From 3cc76c318bc5050ffa61c2892b8c409e03a2f453 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 17:59:01 +0530 Subject: [PATCH] Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615) (cherry picked from commit 374f21fbc46e0bc75fbc606f24bd8381b438d329) --- detection_rules/etc/version.lock.json | 736 +++++++++++++------------- 1 file changed, 376 insertions(+), 360 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 426d47b61e6..2b6b8f3a9ec 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -64,9 +64,9 @@ } }, "rule_name": "AWS Redshift Cluster Creation", - "sha256": "b1c8e121fb4363f74d0c8928f3335aa2f374919f5257a9f4b17483773c49f348", + "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca", "type": "query", - "version": 205 + "version": 206 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { "min_stack_version": "8.3", @@ -243,16 +243,16 @@ "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", - "sha256": "3d344eb978705ac0e25885898c67ade3ea3a02d52dcb020ec9eb4b253f2a0ef2", + "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", "type": "eql", - "version": 111 + "version": 112 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.3", "rule_name": "System Time Discovery", - "sha256": "d5237e35b753d923902ad797bb8384e1f6c0cb0ba658c922501345f214656ad0", + "sha256": "c26f50ed371b312a315bf0bbbc399f65d446218ecd7f63e471538c0e145ea7c9", "type": "eql", - "version": 6 + "version": 7 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "min_stack_version": "8.9", @@ -350,9 +350,9 @@ "089db1af-740d-4d84-9a5b-babd6de143b0": { "min_stack_version": "8.3", "rule_name": "Windows Account or Group Discovery", - "sha256": "bb76e59c53a0b50ac513121a9591fecea2eac83851584542c8860bb511c0785f", + "sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb", "type": "eql", - "version": 3 + "version": 4 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", @@ -370,9 +370,9 @@ "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", - "sha256": "ee3f7d78630d4adbddf7402565e30e9e5b09adbfb02eaed22e884dfd5429bc8e", + "sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad", "type": "eql", - "version": 108 + "version": 109 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { "min_stack_version": "8.3", @@ -522,9 +522,9 @@ "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "35d7c86905c491f7aaa616dc6addc861d534b1c4fc511bb07efc6b60d2bd8086", + "sha256": "e6fecbbaa834a04e699f62857b0e60f7e8c9bb3cb40d033165265ace22ac1cbb", "type": "eql", - "version": 109 + "version": 110 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "min_stack_version": "8.8", @@ -559,9 +559,9 @@ "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.3", "rule_name": "MsBuild Making Network Connections", - "sha256": "701a943332292d3362c7d6526d2424e65e81768d57a45e983232712722f31a98", + "sha256": "c8013d923873ed418f022b29c77bb4c548a392af89e2a3cd747186d534386880", "type": "eql", - "version": 108 + "version": 109 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "min_stack_version": "8.6", @@ -661,9 +661,9 @@ } }, "rule_name": "AWS RDS Snapshot Export", - "sha256": "8ad9d6381bc6ad8046516f5f50cdc304ccb0958161af21a171928b95088b6b17", + "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c", "type": "query", - "version": 205 + "version": 206 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", @@ -697,9 +697,9 @@ } }, "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "ee7d0fde7179ecae486163263d6baf71e90dd5e6048b4db1674a4d4eff6f2975", + "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7", "type": "query", - "version": 205 + "version": 206 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", @@ -771,9 +771,9 @@ "12de29d4-bbb0-4eef-b687-857e8a163870": { "min_stack_version": "8.3", "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "6a69ca21111665ced0b0cc269c53ac00d37ac29fccb5d3e5d04abe8e0de046d6", + "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", "type": "eql", - "version": 2 + "version": 3 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.3", @@ -826,9 +826,9 @@ "14dab405-5dd9-450c-8106-72951af2391f": { "min_stack_version": "8.3", "rule_name": "Office Test Registry Persistence", - "sha256": "dfc7bc44c6f6d34fee6331a065d25992ba9f2cb18ddddf1d91a9c581eb4f15b8", + "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", "type": "eql", - "version": 2 + "version": 3 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "min_stack_version": "8.4", @@ -856,9 +856,9 @@ "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "min_stack_version": "8.3", "rule_name": "Execution from a Removable Media with Network Connection", - "sha256": "59fddcae552c2d4781435a2f28a96e640148621b9b484f76e9ac48786281e4bc", + "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", "type": "eql", - "version": 2 + "version": 3 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.3", @@ -921,9 +921,9 @@ } }, "rule_name": "AWS IAM Group Creation", - "sha256": "b97182b40fec27cf6728746f838be74ee2cf5ebee183fc5d0f6eaf338b7d90a3", + "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1", "type": "query", - "version": 205 + "version": 206 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "min_stack_version": "8.3", @@ -1078,9 +1078,9 @@ } }, "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "dd01a147a8898a4f6c696c83a4c436bf0325ab7552a03039d7cd71ff0b6c00dc", + "sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b", "type": "query", - "version": 208 + "version": 209 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.3", @@ -1115,30 +1115,39 @@ } }, "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "95e2cb6322ef7b2d7bc2fc96460cbfcb4c76f0eb17351a134c783936996adab0", + "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d", "type": "query", - "version": 205 + "version": 206 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "adb03450ce940d93270413ee4211f33bcbefbc94ec549c6de5d858270806b036", + "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516", "type": "eql", - "version": 10 + "version": 11 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "min_stack_version": "8.3", "rule_name": "Potential Process Injection from Malicious Document", - "sha256": "585cc415f1c54e220db615a5f052321909100ebc7b9e63b944e6b19a6a4e6404", + "sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1", "type": "eql", - "version": 1 + "version": 2 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { - "min_stack_version": "8.3", + "min_stack_version": "8.8", + "previous": { + "8.3": { + "max_allowable_version": 211, + "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", + "sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45", + "type": "query", + "version": 112 + } + }, "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", "type": "query", - "version": 111 + "version": 212 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", @@ -1164,9 +1173,9 @@ "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "60a215ef5aa075a861936f82ee97680319d20350b0ea4856cbea6c57fb9d2a51", + "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", "type": "eql", - "version": 107 + "version": 108 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "min_stack_version": "8.10", @@ -1178,16 +1187,16 @@ "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", - "sha256": "832060e257db6ee9888b735d2c5547f3a6f1f10f262604b9222ddd3ea1c16ccf", + "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", "type": "eql", - "version": 109 + "version": 110 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "min_stack_version": "8.3", "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "d08e975b8630d786933967d9de847dfbdd6fc6a5447715691a1a27ee3b22198a", + "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", "type": "eql", - "version": 107 + "version": 108 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "min_stack_version": "8.3", @@ -1213,9 +1222,9 @@ "1defdd62-cd8d-426e-a246-81a37751bb2b": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "9a227ba0760d3b8989f89767b53f66fd4968b5f2e9b34006af48b1e5d9b7cb32", + "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", "type": "eql", - "version": 107 + "version": 108 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { "min_stack_version": "8.3", @@ -1236,9 +1245,9 @@ } }, "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "e88e967f368a84359155555ed5b6de403b41fba8223ea19c9b7449a06e834192", + "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1", "type": "query", - "version": 106 + "version": 107 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "min_stack_version": "8.3", @@ -1257,9 +1266,9 @@ "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "min_stack_version": "8.3", "rule_name": "Creation of SettingContent-ms Files", - "sha256": "c4d1ee33d81051c5ff7f08405dd13f19bbce0e914ff0b347df5862b2f40d568d", + "sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed", "type": "eql", - "version": 2 + "version": 3 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { "min_stack_version": "8.8", @@ -1285,9 +1294,9 @@ "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "min_stack_version": "8.3", "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "7d596dca903c48dde13a6b90746947628693b11dd9140e3eb89ca6eba10ae966", + "sha256": "3e850845c9653b3956dd9ccfe15415b8f6399a899dd58c87a592f2ae81b921de", "type": "eql", - "version": 1 + "version": 2 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "8.3", @@ -1299,9 +1308,9 @@ "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "81d0001b73c9d80fde270c788e6a904cc6c3b79db4c4aed85323e65d2440ef94", + "sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e", "type": "eql", - "version": 110 + "version": 111 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "min_stack_version": "8.3", @@ -1343,9 +1352,9 @@ } }, "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "7512cf97f8885a42febe293ecc8c04d77f6369d4ba87372fcd3ef38a204f9af3", + "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", "type": "query", - "version": 205 + "version": 206 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", @@ -1357,9 +1366,9 @@ "205b52c4-9c28-4af4-8979-935f3278d61a": { "min_stack_version": "8.3", "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "6178ac16e7a1b92253a4eae0123a253627554a9bb2d28ac941328fb97f5250dc", + "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", "type": "eql", - "version": 1 + "version": 2 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "min_stack_version": "8.3", @@ -1377,9 +1386,9 @@ "210d4430-b371-470e-b879-80b7182aa75e": { "min_stack_version": "8.3", "rule_name": "Mofcomp Activity", - "sha256": "d42c6a1889b42bcd83cb46d9838038cfd4248b792d5fef1abc4cedc81b269d4a", + "sha256": "a7bd50e06e9eecee6eb4de339db9e9e7ffc5b08ce32a9bc2a119b2aa4f2fdf45", "type": "eql", - "version": 1 + "version": 2 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "min_stack_version": "8.3", @@ -1437,9 +1446,9 @@ } }, "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "7804226b0da1b8d6dde3bbfed024feab1da6c23e091dfa55852b50309f4dd9fe", + "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", "type": "query", - "version": 206 + "version": 207 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "min_stack_version": "8.3", @@ -1604,9 +1613,9 @@ "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "f282273c006e841c6c64f909e05053110d210e1205f0a504977cd4e701a175a7", + "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", "type": "eql", - "version": 108 + "version": 109 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "min_stack_version": "8.3", @@ -1634,9 +1643,9 @@ "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", - "sha256": "bd56a7406f9eb92ed5ae5f56f3b907b56ac2f13892cb6f81d1fc8810651fbedb", + "sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7", "type": "eql", - "version": 113 + "version": 114 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.3", @@ -1691,9 +1700,9 @@ } }, "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "f057a319aa5b049290fa8416727ae3ef64bb9ac7779901a61713efe9acef57da", + "sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c", "type": "query", - "version": 205 + "version": 206 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.3", @@ -1883,9 +1892,9 @@ "2e311539-cd88-4a85-a301-04f38795007c": { "min_stack_version": "8.3", "rule_name": "Accessing Outlook Data Files", - "sha256": "143b6346fd2ca02b863de7457499fe60da116e99bc385dce6d07aa870d1e2054", + "sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d", "type": "eql", - "version": 1 + "version": 2 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "min_stack_version": "8.10", @@ -1939,9 +1948,9 @@ "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "min_stack_version": "8.3", "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "c77de421e7a60ec97356465d4a834fc49fed6b0b7ae28debbac3786b07459d62", + "sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", "type": "eql", - "version": 108 + "version": 109 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.3", @@ -2053,9 +2062,9 @@ } }, "rule_name": "AWS IAM User Addition to Group", - "sha256": "e6dc79527703135b1ce027a5d88baa39dd4c3512d0a5f56a036b8a27eab4ee81", + "sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46", "type": "query", - "version": 208 + "version": 209 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { "min_stack_version": "8.5", @@ -2067,9 +2076,9 @@ "33f306e8-417c-411b-965c-c2812d6d3f4d": { "min_stack_version": "8.3", "rule_name": "Remote File Download via PowerShell", - "sha256": "0843453e23fff6268308485d859e6668867b85c5cf0ed912c931d28d040ca4f7", + "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", "type": "eql", - "version": 109 + "version": 110 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "min_stack_version": "8.8", @@ -2173,9 +2182,9 @@ } }, "rule_name": "AWS RDS Security Group Creation", - "sha256": "6ed9dc7097e846293dbf822a322406b46fcbd9d6642245a4dfbc73aabd62537b", + "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", "type": "query", - "version": 205 + "version": 206 }, "37994bca-0611-4500-ab67-5588afe73b77": { "min_stack_version": "8.3", @@ -2202,9 +2211,9 @@ } }, "rule_name": "AWS Execution via System Manager", - "sha256": "f01c87073629652bd0f1abe3f300881145bb533a262308717ffcc0bab17a3dd0", + "sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e", "type": "query", - "version": 208 + "version": 209 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.3", @@ -2232,9 +2241,9 @@ "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.3", "rule_name": "Network Connection via Certutil", - "sha256": "5414bbe55d4a1b7968cdfe547ef66a16e2ea14fb2d57b9e982376fececd8c951", + "sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612", "type": "eql", - "version": 110 + "version": 111 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "min_stack_version": "8.3", @@ -2269,16 +2278,16 @@ } }, "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "ad7864116d4d41fba90af76f8325d2a86358ed55b0b9be7204d8983cc62b2614", + "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee", "type": "query", - "version": 205 + "version": 206 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { "min_stack_version": "8.3", "rule_name": "Downloaded Shortcut Files", - "sha256": "362ab87565072831948627491a1ba91889340030ce6f1438122322ffa57acb5d", + "sha256": "a78fe7706bba28d2e8916c6285d2aa614ab127534029912e8e9ad9ab133792dc", "type": "eql", - "version": 1 + "version": 2 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "min_stack_version": "8.3", @@ -2391,9 +2400,9 @@ } }, "rule_name": "AWS CloudTrail Log Updated", - "sha256": "889bfc3e221a4919949c2b2fab1b12ee9a96a75c27e1e249c243318f7bd81063", + "sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262", "type": "query", - "version": 208 + "version": 209 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { "min_stack_version": "8.9", @@ -2426,9 +2435,9 @@ "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "min_stack_version": "8.3", "rule_name": "Potential Remote File Execution via MSIEXEC", - "sha256": "0fb96a14a8d3a0b8997c74edf2be7897a1b81413fae271d17d5fda854048013e", + "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684", "type": "eql", - "version": 2 + "version": 3 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.3", @@ -2651,9 +2660,9 @@ "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as VLC DLL", - "sha256": "ed65c5d1379b83e560f4fa24ff1f51887de783c7e8f3fc329b717a14700a859c", + "sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb", "type": "eql", - "version": 2 + "version": 3 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "min_stack_version": "8.3", @@ -2792,9 +2801,9 @@ "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "min_stack_version": "8.3", "rule_name": "Remote XSL Script Execution via COM", - "sha256": "d4882ff69ab688f9fca0f0a882c05bf12a3ff514316d6e48ea51e1083291d3d3", + "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", "type": "eql", - "version": 2 + "version": 3 }, "493834ca-f861-414c-8602-150d5505b777": { "min_stack_version": "8.3", @@ -2836,9 +2845,9 @@ "4982ac3e-d0ee-4818-b95d-d9522d689259": { "min_stack_version": "8.3", "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "37099aca1b1bdce63f77e75103ff60a0d61898af8036c43eaa2f4d672bd326dd", + "sha256": "3760e37b4f14a48147ffb42a0e6ac8615c7a41564dcffc483719244adf4aac52", "type": "eql", - "version": 3 + "version": 4 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "min_stack_version": "8.3", @@ -2929,9 +2938,9 @@ } }, "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "4d3e2e99bc3f1b8cc5fc76a37bc23ff9e7a01b972e0c6ae67f78d0df8e43fedb", + "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", "type": "threshold", - "version": 206 + "version": 207 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "min_stack_version": "8.3", @@ -3008,9 +3017,9 @@ "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.3", "rule_name": "Windows System Information Discovery", - "sha256": "2c0c54011671e9e99d2654529520c137188a4bbcf8feb0beb28c196f0525d88e", + "sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273", "type": "eql", - "version": 3 + "version": 4 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { "min_stack_version": "8.3", @@ -3059,9 +3068,9 @@ "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "3bb0daad18a9bb9f1c5014056a849623263d9a097b91b0a8e5d52ea4d636131a", + "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", "type": "eql", - "version": 107 + "version": 108 }, "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "min_stack_version": "8.3", @@ -3082,9 +3091,9 @@ } }, "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "238e31f86ad8ffd8ec077358374a122a8c7bbee39ce994f761ad3441be820a9c", + "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", "type": "query", - "version": 205 + "version": 206 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "min_stack_version": "8.3", @@ -3103,9 +3112,9 @@ "52aaab7b-b51c-441a-89ce-4387b3aea886": { "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "40ece191efd016ebfb044b7230e0f376d6a8aa416a6e0fde39cbee724c7bef0f", + "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", "type": "eql", - "version": 108 + "version": 109 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "min_stack_version": "8.3", @@ -3152,9 +3161,9 @@ } }, "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "28f9744c81cfffbf8417f66ee1911ac9da89e9e352c5db4f0af9d725cd73c907", + "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", "type": "query", - "version": 205 + "version": 206 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "min_stack_version": "8.3", @@ -3180,9 +3189,9 @@ "53dedd83-1be7-430f-8026-363256395c8b": { "min_stack_version": "8.3", "rule_name": "Binary Content Copy via Cmd.exe", - "sha256": "8ece78d3d804106f87c006fdd8a027648880338a3a56c52e28a393d8f18aff40", + "sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43", "type": "eql", - "version": 2 + "version": 3 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.3", @@ -3224,9 +3233,9 @@ "55d551c6-333b-4665-ab7e-5d14a59715ce": { "min_stack_version": "8.3", "rule_name": "PsExec Network Connection", - "sha256": "9027e8682b8b7ad7e0aaf6ae8383aab2fe403067262c1ff87cfcd7606334fcf0", + "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", "type": "eql", - "version": 108 + "version": 109 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { "min_stack_version": "8.3", @@ -3305,9 +3314,9 @@ } }, "rule_name": "Execution of an Unsigned Service", - "sha256": "67ac84282d2bc8987b76b1e8952870cc1ca8a5f6e785c58287418e2891195912", + "sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9", "type": "new_terms", - "version": 104 + "version": 105 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "min_stack_version": "8.3", @@ -3340,9 +3349,9 @@ "57bccf1d-daf5-4e1a-9049-ff79b5254704": { "min_stack_version": "8.3", "rule_name": "File Staged in Root Folder of Recycle Bin", - "sha256": "88ae25fb6df6c66c976902e4f17c39a5af63c217bb4aa298e7f898b003fa484d", + "sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408", "type": "eql", - "version": 2 + "version": 3 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.3", @@ -3368,9 +3377,9 @@ "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "min_stack_version": "8.3", "rule_name": "Potential Lateral Tool Transfer via SMB Share", - "sha256": "a9ada00d22041e1fc97021dfb923cb62dfcafe5849324b04534f7c53a65903d4", + "sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08", "type": "eql", - "version": 107 + "version": 108 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "min_stack_version": "8.3", @@ -3382,9 +3391,9 @@ "5919988c-29e1-4908-83aa-1f087a838f63": { "min_stack_version": "8.3", "rule_name": "File or Directory Deletion Command", - "sha256": "f9ebc148c3faecff5518d839295aa1dbefa51d7ba038dc12a382d2c27dff3458", + "sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a", "type": "eql", - "version": 2 + "version": 3 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "min_stack_version": "8.8", @@ -3414,9 +3423,9 @@ } }, "rule_name": "AWS CloudTrail Log Created", - "sha256": "84221ea6d1d7084ea241331b852a80ca276abc757430ea68253a3add4daca7a4", + "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7", "type": "query", - "version": 206 + "version": 207 }, "59756272-1998-4b8c-be14-e287035c4d10": { "min_stack_version": "8.3", @@ -3484,9 +3493,9 @@ "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Browser Process", - "sha256": "2d94e33407ad1d25db5a4b56b151dc596b9c6ea33d2cba827569ae0b97f87ca1", + "sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5", "type": "eql", - "version": 3 + "version": 4 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.3", @@ -3507,9 +3516,9 @@ } }, "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "333f27913815c1e4ec223cb266bc34cfadb31ac1a598d1fac7a8de01ac3abd9b", + "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", "type": "query", - "version": 205 + "version": 206 }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "min_stack_version": "8.11", @@ -3563,9 +3572,9 @@ "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.3", "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "347fd2258a98937fc06440446d38f771f9d3df4b733661fc32c8df5a556b2c76", + "sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef", "type": "eql", - "version": 107 + "version": 108 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.3", @@ -3673,9 +3682,9 @@ "610949a1-312f-4e04-bb55-3a79b8c95267": { "min_stack_version": "8.3", "rule_name": "Unusual Process Network Connection", - "sha256": "4a08fcb6969163f3185960eff8e6f857bccc8b6b58bb4012c974122f821c8433", + "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", "type": "eql", - "version": 107 + "version": 108 }, "61336fe6-c043-4743-ab6e-41292f439603": { "min_stack_version": "8.3", @@ -3730,9 +3739,9 @@ "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "9aeb2b172981c284928fcafa5ba3a36cf1ad533f528d660525e3565ab131fe7a", + "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", "type": "eql", - "version": 106 + "version": 107 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.3", @@ -3772,9 +3781,9 @@ "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.3", "rule_name": "Network Connection via Signed Binary", - "sha256": "938d227bdd5dac89d120e5dc8e065081e1a1a3b549923b3897447a2293306f15", + "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", "type": "eql", - "version": 107 + "version": 108 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "min_stack_version": "8.3", @@ -3850,9 +3859,9 @@ "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "8e989fcdb846e7c3c657728af8bbcfd54fd55209fe4cea539ff6aa9eaad2360e", + "sha256": "e84ba56d6d8e91ca39c85b7d46288b10add00a1a5c9fffae67a1f5212410be6b", "type": "eql", - "version": 111 + "version": 112 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "min_stack_version": "8.3", @@ -4007,9 +4016,9 @@ "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.3", "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "7c8ed46851e8daee3bb76f18182fe1a8fdd9ab9833804cc6172b5d8641cd8438", + "sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c", "type": "eql", - "version": 106 + "version": 107 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "min_stack_version": "8.9", @@ -4023,9 +4032,9 @@ } }, "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "6c4325ced0b53d29535ee5afd746cd09fd120823f660b5bd3518ca50fadca146", + "sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399", "type": "query", - "version": 208 + "version": 209 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "min_stack_version": "8.3", @@ -4053,9 +4062,9 @@ } }, "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "62a819dfff5aff4d9a71c1af4dbee137aa6d96683a906088769effac0fdbd8b1", + "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", "type": "query", - "version": 105 + "version": 106 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "min_stack_version": "8.5", @@ -4092,9 +4101,9 @@ } }, "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "31f084b4192870ca6c93d341a1f9e6d9eecaaefe046fcf6687209ec23866edf3", + "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", "type": "query", - "version": 205 + "version": 206 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.3", @@ -4206,16 +4215,16 @@ "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.3", "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "cb67e6c4131d3fc5f1752e2baee22974dcdc21c1583a9c159732462b3d7f074f", + "sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3", "type": "eql", - "version": 107 + "version": 108 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", - "sha256": "dc54aa513d06e0bce6794ccd0fff26f4918902cd8733faed3f9752ecb27d5f3a", + "sha256": "191d08e949cb9f57e2853a307b82f336896da072f4dea0054f301ee50bebfd89", "type": "eql", - "version": 110 + "version": 111 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", @@ -4277,9 +4286,9 @@ } }, "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "6eb194ad10e7ea8d3c8547593a150c60eda885a07be0a3dc57dab3dc0d993314", + "sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9", "type": "query", - "version": 208 + "version": 209 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "min_stack_version": "8.9", @@ -4293,16 +4302,16 @@ } }, "rule_name": "AWS Config Resource Deletion", - "sha256": "16521ebadcb6ecd1ffe3b12756c604b96cf8b5daedd95eeec1e1fd2eef096dd9", + "sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f", "type": "query", - "version": 208 + "version": 209 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via MSIEXEC", - "sha256": "934721c56a14fb6b1ea672f4cedb14eae9cdafb81a8e9bf35230f542a602740f", + "sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846", "type": "eql", - "version": 1 + "version": 2 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "min_stack_version": "8.3", @@ -4461,9 +4470,9 @@ "75dcb176-a575-4e33-a020-4a52aaa1b593": { "min_stack_version": "8.3", "rule_name": "Service Disabled via Registry Modification", - "sha256": "c653ba7a8ebd99c0b7c04528b1b96f4449c827220889523a00d2f33355290e21", + "sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a", "type": "eql", - "version": 2 + "version": 3 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "min_stack_version": "8.3", @@ -4621,9 +4630,9 @@ "79124edf-30a8-4d48-95c4-11522cad94b1": { "min_stack_version": "8.3", "rule_name": "File Compressed or Archived into Common Format", - "sha256": "be9ac3680ee5c8c008e6e5def969d5d0bebc37f8c3be3d8e1cc2cc215cc3e33b", + "sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555", "type": "eql", - "version": 3 + "version": 4 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "min_stack_version": "8.3", @@ -4635,9 +4644,9 @@ "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as System32 Executable", - "sha256": "1943ef42d3d41a9bb7d30423c06e9e6f16b6f75bb01a8658560bbae4295466fa", + "sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912", "type": "eql", - "version": 3 + "version": 4 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.3", @@ -4691,16 +4700,16 @@ } }, "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "05d7545eb5be8c088900939645d5a75858e48029b72b2926c878627697576a85", + "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", "type": "query", - "version": 205 + "version": 206 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", - "sha256": "73a7d70a9efe2589929e776414b415cf7f3b9baf7d9fd4340955d09517d930a7", + "sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855", "type": "eql", - "version": 110 + "version": 111 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.8", @@ -4764,9 +4773,9 @@ "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "8f53ee79caceff82b54ee596c4fd3e6377d1ddb889f1ff41a0b6e2c0ce1c37dc", + "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", "type": "eql", - "version": 108 + "version": 109 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "min_stack_version": "8.6", @@ -4810,16 +4819,16 @@ "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "min_stack_version": "8.3", "rule_name": "Unusual Process Extension", - "sha256": "849158b9fff15cf3e795600d5fe440fb36196a94c269e1824b18a91c2981e613", + "sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a", "type": "eql", - "version": 3 + "version": 4 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "min_stack_version": "8.3", "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", - "sha256": "e07fdca00c03cede7dcd07d161752b6a5fa31a5987779dde490803e67071a0f7", + "sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4", "type": "eql", - "version": 1 + "version": 2 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "min_stack_version": "8.9", @@ -4924,9 +4933,9 @@ "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": "4383cbf7c18295b3e2ac4e14842000dc2ceae22523d545c4d807d0ad1e41d2db", + "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", "type": "query", - "version": 4 + "version": 5 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "min_stack_version": "8.3", @@ -4977,9 +4986,9 @@ } }, "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "f9a3ba3b45d5b33b1e73c806495b984233a6b2bc200082fc945fa31d8fea41be", + "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", "type": "query", - "version": 205 + "version": 206 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "min_stack_version": "8.9", @@ -4993,9 +5002,9 @@ } }, "rule_name": "AWS RDS Security Group Deletion", - "sha256": "0c9d4de210e608efca7e588b59eeb71ca5f96b5b20c083daee0e8d4035f0cd32", + "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", "type": "query", - "version": 205 + "version": 206 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "min_stack_version": "8.9", @@ -5009,9 +5018,9 @@ } }, "rule_name": "AWS IAM Group Deletion", - "sha256": "f4898405685170f2b55f69bcde2b41a0cb8b861ef6040f86e3257bf0abf93383", + "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", "type": "query", - "version": 205 + "version": 206 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "min_stack_version": "8.3", @@ -5046,9 +5055,9 @@ } }, "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "bf5d21e0ace96205fd8f8db491ac9d75625ef089e4f5b3499d4a4209268f9719", + "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", "type": "query", - "version": 205 + "version": 206 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", @@ -5125,9 +5134,9 @@ "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.3", "rule_name": "Command Prompt Network Connection", - "sha256": "1b88c2b79976a9550252e384b74a0b8301dc8ac07eee5df05231dfe40e6181b7", + "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", "type": "eql", - "version": 107 + "version": 108 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "min_stack_version": "8.3", @@ -5248,9 +5257,9 @@ "8c81e506-6e82-4884-9b9a-75d3d252f967": { "min_stack_version": "8.3", "rule_name": "Potential SharpRDP Behavior", - "sha256": "b6a8ffcc1a8ee2a11059084442b0318bebe5bc120cfafa14f65b4e1d7b321062", + "sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda", "type": "eql", - "version": 105 + "version": 106 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "min_stack_version": "8.3", @@ -5262,16 +5271,16 @@ "8cb84371-d053-4f4f-bce0-c74990e28f28": { "min_stack_version": "8.3", "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "1fa94ce682e693433be3558f19ee8c0d0122db6f6970169bb1cf5775d97f9002", + "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", "type": "eql", - "version": 10 + "version": 11 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "min_stack_version": "8.3", "rule_name": "File with Suspicious Extension Downloaded", - "sha256": "e41fc833a05de05b304b09e2ec0982c3dd204b76ba262d05796e49162ea088ef", + "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0", "type": "eql", - "version": 2 + "version": 3 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "8.8", @@ -5297,16 +5306,16 @@ "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "min_stack_version": "8.3", "rule_name": "Potential Outgoing RDP Connection by Unusual Process", - "sha256": "4d2494baa6fceb73dd108e6e1c5f1584cb2577a49f8edea428ac9b6d5f49ae88", + "sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459", "type": "eql", - "version": 2 + "version": 3 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "min_stack_version": "8.3", "rule_name": "Bitsadmin Activity", - "sha256": "c07d18b1bad6186dd2af856dbf2362d78f773b50369e7044b1e1329cc0f23cce", + "sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b", "type": "eql", - "version": 1 + "version": 2 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "min_stack_version": "8.3", @@ -5325,9 +5334,9 @@ "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.3", "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "255640fff5ed7925f70536c53d8938bf0533206a892d48e893a058e93a20b979", + "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", "type": "eql", - "version": 106 + "version": 107 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "min_stack_version": "8.3", @@ -5361,9 +5370,9 @@ } }, "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "52ad2c61bc4217845afa6a13fe3e23cd405324f6bc6779b2ed3a21ecda615e14", + "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", "type": "query", - "version": 205 + "version": 206 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "min_stack_version": "8.3", @@ -5375,9 +5384,9 @@ "90babaa8-5216-4568-992d-d4a01a105d98": { "min_stack_version": "8.3", "rule_name": "InstallUtil Activity", - "sha256": "c1312553a07dda6fa6995c57f31922c18dbb00fe5becd831c6d1bb4246bad8c0", + "sha256": "b3e654521bd77a07433f951786a8b37f3f4bb9ef9459f8cbfd080af927ebf5f9", "type": "eql", - "version": 1 + "version": 2 }, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", @@ -5404,9 +5413,9 @@ } }, "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "ecd61bd19c50c09347fdf33fed3a2f8ec9fc77dec053398a5b62f534e297ebdb", + "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", "type": "query", - "version": 205 + "version": 206 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "8.3", @@ -5478,9 +5487,9 @@ } }, "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "b0edd6d0742b92fa2ebe2c3d5ea02c63f8a1edffe0b0f53320b86ed419ab8fb8", + "sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860", "type": "query", - "version": 205 + "version": 206 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "min_stack_version": "8.6", @@ -5510,9 +5519,9 @@ } }, "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "408b41a86252884a996ece1031334c7b73d4870202ad4a65c1a74d5392ad3454", + "sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6", "type": "query", - "version": 208 + "version": 209 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", @@ -5600,9 +5609,9 @@ "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.3", "rule_name": "Remote Scheduled Task Creation", - "sha256": "13fe787d37ebef87d8d7877e4cfa4ff487b7a7929a8ab437a22dd341c40db27a", + "sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80", "type": "eql", - "version": 107 + "version": 108 }, "959a7353-1129-4aa7-9084-30746b256a70": { "min_stack_version": "8.3", @@ -5704,9 +5713,9 @@ } }, "rule_name": "AWS SAML Activity", - "sha256": "6205667e0b3ffc035feaf7ed17e089eb50ab5ff04926b74e65bb83f73d79af8d", + "sha256": "37af41b152c5085758547bee67d9f0387f5f07fcba690c925338905f100cc43d", "type": "query", - "version": 205 + "version": 206 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.10", @@ -5767,9 +5776,9 @@ "98843d35-645e-4e66-9d6a-5049acd96ce1": { "min_stack_version": "8.3", "rule_name": "Indirect Command Execution via Forfiles/Pcalua", - "sha256": "c01ebbcea37de715c7c123e6eac64a6049906339a0d60bf1f146d677061bbea5", + "sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416", "type": "eql", - "version": 1 + "version": 2 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "min_stack_version": "8.3", @@ -5806,9 +5815,9 @@ } }, "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "3c5613df7cc89e9a173b0632a5db11d02b917f05f3c24cb3d44c416a679a4056", + "sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1", "type": "query", - "version": 208 + "version": 209 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "min_stack_version": "8.3", @@ -5864,9 +5873,9 @@ "9a3884d0-282d-45ea-86ce-b9c81100f026": { "min_stack_version": "8.3", "rule_name": "Unsigned BITS Service Client Process", - "sha256": "095fc86e65f65030c66df81f286788b89fcf9160e7970ddbb409cc824fc40fd2", + "sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf", "type": "eql", - "version": 1 + "version": 2 }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "min_stack_version": "8.6", @@ -5943,9 +5952,9 @@ "9c951837-7d13-4b0c-be7a-f346623c8795": { "min_stack_version": "8.3", "rule_name": "Potential Enumeration via Active Directory Web Service", - "sha256": "17ac2376542784780fa798b0756416f6c54757e2d72dab6b2ddd28dfd165d3b3", + "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1", "type": "eql", - "version": 1 + "version": 2 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.3", @@ -6009,9 +6018,9 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "62bfa3320a728b9d22e217c934dfbfe064bfd12070d28fd4111d641cdc7c66c8", + "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", "type": "eql", - "version": 109 + "version": 110 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "min_stack_version": "8.6", @@ -6099,9 +6108,9 @@ } }, "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "ef816e620eb5e1c235c15a867cc0e00fcdb617192bd0f3bd48b5bde3c920230a", + "sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e", "type": "new_terms", - "version": 309 + "version": 310 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.3", @@ -6127,9 +6136,9 @@ "a13167f1-eec2-4015-9631-1fee60406dcf": { "min_stack_version": "8.3", "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "e5c1b36f03917a30397453769b11a6d01559d9007fd76710654f23e9d0422ac1", + "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", "type": "eql", - "version": 106 + "version": 107 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "min_stack_version": "8.3", @@ -6176,9 +6185,9 @@ "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "min_stack_version": "8.3", "rule_name": "Linux Group Creation", - "sha256": "85d788ae6caafcb45540c9a97804b5cd443104831fdd74e17fdf1526979f6fc2", + "sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7", "type": "eql", - "version": 4 + "version": 5 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.3", @@ -6270,9 +6279,9 @@ } }, "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "10f0e0afc0e8f51f1c37dc1a9885a33dd37e56c43f029b3c5865e4983baefb3a", + "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df", "type": "query", - "version": 208 + "version": 209 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "min_stack_version": "8.3", @@ -6413,9 +6422,9 @@ "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", "rule_name": "Remotely Started Services via RPC", - "sha256": "a1bf5a848d6b73efd9cf627fe30e5f4f04215c6bb8bdd5f29b9e4749d22f7e6c", + "sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8", "type": "eql", - "version": 111 + "version": 112 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "min_stack_version": "8.3", @@ -6434,9 +6443,9 @@ "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", - "sha256": "9d9d197ea4f0b08c172e8d6c9ebbf5dd1ce90db4d68c73badd25410b2187b17b", + "sha256": "8f4c528243e4b7fe54e84e7f66324d47f06fa299e52a0069c9f5d1cdea337050", "type": "eql", - "version": 110 + "version": 111 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.3", @@ -6508,9 +6517,9 @@ "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "min_stack_version": "8.3", "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "b640ecd8355b7fa8945ad7ac3bb3f0a0d80b32741613c7f79c3ed6cfe566f67d", + "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", "type": "eql", - "version": 105 + "version": 106 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "min_stack_version": "8.3", @@ -6586,9 +6595,9 @@ "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "min_stack_version": "8.3", "rule_name": "Suspicious Communication App Child Process", - "sha256": "21910b480ebd6a0ef74d410a04cc389bf6624c492e88f2c65a46efd0138a2592", + "sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c", "type": "eql", - "version": 3 + "version": 4 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "min_stack_version": "8.3", @@ -6656,9 +6665,9 @@ "b0638186-4f12-48ac-83d2-47e686d08e82": { "min_stack_version": "8.3", "rule_name": "Netsh Helper DLL", - "sha256": "a6bceece7403f9bb47478cdb04702271892ebffa4ae4251220da5abbdae44f2b", + "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", "type": "eql", - "version": 1 + "version": 2 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", @@ -6669,9 +6678,9 @@ "b2318c71-5959-469a-a3ce-3a0768e63b9c": { "min_stack_version": "8.3", "rule_name": "Potential Network Share Discovery", - "sha256": "eb213dc86c103363dad386e08221252c0d865f53b002b17fe09c36adb6631ec5", + "sha256": "fda7288ed57e11d03d2af7b74755b704d96c32f3c69abe245de1378438bd144f", "type": "eql", - "version": 2 + "version": 3 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "min_stack_version": "8.3", @@ -6706,9 +6715,9 @@ "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.3", "rule_name": "Network Connection via Compiled HTML File", - "sha256": "5c31d3ee5a1f3110f563ae65789deccfa6e2606645333b1227a8a143988b46e5", + "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", "type": "eql", - "version": 107 + "version": 108 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "min_stack_version": "8.3", @@ -6750,16 +6759,16 @@ } }, "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "1382976ef19290c1857b535d15facff537acd5d5a33e5575372bef70ba4c9090", + "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", "type": "query", - "version": 205 + "version": 206 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "min_stack_version": "8.3", "rule_name": "At.exe Command Lateral Movement", - "sha256": "dd7f70787fff06dbfcdc2556f504ad62feda00ed2e1fa5d7effab3a1be31482f", + "sha256": "041e17a0cd55085d79466cf06aaa8ca81ef2b30a9e42291395534ce27ba0062a", "type": "eql", - "version": 2 + "version": 3 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.10", @@ -6808,9 +6817,9 @@ "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.3", "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "c5c19121debb9cac2f24c3fbf25c74adaa63b84384b8ff4dddc802e7f737f263", + "sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae", "type": "eql", - "version": 108 + "version": 109 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "min_stack_version": "8.3", @@ -6889,9 +6898,9 @@ "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.3", "rule_name": "Network Connection via MsXsl", - "sha256": "3f7d50df91793a78c4c8ebc2a8ee1ee1a99dcbd61338345383e52abce0b51f1d", + "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", "type": "eql", - "version": 105 + "version": 106 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.3", @@ -6989,9 +6998,9 @@ } }, "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "60c1a7d5d2cd24c909689b37015df4508b993bdd925b050e1b45df21a23479ba", + "sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", "type": "query", - "version": 205 + "version": 206 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "min_stack_version": "8.8", @@ -7044,9 +7053,9 @@ } }, "rule_name": "AWS Root Login Without MFA", - "sha256": "8f967af66ccd21f236403f460e274db15d0dab8e769626d091f26ddba123de07", + "sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157", "type": "query", - "version": 208 + "version": 209 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "min_stack_version": "8.3", @@ -7086,9 +7095,9 @@ "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { "min_stack_version": "8.3", "rule_name": "File and Directory Permissions Modification", - "sha256": "cd8d1d1e784ddc62a5db564994d9192996555133c9273a6f1b4384a76249ec0e", + "sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139", "type": "eql", - "version": 1 + "version": 2 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "min_stack_version": "8.3", @@ -7114,9 +7123,9 @@ "bd3d058d-5405-4cee-b890-337f09366ba2": { "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via CMSTP.exe", - "sha256": "b31ac8c754822d3baf70384a75f0a66fc861ddb3ce0a3f8c40474fb161ea8306", + "sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b", "type": "eql", - "version": 1 + "version": 2 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.3", @@ -7172,9 +7181,9 @@ } }, "rule_name": "AWS RDS Snapshot Restored", - "sha256": "31690f503f33025d8d634b7c33d01adff504c8c0cdfbeab6519116149937669e", + "sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f", "type": "query", - "version": 205 + "version": 206 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "min_stack_version": "8.3", @@ -7214,9 +7223,9 @@ "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "min_stack_version": "8.3", "rule_name": "Memory Dump File with Unusual Extension", - "sha256": "d6064fcc8c3a68d8ecb16d376fef04353be367b0f897433bc82b46a6569f0eb5", + "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", "type": "eql", - "version": 1 + "version": 2 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "min_stack_version": "8.3", @@ -7244,9 +7253,9 @@ } }, "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "53d6e6b5dc3942bb911622ffd2582ed4e8a3bff445df0e269aba07ed320f34e8", + "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", "type": "query", - "version": 205 + "version": 206 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "min_stack_version": "8.4", @@ -7260,9 +7269,9 @@ } }, "rule_name": "Unsigned DLL Loaded by a Trusted Process", - "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", + "sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43", "type": "eql", - "version": 101 + "version": 102 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.3", @@ -7295,9 +7304,9 @@ "c2d90150-0133-451c-a783-533e736c12d7": { "min_stack_version": "8.3", "rule_name": "Mshta Making Network Connections", - "sha256": "c3f61a5354e0122350afca10c2552cf9d657bb9f056b48d165a1401820d7ceff", + "sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5", "type": "eql", - "version": 106 + "version": 107 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "min_stack_version": "8.3", @@ -7337,30 +7346,30 @@ "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "min_stack_version": "8.3", "rule_name": "Windows System Network Connections Discovery", - "sha256": "16cd4b39c59281f69407d88a2f0bbadab7ac9d1408c9e0c6e5400a92f25898d9", + "sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4", "type": "eql", - "version": 3 + "version": 4 }, "c55badd3-3e61-4292-836f-56209dc8a601": { "min_stack_version": "8.3", "rule_name": "Attempted Private Key Access", - "sha256": "5381a29dcefb0cee21b24a6b62d7d0d3e2a287eea7433b36fe1c6851204841a8", + "sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c", "type": "eql", - "version": 2 + "version": 3 }, "c5677997-f75b-4cda-b830-a75920514096": { "min_stack_version": "8.3", "rule_name": "Service Path Modification via sc.exe", - "sha256": "7caa1e811b55ed98053fe152b172e60b4cd16b518423dd231768da1dafb2af8d", + "sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862", "type": "eql", - "version": 2 + "version": 3 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "c9fb9f5a4348ebdf5017702511017d62bed61f46499299e4abd56602815228e3", + "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", "type": "eql", - "version": 108 + "version": 109 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "min_stack_version": "8.3", @@ -7445,9 +7454,9 @@ "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.3", "rule_name": "Unusual Network Connection via DllHost", - "sha256": "f54fee3b089a5de904d42af0584c381e9c2061bc3467251f0da4fb74dafe891a", + "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", "type": "eql", - "version": 106 + "version": 107 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "min_stack_version": "8.4", @@ -7496,9 +7505,9 @@ "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "min_stack_version": "8.3", "rule_name": "Direct Outbound SMB Connection", - "sha256": "2aae80db3c5ce4330cf16e46ae51d5f30f8b1f6daf03d46e89140bd829f2a83b", + "sha256": "a30cf230b1215a2e0fd884167dfbb8fd92e5b63fa7a5cb2c9e9a8a306316de4d", "type": "eql", - "version": 109 + "version": 110 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "min_stack_version": "8.3", @@ -7735,9 +7744,9 @@ "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "min_stack_version": "8.3", "rule_name": "Downloaded URL Files", - "sha256": "3b2b2822568470b436f1a1db2ca7db260343faeb5f156b1b3b697a4393137938", + "sha256": "1a31489f793c58d433963910d8327747a3e7824bf11685358836a38183e8aca0", "type": "eql", - "version": 1 + "version": 2 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.10", @@ -7848,9 +7857,9 @@ "cffbaf47-9391-4e09-a83c-1f27d7474826": { "min_stack_version": "8.3", "rule_name": "Archive File with Unusual Extension", - "sha256": "6fc1f60a466fb9cafbd52086ffba78f59d5ba996e6301563a12e09205b193e84", + "sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3", "type": "eql", - "version": 1 + "version": 2 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "min_stack_version": "8.3", @@ -7890,9 +7899,9 @@ "d197478e-39f0-4347-a22f-ba654718b148": { "min_stack_version": "8.3", "rule_name": "Compression DLL Loaded by Unusual Process", - "sha256": "8ec13c2f3c6784d7cfe3f314135c8c4c8afe0087deb18c62bcdf5b41db55f5f2", + "sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce", "type": "eql", - "version": 2 + "version": 3 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", @@ -7931,9 +7940,9 @@ "d3551433-782f-4e22-bbea-c816af2d41c6": { "min_stack_version": "8.3", "rule_name": "WMI WBEMTEST Utility Execution", - "sha256": "687d0e851309a066fb0d13b00750846d62e6da9fca5b2a80f9f8b6864ada9b76", + "sha256": "76b2081709ea9b401fc695d779a14dfa839fbd99eb19c8510b2ea6c5f7e7b4f4", "type": "eql", - "version": 1 + "version": 2 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "min_stack_version": "8.3", @@ -8026,9 +8035,9 @@ "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.3", "rule_name": "Service Command Lateral Movement", - "sha256": "b00b67bc85c0c677343773dfaa0854b7446ae708afc4f763af9dc2ff9b7af24e", + "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", "type": "eql", - "version": 106 + "version": 107 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "min_stack_version": "8.9", @@ -8042,9 +8051,9 @@ } }, "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "5bc55e01a217a6d8069b08e636d1e12080f2a96b645cc68f8f33806d04a820ee", + "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578", "type": "query", - "version": 208 + "version": 209 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "min_stack_version": "8.3", @@ -8062,9 +8071,9 @@ "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "d6f6ee5a3f017bfc82533f80fc4c74894dc3a406cae5a4f48f246b31511dfa75", + "sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641", "type": "eql", - "version": 9 + "version": 10 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "min_stack_version": "8.8", @@ -8157,9 +8166,9 @@ "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "min_stack_version": "8.3", "rule_name": "Untrusted Driver Loaded", - "sha256": "2caaa3d2f80549be9ff1f1641f9f9f202ecdadf6b83b01fa9486affa8bdb566f", + "sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8", "type": "eql", - "version": 7 + "version": 8 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "min_stack_version": "8.9", @@ -8173,9 +8182,9 @@ } }, "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "7e7bcfe14adab55f0ac9ab6478a826ff0dff7b31efe686b94a1bbf30d730bdd6", + "sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906", "type": "query", - "version": 208 + "version": 209 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.3", @@ -8228,9 +8237,9 @@ "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "min_stack_version": "8.3", "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "f4edf52a98e83ab010153cdffb7067610814b7fcc0414bb5e8dcee5bf8d0d3ff", + "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", "type": "eql", - "version": 2 + "version": 3 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "min_stack_version": "8.3", @@ -8343,9 +8352,9 @@ } }, "rule_name": "Query Registry using Built-in Tools", - "sha256": "4f92c23c30b19e9208d921b84d709ec2775f026b2fe995a4ca3644cdf56c2d4f", + "sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd", "type": "new_terms", - "version": 104 + "version": 105 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "min_stack_version": "8.6", @@ -8400,9 +8409,9 @@ "e00b8d49-632f-4dc6-94a5-76153a481915": { "min_stack_version": "8.3", "rule_name": "Delayed Execution via Ping", - "sha256": "dea7cf4add6220cd27ddb9f1a641b95436204b87ca0fca1c18dc903d50ce57a4", + "sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71", "type": "eql", - "version": 1 + "version": 2 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "min_stack_version": "8.3", @@ -8421,9 +8430,9 @@ "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "min_stack_version": "8.3", "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "5b07769d45f5a33fcbe539609647986809d75daea1b8aa5874d0ae7f0e6a8892", + "sha256": "c1e96e42705eb2de534b4ce6fa40b16c522e2bb6f8f8a0f0ff6ea140ff22680b", "type": "eql", - "version": 5 + "version": 6 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.10", @@ -8474,9 +8483,9 @@ } }, "rule_name": "AWS Route Table Created", - "sha256": "a1d7f30f2d264fc6fdb0fb5064f0607217c5a23f4310abcf3ed37bbde3c6de43", + "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", "type": "query", - "version": 206 + "version": 207 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "min_stack_version": "8.9", @@ -8490,9 +8499,9 @@ } }, "rule_name": "AWS RDS Cluster Creation", - "sha256": "064737df50105c6e8c5336eb8537b218f80ef6e29e079214fe8dca37dc5bda32", + "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", "type": "query", - "version": 205 + "version": 206 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.3", @@ -8557,9 +8566,9 @@ } }, "rule_name": "AWS Management Console Root Login", - "sha256": "c4f8568aee037cc76372958fdfc1556649341e70f4d8ffc9a8a3f8c1e5fbe0e6", + "sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd", "type": "query", - "version": 208 + "version": 209 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "min_stack_version": "8.3", @@ -8608,9 +8617,9 @@ } }, "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "58bf1f2fc9acd22be3c161424a77c2a213cf1401372313a2272d73d6af866d41", + "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525", "type": "query", - "version": 205 + "version": 206 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "min_stack_version": "8.3", @@ -8739,9 +8748,9 @@ "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Memory Dump File Creation", - "sha256": "8e637f03a8f8eb325e7801996c5641dcd8972185da239d2786d603ce93786836", + "sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62", "type": "eql", - "version": 2 + "version": 3 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.3", @@ -8766,12 +8775,19 @@ "type": "eql", "version": 106 }, + "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { + "min_stack_version": "8.3", + "rule_name": "Potential Windows Session Hijacking via CcmExec", + "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a", + "type": "eql", + "version": 1 + }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "min_stack_version": "8.3", "rule_name": "Unusual Process For MSSQL Service Accounts", - "sha256": "cdb82fbb668c46c37e97ed4485ecc44f5e15ee31cc32e28105e7294c0540d5fb", + "sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8", "type": "eql", - "version": 3 + "version": 4 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "min_stack_version": "8.3", @@ -8792,9 +8808,9 @@ } }, "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "b11f9cf36b13141493f83a145f1b5fb0cd4f6358fbb7fdd5bfe039e8c1a7ccdd", + "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112", "type": "query", - "version": 206 + "version": 207 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.3", @@ -8813,9 +8829,9 @@ "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "min_stack_version": "8.3", "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "11efd3f1317d2a58d6a23697ca3bc3e97915a9f61722e9e6d165309b4235e670", + "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", "type": "eql", - "version": 6 + "version": 7 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "min_stack_version": "8.6", @@ -8861,9 +8877,9 @@ } }, "rule_name": "AWS EC2 VM Export Failure", - "sha256": "3d6439c0aa3958b93a6dddcf1bd5a4bd85a8a42ea1de077784cbcddffa9842dd", + "sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c", "type": "query", - "version": 205 + "version": 206 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { "min_stack_version": "8.9", @@ -8931,9 +8947,9 @@ } }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "9483354a3f2036153d547ffd891d4d16c6e0bf7ca283943e90aa19c54a8d8282", + "sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3", "type": "threshold", - "version": 209 + "version": 210 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "min_stack_version": "8.3", @@ -9031,9 +9047,9 @@ "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "min_stack_version": "8.3", "rule_name": "Executable File with Unusual Extension", - "sha256": "d740eda69b10b688372f488feab1a6e9af2a26122ee1f6af6de7612aa33706e8", + "sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509", "type": "eql", - "version": 1 + "version": 2 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "min_stack_version": "8.9", @@ -9047,9 +9063,9 @@ } }, "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "ac0a0d9ae3dd952d42b9953594ccbb2e820c3b3754a613810c6568a3fb3205bc", + "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58", "type": "query", - "version": 205 + "version": 206 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "min_stack_version": "8.3", @@ -9091,9 +9107,9 @@ "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "min_stack_version": "8.3", "rule_name": "Linux User Account Creation", - "sha256": "8c333e1755bb44dd4a24738d80d65fd67a504f1950f8efd1546acee9a50bb0d3", + "sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08", "type": "eql", - "version": 4 + "version": 5 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "min_stack_version": "8.10", @@ -9121,9 +9137,9 @@ "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "min_stack_version": "8.3", "rule_name": "Shortcut File Written or Modified on Startup Folder", - "sha256": "0d2db57efc137fb2c937163b2d094d9504f0f8ef15c3c7805ad1b83d14ed8ee0", + "sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662", "type": "eql", - "version": 1 + "version": 2 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", @@ -9183,9 +9199,9 @@ "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "min_stack_version": "8.3", "rule_name": "Suspicious HTML File Creation", - "sha256": "e736532f89f364ec30f47b2f1c7016d26c11d011ecf3aba3ec6609ad1d18f324", + "sha256": "a8f8624488bd94c12376e0d7098fdf1714698d2df6e877311fded9ab584a043d", "type": "eql", - "version": 106 + "version": 107 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.10", @@ -9241,9 +9257,9 @@ "f243fe39-83a4-46f3-a3b6-707557a102df": { "min_stack_version": "8.3", "rule_name": "Service Path Modification", - "sha256": "790cb59192049129174ca88a5027bbc545f0d19ab6d4278e4bd826f2aaedcfc4", + "sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9", "type": "eql", - "version": 1 + "version": 2 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "min_stack_version": "8.3", @@ -9285,9 +9301,9 @@ } }, "rule_name": "AWS RDS Instance Creation", - "sha256": "25aeaebf372fd4e468e990590efe81685706f45ab5eb44bb246d187a16a8b6e0", + "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", "type": "query", - "version": 205 + "version": 206 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "min_stack_version": "8.4", @@ -9306,9 +9322,9 @@ "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", - "sha256": "883630b3f6c3b96cccb79a36ebc7a8390525e3bce7cd70274b7f66666bffa25f", + "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", "type": "eql", - "version": 109 + "version": 110 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "min_stack_version": "8.3", @@ -9389,16 +9405,16 @@ "f5861570-e39a-4b8a-9259-abd39f84cb97": { "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "af58671d98fd5dc17bf1d2f0cf469070084cecd6da4017d0572ca1fcfb6a5b7f", + "sha256": "e1128eff83337cf8df9523f584e2a5859c85e7d579d9655bb532de4714bd4124", "type": "query", - "version": 3 + "version": 4 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "min_stack_version": "8.3", "rule_name": "WMIC Remote Command", - "sha256": "42d6b84b3a8696b0bf6bf486d60aab97b24df9b1e2f726ff15bf8b3c0159f746", + "sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f", "type": "eql", - "version": 3 + "version": 4 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { "min_stack_version": "8.3", @@ -9475,9 +9491,9 @@ } }, "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "c58352df4a9adcf9259a2e3656fddae07215b10995a31acba7684366f084e0a9", + "sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc", "type": "query", - "version": 208 + "version": 209 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "min_stack_version": "8.8", @@ -9545,9 +9561,9 @@ "f97504ac-1053-498f-aeaa-c6d01e76b379": { "min_stack_version": "8.3", "rule_name": "Browser Extension Install", - "sha256": "6079caeac5bb8aaf376eca68eabd0a6470f809ea118a564a2bff36d9612b7e65", + "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", "type": "eql", - "version": 1 + "version": 2 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "min_stack_version": "8.3", @@ -9582,9 +9598,9 @@ "fa210b61-b627-4e5e-86f4-17e8270656ab": { "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", - "sha256": "976d63084190e20f320e0106f4ad4bc08619d00ea326d685796c9693902a3d7c", + "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda", "type": "eql", - "version": 6 + "version": 7 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "min_stack_version": "8.3", @@ -9619,16 +9635,16 @@ } }, "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "2e04de492ae2b8608ce4404506cff8d8216450e3eac0292441ce1ca740d506cf", + "sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc", "type": "eql", - "version": 103 + "version": 104 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", - "sha256": "72b6d24fbb5b42bb6bc82d00ec7a7b880b9cf1894cbbd762f64cbca9e5c45d41", + "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d", "type": "eql", - "version": 107 + "version": 108 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { "min_stack_version": "8.8", @@ -9655,9 +9671,9 @@ } }, "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "e2cf9c3a12bd9ec52910d1a412e540d1f76113ddae474ae4fe22f81ed3aafb15", + "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004", "type": "query", - "version": 205 + "version": 206 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "min_stack_version": "8.3", @@ -9712,16 +9728,16 @@ } }, "rule_name": "Svchost spawning Cmd", - "sha256": "c2e725e9eb19e33d6be3fc8161e3923a7db648a6233feb31e68837e724c7800c", + "sha256": "6d152e1d87343af4204868f6661565208bc41bc7fa3b54d2431de77ade274f91", "type": "new_terms", - "version": 211 + "version": 212 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "min_stack_version": "8.3", "rule_name": "Image Loaded with Invalid Signature", - "sha256": "cc47fed45ee058e096104f4c1d2e2068a516895cf8a9e85ab1511686b49de1ee", + "sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d", "type": "eql", - "version": 1 + "version": 2 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "min_stack_version": "8.3", @@ -9761,9 +9777,9 @@ "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { "min_stack_version": "8.3", "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", - "sha256": "2d4dac5ee69aa01095329c1850ad5569f1d4d34fe06d5a73ef0f4fb93b1d98b7", + "sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87", "type": "eql", - "version": 1 + "version": 2 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "min_stack_version": "8.3",