a97dbc5a4efd83",
 "type": "new_terms",
- "version": 216
+ "version": 219
 },
 "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
 "rule_name": "Image Loaded with Invalid Signature",
@@ -12317,21 +12317,21 @@
 },
 "fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
 "rule_name": "System Binary Moved or Copied",
- "sha256": "c86b28f11fe883a792c1f4a99ca24524597264470b2dc6d302b02795551ec614",
+ "sha256": "49225541197b4b6b4988a3f6f4b5e6540977b229a825bfea0d1292a82a942d39",
 "type": "eql",
- "version": 12
+ "version": 13
 },
 "fddff193-48a3-484d-8d35-90bb3d323a56": {
 "rule_name": "PowerShell Kerberos Ticket Dump",
 "sha256": "d2f0a42229c44c3071f0ff420fc676660dd1a831a53634858ff9c59b0df0e7d1",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
 "sha256": "8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b",
 "type": "query",
- "version": 6
+ "version": 8
 },
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "min_stack_version": "8.14",
@@ -12405,9 +12405,9 @@
 },
 "ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
 "rule_name": "Cron Job Created or Modified",
- "sha256": "ed309e5ccb19be6d0cd66d8b65d8c4d28a0fd81f4d5dd3a10bb6a321632bf511",
+ "sha256": "b0c6daed3da044ef0e0ce21a69c8b2b1a79c9e7b050b3d2d21597432dc235d90",
 "type": "eql",
- "version": 13
+ "version": 14
 },
 "ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
 "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",