diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index 218ffe28333..294048efba2 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -1,7 +1,7 @@
 {
 "041d4d41-9589-43e2-ba13-5680af75ebc2": {
 "deprecation_date": "2023/09/25",
- "rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
+ "rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
 "stack_version": "8.3"
 },
 "08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
@@ -99,6 +99,11 @@
 "rule_name": "Setgid Bit Set via chmod",
 "stack_version": "7.13"
 },
+ "3efee4f0-182a-40a8-a835-102c68a4175d": {
+ "deprecation_date": "2025/01/17",
+ "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
+ "stack_version": "8.12"
+ },
 "43303fd4-4839-4e48-b2b2-803ab060758d": {
 "deprecation_date": "2022/09/13",
 "rule_name": "Web Application Suspicious Activity: No User Agent",
@@ -209,6 +214,11 @@
 "rule_name": "Linux Restricted Shell Breakout via the vi command",
 "stack_version": "7.16"
 },
+ "8acb7614-1d92-4359-bfcf-478b6d9de150": {
+ "deprecation_date": "2025/01/17",
+ "rule_name": "Deprecated - Suspicious JAVA Child Process",
+ "stack_version": "8.12"
+ },
 "8fed8450-847e-43bd-874c-3bbf0cd425f3": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 10d8ed9f1bb..0147e5f38a0 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -68,6 +68,12 @@
 "type": "eql",
 "version": 415
 },
+ "0049cf71-fe13-4d79-b767-f7519921ffb5": {
+ "rule_name": "System Binary Path File Permission Modification",
+ "sha256": "f349feeacc158450a8c5f0668ae859afc19fd12c10c89d18b3f0f2ddd04215dd",
+ "type": "eql",
+ "version": 1
+ },
 "00678712-b2df-11ed-afe9-f661ea17fbcc": {
 "rule_name": "Google Workspace Suspended User Account Renewed",
 "sha256": "8283b518baac8842c7ce326891bda4e15bace4d280e83afbd132727190139aee",
@@ -210,10 +216,20 @@
 "version": 3
 },
 "0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 101,
+ "rule_name": "Suspicious Dynamic Linker Discovery via od",
+ "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Suspicious Dynamic Linker Discovery via od",
- "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8",
+ "sha256": "5a89e9c9403463bc8cad9d70b104d352791bd9ba509e45e22ce425a5b8bdba4e",
 "type": "eql",
- "version": 2
+ "version": 102
 },
 "03a514d9-500e-443e-b6a9-72718c548f6c": {
 "rule_name": "SSH Process Launched From Inside A Container",
@@ -415,10 +431,20 @@
 "version": 210
 },
 "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 100,
+ "rule_name": "Dynamic Linker (ld.so) Creation",
+ "sha256": "d199c5e9dfd9aa2e6e54808f02b7c661ba51e4c78cc780b45d0e910dc09b0230",
+ "type": "eql",
+ "version": 1
+ }
+ },
 "rule_name": "Dynamic Linker (ld.so) Creation",
- "sha256": "d199c5e9dfd9aa2e6e54808f02b7c661ba51e4c78cc780b45d0e910dc09b0230",
+ "sha256": "25c134214022fe4919832996ce775387fbd9ee22fda14c49daaecb865d145206",
 "type": "eql",
- "version": 1
+ "version": 101
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "min_stack_version": "8.14",
@@ -640,9 +666,9 @@
 }
 },
 "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
- "sha256": "1a79fc397af3f12c7da606036342d1b41b7d2b17df4a446cd98e618b4e7e9891",
+ "sha256": "d48d0db0dcf2f0f427cffe2c1fc5c43f10abee34268e5d667453968fbde0f29d",
 "type": "query",
- "version": 208
+ "version": 209
 },
 "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
 "rule_name": "Yum Package Manager Plugin File Creation",
@@ -682,6 +708,12 @@
 "type": "query",
 "version": 213
 },
+ "0b76ad27-c3f3-4769-9e7e-3237137fdf06": {
+ "rule_name": "Systemd Shell Execution During Boot",
+ "sha256": "22a959fc1ae4b5c978a6bb8e8fa8d2acd527c45d6f559981da7a7b185d3ce099",
+ "type": "eql",
+ "version": 1
+ },
 "0b79f5c0-2c31-4fea-86cd-e62644278205": {
 "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
 "sha256": "ba7852357719e494be81332b6d01118f5355863b002a850e69704188995ec8c6",
@@ -689,10 +721,20 @@
 "version": 1
 },
 "0b803267-74c5-444d-ae29-32b5db2d562a": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 105,
+ "rule_name": "Potential Shell via Wildcard Injection Detected",
+ "sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9",
+ "type": "eql",
+ "version": 6
+ }
+ },
 "rule_name": "Potential Shell via Wildcard Injection Detected",
- "sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9",
+ "sha256": "81734f1eb98d81af0ca26082b03fceb94a4883a4f849ace026fd8c1adbc3bd35",
 "type": "eql",
- "version": 6
+ "version": 106
 },
 "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
 "min_stack_version": "8.14",
@@ -717,10 +759,20 @@
 "version": 2
 },
 "0c1e8fda-4f09-451e-bc77-a192b6cbfc32": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 100,
+ "rule_name": "Potential Hex Payload Execution",
+ "sha256": "b50ace78d817688a156f23beb890b4697291938d084ca42129f8ecf1dcb8b0b0",
+ "type": "eql",
+ "version": 1
+ }
+ },
 "rule_name": "Potential Hex Payload Execution",
- "sha256": "b50ace78d817688a156f23beb890b4697291938d084ca42129f8ecf1dcb8b0b0",
+ "sha256": "2d0fa73ed28a53fba32e51085db7721c3da52a4443b249024ba095506e2997d7",
 "type": "eql",
- "version": 1
+ "version": 101
 },
 "0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
 "rule_name": "Threat Intel IP Address Indicator Match",
@@ -784,10 +836,20 @@
 "version": 3
 },
 "0d69150b-96f8-467c-a86d-a67a3378ce77": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 207,
+ "rule_name": "Nping Process Activity",
+ "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec",
+ "type": "eql",
+ "version": 108
+ }
+ },
 "rule_name": "Nping Process Activity",
- "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec",
+ "sha256": "9e6ad0d56964a23df0d9728adfe7374b9829eb6b744d07e2139d35a8836e8ff3",
 "type": "eql",
- "version": 108
+ "version": 208
 },
 "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
 "rule_name": "Execution of File Written or Modified by Microsoft Office",
@@ -846,17 +908,40 @@
 "type": "eql",
 "version": 210
 },
+ "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
+ "min_stack_version": "8.14",
+ "rule_name": "Sensitive Audit Policy Sub-Category Disabled",
+ "sha256": "1bf144627669639eeaddc1fd3dacb1721c5a22b5bbd5c657d21a9ea80a9e7a98",
+ "type": "query",
+ "version": 1
+ },
 "0f4d35e4-925e-4959-ab24-911be207ee6f": {
 "rule_name": "rc.local/rc.common File Creation",
 "sha256": "28070d788626c94266ca156adfce5e6d58d48df08e6103e0cfc4c1b1e7bb8ab5",
 "type": "eql",
 "version": 114
 },
+ "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": {
+ "rule_name": "Polkit Policy Creation",
+ "sha256": "c5b96e974b3fcfcec0a0363729ff3eaaa75d3eef6433dcfa417afba10d813e2a",
+ "type": "eql",
+ "version": 2
+ },
 "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 102,
+ "rule_name": "Netcat Listener Established via rlwrap",
+ "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Netcat Listener Established via rlwrap",
- "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147",
+ "sha256": "0925718d6acd18e0a768b91cd047c58843ab49c9db753e14eabcec5fed876a96",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
 "min_stack_version": "8.16",
@@ -1145,10 +1230,20 @@
 "version": 411
 },
 "135abb91-dcf4-48aa-b81a-5ad036b67c68": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 100,
+ "rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
+ "sha256": "b6c89e8c3a97272346f423ebb217dd3b570a754d8cf3cc976707c2b412198fdc",
+ "type": "eql",
+ "version": 1
+ }
+ },
 "rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
- "sha256": "b6c89e8c3a97272346f423ebb217dd3b570a754d8cf3cc976707c2b412198fdc",
+ "sha256": "c0225ffbf6f1c5644805b6540d4044e24bcb9f08e6af9d221853d008f463c7e5",
 "type": "eql",
- "version": 1
+ "version": 101
 },
 "138c5dd5-838b-446e-b1ac-c995c7f8108a": {
 "rule_name": "Rare User Logon",
@@ -1489,6 +1584,13 @@
 "type": "eql",
 "version": 15
 },
+ "17b3fcd1-90fb-4f5d-858c-dc1d998fa368": {
+ "min_stack_version": "8.13",
+ "rule_name": "Initramfs Extraction via CPIO",
+ "sha256": "88f6c3605792e48f97143dae8fefedd34a2b14b68960474ed089ba2db106e09f",
+ "type": "eql",
+ "version": 1
+ },
 "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
 "min_stack_version": "8.14",
 "previous": {
@@ -1566,9 +1668,9 @@
 },
 "192657ba-ab0e-4901-89a2-911d611eee98": {
 "rule_name": "Potential Persistence via File Modification",
- "sha256": "298ff5b48b9ea67a5f5b35141f71ede83fd8f9844fe8a4bccba0f987df0a6899",
+ "sha256": "f5cbfcaf9e6dd8e01c55fb2ed8afe33ef0b81e5007dc3743f0941ad9b58b7103",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
 "rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -1671,10 +1773,20 @@
 "version": 3
 },
 "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 206,
+ "rule_name": "Connection to Internal Network via Telnet",
+ "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e",
+ "type": "eql",
+ "version": 107
+ }
+ },
 "rule_name": "Connection to Internal Network via Telnet",
- "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e",
+ "sha256": "e19d71cafe597bc4b326785b8e8e725a53ba901c3bb0333928c1cb54799beb8c",
 "type": "eql",
- "version": 107
+ "version": 207
 },
 "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
 "rule_name": "AWS ElastiCache Security Group Modified or Deleted",
@@ -1857,10 +1969,20 @@
 "version": 208
 },
 "1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 103,
+ "rule_name": "Potential Linux Hack Tool Launched",
+ "sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae",
+ "type": "eql",
+ "version": 4
+ }
+ },
 "rule_name": "Potential Linux Hack Tool Launched",
- "sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae",
+ "sha256": "49f49d62f770f10f10fdae98e3f6c03211715e12f5a072a26c1d0b22d1c275cc",
 "type": "eql",
- "version": 4
+ "version": 104
 },
 "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
 "min_stack_version": "8.14",
@@ -1874,9 +1996,9 @@
 }
 },
 "rule_name": "PowerShell Script with Discovery Capabilities",
- "sha256": "54e718a88b4a68d227e6b66b126f993aa778b036deb6f8be5b61951c298f111f",
+ "sha256": "7efabb7cc18356aa60fe4c271bef0144b303a454cd4203ec421a5a679a75572e",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "1e0b832e-957e-43ae-b319-db82d228c908": {
 "rule_name": "Azure Storage Account Key Regenerated",
@@ -1950,9 +2072,9 @@
 }
 },
 "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
- "sha256": "eeebabf5497517642690f0b238295c5f9f09396305832e4b067a3d788067bee9",
+ "sha256": "d57fd991da3d4f7b2a68dfa3e37deec177fe3b4f4977637a564c09c68949629c",
 "type": "query",
- "version": 110
+ "version": 111
 },
 "1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
 "min_stack_version": "8.13",
@@ -2029,10 +2151,20 @@
 "version": 312
 },
 "202829f6-0271-4e88-b882-11a655c590d4": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 102,
+ "rule_name": "Executable Masquerading as Kernel Process",
+ "sha256": "6ad1b642bad962d9940a85ca08a1032187176ae60ef68d10052b7a025ecdea46",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Executable Masquerading as Kernel Process",
- "sha256": "6ad1b642bad962d9940a85ca08a1032187176ae60ef68d10052b7a025ecdea46",
+ "sha256": "dcccdcb3bc1e5b240f35cb216dd6c016c822cf4c7adb33f410aeb8a5f7c01f78",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
 "min_stack_version": "8.14",
@@ -2120,6 +2252,12 @@
 "type": "eql",
 "version": 4
 },
+ "2112ecce-cd34-11ef-873f-f661ea17fbcd": {
+ "rule_name": "SNS Topic Message Publish by Rare User",
+ "sha256": "ec62c61349b96117c332b5fadac825476aa3265486a5bbb85288ddab4964f423",
+ "type": "new_terms",
+ "version": 1
+ },
 "2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
 "rule_name": "Potential Reverse Shell via Child",
 "sha256": "52be9ea43b199f813b9c25ab2637afd7569a16c06703b7dc7f5151925b0b2853",
@@ -2179,10 +2317,20 @@
 "version": 104
 },
 "2339f03c-f53f-40fa-834b-40c5983fc41f": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 209,
+ "rule_name": "Kernel Module Load via insmod",
+ "sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d",
+ "type": "eql",
+ "version": 110
+ }
+ },
 "rule_name": "Kernel Module Load via insmod",
- "sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d",
+ "sha256": "9abb3eb385fa47087a7d19e819147ba24a8b793841f61aa0b3d6901aa880f106",
 "type": "eql",
- "version": 110
+ "version": 210
 },
 "2377946d-0f01-4957-8812-6878985f515d": {
 "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
@@ -2275,10 +2423,20 @@
 "version": 104
 },
 "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 103,
+ "rule_name": "Potential Reverse Shell via Background Process",
+ "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5",
+ "type": "eql",
+ "version": 4
+ }
+ },
 "rule_name": "Potential Reverse Shell via Background Process",
- "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5",
+ "sha256": "219e824eb630f41ee3e7b32a4960f77e8fbe50e1014a05e29acf3a988cf0fbc1",
 "type": "eql",
- "version": 4
+ "version": 104
 },
 "25d917c4-aa3c-4111-974c-286c0312ff95": {
 "rule_name": "Network Activity Detected via Kworker",
@@ -2343,6 +2501,12 @@
 "type": "query",
 "version": 102
 },
+ "264c641e-c202-11ef-993e-f661ea17fbce": {
+ "rule_name": "AWS EC2 Deprecated AMI Discovery",
+ "sha256": "984211ed55f8898b7321729d0d86c68d2e9df858d8707db16a873776a96bf7f8",
+ "type": "query",
+ "version": 1
+ },
 "265db8f5-fc73-4d0d-b434-6483b56372e2": {
 "min_stack_version": "8.14",
 "previous": {
@@ -2374,10 +2538,20 @@
 "version": 1
 },
 "26a726d7-126e-4267-b43d-e9a70bfdee1e": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 100,
+ "rule_name": "Potential Defense Evasion via Doas",
+ "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27",
+ "type": "eql",
+ "version": 1
+ }
+ },
 "rule_name": "Potential Defense Evasion via Doas",
- "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27",
+ "sha256": "1c3da01c4b351cf0ade023da9ee0f8c71f5d33cd9ec57d70d403045f8ee952eb",
 "type": "eql",
- "version": 1
+ "version": 101
 },
 "26b01043-4f04-4d2f-882a-5a1d2e95751b": {
 "rule_name": "Privileges Elevation via Parent Process PID Spoofing",
@@ -2419,15 +2593,25 @@
 }
 },
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
- "sha256": "4a3e6bf68329d70f058be24f7904ce234a26b57c38972ad33ff103a9e00f78a9",
+ "sha256": "7968dcf6597d447a945c7445f46e60b9c60182148cddf51f04392d3a1650b46e",
 "type": "query",
- "version": 208
+ "version": 209
 },
 "2724808c-ba5d-48b2-86d2-0002103df753": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 104,
+ "rule_name": "Attempt to Clear Kernel Ring Buffer",
+ "sha256": "25e2ab660e4188ceba62e4820957228cb86abad97ae790a7202ba5b2531e345f",
+ "type": "eql",
+ "version": 5
+ }
+ },
 "rule_name": "Attempt to Clear Kernel Ring Buffer",
- "sha256": "25e2ab660e4188ceba62e4820957228cb86abad97ae790a7202ba5b2531e345f",
+ "sha256": "450d468c26a54a6c70c3b7980ebdd8b9885277c51b1b7847b6a9c6cad45d1de1",
 "type": "eql",
- "version": 5
+ "version": 105
 },
 "272a6484-2663-46db-a532-ef734bf9a796": {
 "rule_name": "Microsoft 365 Exchange Transport Rule Modification",
@@ -2533,10 +2717,20 @@
 "version": 2
 },
 "28d39238-0c01-420a-b77a-24e5a7378663": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 105,
+ "rule_name": "Sudo Command Enumeration Detected",
+ "sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326",
+ "type": "eql",
+ "version": 6
+ }
+ },
 "rule_name": "Sudo Command Enumeration Detected",
- "sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326",
+ "sha256": "baf439993dc981bafad369990438f1d3377f8fed5bd3dc2eb66c2df021a7898e",
 "type": "eql",
- "version": 6
+ "version": 106
 },
 "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
 "min_stack_version": "8.16",
@@ -2658,10 +2852,20 @@
 "version": 1
 },
 "29f0cf93-d17c-4b12-b4f3-a433800539fa": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 103,
+ "rule_name": "Linux SSH X11 Forwarding",
+ "sha256": "2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91",
+ "type": "eql",
+ "version": 4
+ }
+ },
 "rule_name": "Linux SSH X11 Forwarding",
- "sha256": "2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91",
+ "sha256": "61ef0630017ee5ecedc27ac198533afc92662fccf83af9e680976fb38d7b6245",
 "type": "eql",
- "version": 4
+ "version": 104
 },
 "2a692072-d78d-42f3-a48a-775677d79c4e": {
 "rule_name": "Potential Code Execution via Postgresql",
@@ -2676,10 +2880,20 @@
 "version": 204
 },
 "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 106,
+ "rule_name": "ESXI Discovery via Grep",
+ "sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880",
+ "type": "eql",
+ "version": 7
+ }
+ },
 "rule_name": "ESXI Discovery via Grep",
- "sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880",
+ "sha256": "d38a739617452964c32555576678742890611cdb452ed76394bb7a4dbc5b1bc1",
 "type": "eql",
- "version": 7
+ "version": 107
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "min_stack_version": "8.14",
@@ -2812,10 +3026,20 @@
 "version": 311
 },
 "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 102,
+ "rule_name": "Potential SSH-IT SSH Worm Downloaded",
+ "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Potential SSH-IT SSH Worm Downloaded",
- "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c",
+ "sha256": "493174dd97f98d9dc2385620938cdd1b1fb3bac13fbaf6cefd5bba1d9d52fbba",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "2de10e77-c144-4e69-afb7-344e7127abd0": {
 "rule_name": "O365 Excessive Single Sign-On Logon Errors",
@@ -2976,10 +3200,20 @@
 "version": 212
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 209,
+ "rule_name": "Attempt to Disable Syslog Service",
+ "sha256": "b1a7d12998e1efd7ea299012dcf84947b7b732b5d5acaf875515adc5e0289cf9",
+ "type": "eql",
+ "version": 110
+ }
+ },
 "rule_name": "Attempt to Disable Syslog Service",
- "sha256": "b1a7d12998e1efd7ea299012dcf84947b7b732b5d5acaf875515adc5e0289cf9",
+ "sha256": "22a0fbb06dfda70d1adfd4babcfef821d608b27db689d38ad0a6da435108d146",
 "type": "eql",
- "version": 110
+ "version": 210
 },
 "2f95540c-923e-4f57-9dae-de30169c68b9": {
 "rule_name": "Suspicious /proc/maps Discovery",
@@ -3028,10 +3262,20 @@
 "version": 2
 },
 "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 107,
+ "rule_name": "ESXI Timestomping using Touch Command",
+ "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea",
+ "type": "eql",
+ "version": 8
+ }
+ },
 "rule_name": "ESXI Timestomping using Touch Command",
- "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea",
+ "sha256": "696509a7cdb782460d36cfa3fa0aacd0526662d34d5b8104d0a5f75c0bdaeb93",
 "type": "eql",
- "version": 8
+ "version": 108
 },
 "30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
 "rule_name": "Network Connection via Sudo Binary",
@@ -3164,10 +3408,20 @@
 "version": 416
 },
 "3302835b-0049-4004-a325-660b1fba1f67": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 100,
+ "rule_name": "Directory Creation in /bin directory",
+ "sha256": "f412ce479acffee82949aed77160fece5ab382dbec5d754ae3c3fdf213e61712",
+ "type": "eql",
+ "version": 1
+ }
+ },
 "rule_name": "Directory Creation in /bin directory",
- "sha256": "f412ce479acffee82949aed77160fece5ab382dbec5d754ae3c3fdf213e61712",
+ "sha256": "2c803e78bc8f8a94d576257db77fc5299f73a5e7365d61ee7d2ca6168f5f8a1e",
 "type": "eql",
- "version": 1
+ "version": 101
 },
 "333de828-8190-4cf5-8d7c-7575846f6fe0": {
 "rule_name": "AWS IAM User Addition to Group",
@@ -3176,10 +3430,20 @@
 "version": 209
 },
 "33a6752b-da5e-45f8-b13a-5f094c09522f": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 106,
+ "rule_name": "ESXI Discovery via Find",
+ "sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df",
+ "type": "eql",
+ "version": 7
+ }
+ },
 "rule_name": "ESXI Discovery via Find",
- "sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df",
+ "sha256": "fc783c447a0efdf2dbb9749e4af9982fcfe4ca9c0a25e771675c110d1e56672b",
 "type": "eql",
- "version": 7
+ "version": 107
 },
 "33f306e8-417c-411b-965c-c2812d6d3f4d": {
 "rule_name": "Remote File Download via PowerShell",
@@ -3300,9 +3564,9 @@
 },
 "3688577a-d196-11ec-90b0-f661ea17fbce": {
 "rule_name": "Process Started from Process ID (PID) File",
- "sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e",
+ "sha256": "fe046a7846b79f672e4e7b8458d89a2e198eed687295bd94b48f0aa55d4e2d18",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
 "min_stack_version": "8.14",
@@ -3334,10 +3598,20 @@
 "version": 4
 },
 "3728c08d-9b70-456b-b6b8-007c7d246128": {
- "rule_name": "Potential Suspicious File Edit",
- "sha256": "bf74f549ef8c05505839770cb6d64489d48d766df1312cd3524c9d65450352dd",
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 104,
+ "rule_name": "Potential Suspicious File Edit",
+ "sha256": "bf74f549ef8c05505839770cb6d64489d48d766df1312cd3524c9d65450352dd",
+ "type": "eql",
+ "version": 5
+ }
+ },
+ "rule_name": "Potential Suspicious File Edit",
+ "sha256": "e3c28261518b3d09fe11ffba93334faea5c28a139351f3b8218907e2843ba3ee",
 "type": "eql",
- "version": 5
+ "version": 105
 },
 "378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
 "rule_name": "AWS RDS Security Group Creation",
@@ -3616,6 +3890,18 @@
 "type": "machine_learning",
 "version": 104
 },
+ "3c9f7901-01d8-465d-8dc0-5d46671035fa": {
+ "rule_name": "Kernel Seeking Activity",
+ "sha256": "26c46bd62ff0d516a55fc08e17a9f41f3409d3490f4e6eb2c8204567f91e39f1",
+ "type": "eql",
+ "version": 1
+ },
+ "3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
+ "rule_name": "Unusual Pkexec Execution",
+ "sha256": "f881f99cc51d27e19d500ed2de935f93246a9867a31fa8c9131db09d72eee2fa",
+ "type": "new_terms",
+ "version": 2
+ },
 "3d00feab-e203-4acc-a463-c3e15b7e9a73": {
 "min_stack_version": "8.14",
 "previous": {
@@ -3797,10 +4083,20 @@
 "version": 1
 },
 "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 102,
+ "rule_name": "DNF Package Manager Plugin File Creation",
+ "sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "DNF Package Manager Plugin File Creation",
- "sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc",
+ "sha256": "1aa2a1b1eca396c2a3f70bbc52d318ee9f31bda76398c543d78e25726cb02d3e",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
 "min_stack_version": "8.14",
@@ -3864,10 +4160,20 @@
 "version": 108
 },
 "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 102,
+ "rule_name": "Unix Socket Connection",
+ "sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Unix Socket Connection",
- "sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0",
+ "sha256": "48a869a44950954d5f8f9e7e503bc71a3aef2f85baf249208f3562f525347ce9",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "min_stack_version": "8.14",
@@ -3916,10 +4222,10 @@
 },
 "4182e486-fc61-11ee-a05d-f661ea17fbce": {
 "min_stack_version": "8.13",
- "rule_name": "AWS EC2 EBS Snapshot Shared with Another Account",
- "sha256": "7f8925fab74497cb1c5a5be27e5fdd45c850feed6f57c4fd2e0f5997d9648c6f",
+ "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
+ "sha256": "fe2c4a17447305354c8b9fb488d5c6fb13c563a31ab9baa5f8e4c630c4ab21dd",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
 "rule_name": "Potential Hidden Local User Account Creation",
@@ -3997,10 +4303,20 @@
 "version": 101
 },
 "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 107,
+ "rule_name": "Linux User Added to Privileged Group",
+ "sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e",
+ "type": "eql",
+ "version": 8
+ }
+ },
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e",
+ "sha256": "f1c6054713eb3ad3792dee7d6aea237da18cf74fab7306e92ee2065db3607361",
 "type": "eql",
- "version": 8
+ "version": 108
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.14",
@@ -4166,10 +4482,20 @@
 "version": 105
 },
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 112,
+ "rule_name": "System V Init Script Created",
+ "sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034",
+ "type": "eql",
+ "version": 13
+ }
+ },
 "rule_name": "System V Init Script Created",
- "sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034",
+ "sha256": "75707b6e1215c02b5b333be4caefad14917a87d8d0d5b38a18c346eb857ba622",
 "type": "eql",
- "version": 13
+ "version": 113
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "rule_name": "Sensitive Files Compression Inside A Container",
@@ -4178,10 +4504,20 @@
 "version": 2
 },
 "476267ff-e44f-476e-99c1-04c78cb3769d": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 101,
+ "rule_name": "Cupsd or Foomatic-rip Shell Execution",
+ "sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Cupsd or Foomatic-rip Shell Execution",
- "sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01",
+ "sha256": "ee6cc99ccb00b4e64d3f60240e0c12a4355d9c77cb1bbdc35e834683ff68f85a",
 "type": "eql",
- "version": 2
+ "version": 102
 },
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.14",
@@ -4287,10 +4623,20 @@
 "version": 102
 },
 "494ebba4-ecb7-4be4-8c6f-654c686549ad": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 107,
+ "rule_name": "Potential Linux Backdoor User Account Creation",
+ "sha256": "5a9dab10c85e4612a211b8a0462ad02f3b63ea8ebe7964113b4fe4c6cf0ade62",
+ "type": "eql",
+ "version": 8
+ }
+ },
 "rule_name": "Potential Linux Backdoor User Account Creation",
- "sha256": "5a9dab10c85e4612a211b8a0462ad02f3b63ea8ebe7964113b4fe4c6cf0ade62",
+ "sha256": "41858fb1b885aef0b0a2aee2353ba70f43841b18b6fab7efaa3f142a61b7db9f",
 "type": "eql",
- "version": 8
+ "version": 108
 },
 "495e5f2e-2480-11ed-bea8-f661ea17fbce": {
 "rule_name": "Application Removed from Blocklist in Google Workspace",
@@ -4316,9 +4662,9 @@
 }
 },
 "rule_name": "Process Discovery Using Built-in Tools",
- "sha256": "24424c58a67a62f2464e7ce3c038697aeb561551b61ba5a2c8bf1cf001674ec1",
+ "sha256": "3b1deb0f2c414f72a2ff2c171c83290554600ba4b5b4b8dc7eabcfcc34a7bb19",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "4a4e23cf-78a2-449c-bac3-701924c269d3": {
 "rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -4327,10 +4673,20 @@
 "version": 106
 },
 "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 104,
+ "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
+ "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea",
+ "type": "eql",
+ "version": 5
+ }
+ },
 "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
- "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea",
+ "sha256": "1a3a1dd2c62931e4f4219efcb21815a2873f452e37b5a43a99bc6c1097e5456c",
 "type": "eql",
- "version": 5
+ "version": 105
 },
 "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
 "rule_name": "Potential Cross Site Scripting (XSS)",
@@ -4374,10 +4730,20 @@
 "version": 4
 },
 "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 103,
+ "rule_name": "ProxyChains Activity",
+ "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3",
+ "type": "eql",
+ "version": 4
+ }
+ },
 "rule_name": "ProxyChains Activity",
- "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3",
+ "sha256": "50873c947464e5b7e0f7bf3dc3cf714ad8cb4afc0b467858fac06331df2723f1",
 "type": "eql",
- "version": 4
+ "version": 104
 },
 "4b95ecea-7225-4690-9938-2a2c0bad9c99": {
 "rule_name": "Unusual Process Writing Data to an External Device",
@@ -4431,10 +4797,20 @@
 "version": 111
 },
 "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 106,
+ "rule_name": "Kernel Load or Unload via Kexec Detected",
+ "sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77",
+ "type": "eql",
+ "version": 7
+ }
+ },
 "rule_name": "Kernel Load or Unload via Kexec Detected",
- "sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77",
+ "sha256": "9fac7bb1e34b314d0950b254edfbcb8b0035486525df4e2fc5b9e9cbb65785b1",
 "type": "eql",
- "version": 7
+ "version": 107
 },
 "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
 "rule_name": "AWS Management Console Brute Force of Root User Identity",
@@ -4488,10 +4864,20 @@
 "version": 111
 },
 "4ec47004-b34a-42e6-8003-376a123ea447": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 109,
+ "rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
+ "sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38",
+ "type": "eql",
+ "version": 10
+ }
+ },
 "rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
- "sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38",
+ "sha256": "37e55cdb7d8b2334bc54fc6a9a492d1dffe8309b0ee44811480a42ee01190bde",
 "type": "eql",
- "version": 10
+ "version": 110
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "min_stack_version": "8.14",
@@ -4555,6 +4941,12 @@
 "type": "query",
 "version": 410
 },
+ "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
+ "rule_name": "Kernel Unpacking Activity",
+ "sha256": "20d605e52736db120b290b4b7629c450f6b3d0a127d68f5aea96d3002df522eb",
+ "type": "eql",
+ "version": 1
+ },
 "4f855297-c8e0-4097-9d97-d653f7e471c4": {
 "min_stack_version": "8.13",
 "rule_name": "Unusual High Confidence Content Filter Blocks Detected",
@@ -4631,10 +5023,20 @@
 "version": 108
 },
 "5124e65f-df97-4471-8dcb-8e3953b3ea97": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 102,
+ "rule_name": "Hidden Files and Directories via Hidden Flag",
+ "sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Hidden Files and Directories via Hidden Flag",
- "sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9",
+ "sha256": "daf596f6901bee71cb114cdd3ba6d93425bf62553a144a91ea77214278402800",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "min_stack_version": "8.14",
@@ -5191,11 +5593,27 @@ "type": "machine_learning", "version": 105 }, + "59bf26c2-bcbe-11ef-a215-f661ea17fbce": { + "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source", + "sha256": "5faad18f6e8089e38382a04e3ef367fc94f03c5bb03e1aacbdfdae133891e860", + "type": "new_terms", + "version": 1 + }, "5a138e2e-aec3-4240-9843-56825d0bc569": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "IPv4/IPv6 Forwarding Activity", + "sha256": "0ac95528a079d01b7adeaa69e09a6ce000a6e52cd17f4fc7984edb24bf715c66", + "type": "eql", + "version": 1 + } + }, "rule_name": "IPv4/IPv6 Forwarding Activity", - "sha256": "0ac95528a079d01b7adeaa69e09a6ce000a6e52cd17f4fc7984edb24bf715c66", + "sha256": "98b7c643f9f9b010293863a5a9e79452dd6bd16f72b18e1c8c847b1baf6edfd8", "type": "eql", - "version": 1 + "version": 101 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "min_stack_version": "8.14", @@ -5233,10 +5651,20 @@ "version": 1 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 101, + "rule_name": "Potential Chroot Container Escape via Mount", + "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", + "type": "eql", + "version": 2 + } + }, "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", + "sha256": "22f95e8aa96442f2aaab2baa40a03a32f9a71ab839f014a32f9f57c2bf68d6f2", "type": "eql", - "version": 2 + "version": 102 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", 
@@ -5280,16 +5708,26 @@ "version": 6 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 106, + "rule_name": "Suspicious which Enumeration", + "sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570", + "type": "eql", + "version": 7 + } + }, "rule_name": "Suspicious which Enumeration", - "sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570", + "sha256": "73c8ca3902ddad43fb2ceb90daa245dc057f3c920067897050295d67a1394cbd", "type": "eql", - "version": 7 + "version": 107 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", - "sha256": "78ec9be84e9b6970a121017e012905d15e2e20158762c57da7f514ea4d07c5f2", + "sha256": "54ef71a878f44875c6c8792e51f8923f0cf6fc9dec2a549fbb841a11d2161f25", "type": "eql", - "version": 5 + "version": 6 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.14", @@ -5314,6 +5752,13 @@ "type": "new_terms", "version": 314 }, + "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { + "min_stack_version": "8.13", + "rule_name": "Boot File Copy", + "sha256": "30d90beef7fd3002ffb27eab0ea0dd20d3a7775ee4e6eb142d5351f9145fac50", + "type": "eql", + "version": 1 + }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", @@ -5322,9 +5767,9 @@ }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "rule_name": "Process Capability Enumeration", - "sha256": "05b761407363be97b58f3300673822b50467a2bde6e9040bed06c9132d77729a", + "sha256": "22e7a4474249251e7e0ff02b91956eefe3253c4dbffe219e41537c4fca33d8df", "type": "eql", - "version": 2 + "version": 3 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { "min_stack_version": "8.14", 
@@ -5365,10 +5810,20 @@ "version": 1 }, "5c832156-5785-4c9c-a2e7-0d80d2ba3daa": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", + "sha256": "c07bd3dc94f7395887a9d16a2c6986600519ec86ba8f4082f4c1c546be147907", + "type": "eql", + "version": 1 + } + }, "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", - "sha256": "c07bd3dc94f7395887a9d16a2c6986600519ec86ba8f4082f4c1c546be147907", + "sha256": "58a78bbe94aa8e3ce22da6a4bbc47087b53a4e124ed72c30bb71e4c4ebfa89ed", "type": "eql", - "version": 1 + "version": 101 }, "5c895b4f-9133-4e68-9e23-59902175355c": { "rule_name": "Potential Meterpreter Reverse Shell", @@ -5383,10 +5838,20 @@ "version": 104 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 106, + "rule_name": "Potential Defense Evasion via PRoot", + "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", + "type": "eql", + "version": 7 + } + }, "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", + "sha256": "d3dc37d8bb5d0c604f5f739245d5529eada7a5b0873cbfd84c84f37337c57743", "type": "eql", - "version": 7 + "version": 107 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.14", 
@@ -5494,10 +5959,20 @@ "version": 107 }, "5e4023e7-6357-4061-ae1c-9df33e78c674": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Memory Swap Modification", + "sha256": "87f23ecd1afbe1e17093f0f1d038a49132d433f0e99f842a2c1ea2070422022a", + "type": "eql", + "version": 1 + } + }, "rule_name": "Memory Swap Modification", - "sha256": "87f23ecd1afbe1e17093f0f1d038a49132d433f0e99f842a2c1ea2070422022a", + "sha256": "923afd5486608e70492a648b58298dd6b5e3a6e9dfea406822d0139d7e84a6f5", "type": "eql", - "version": 1 + "version": 101 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Microsoft 365 Teams Guest Access Enabled", @@ -5691,10 +6166,20 @@ "version": 207 }, "627374ab-7080-4e4d-8316-bef1122444af": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Private Key Searching Activity", + "sha256": "cfb8fb1ac5550969ade51696c2cce707ef17cb2ba835b59dde324128fe49a3da", + "type": "eql", + "version": 1 + } + }, "rule_name": "Private Key Searching Activity", - "sha256": "cfb8fb1ac5550969ade51696c2cce707ef17cb2ba835b59dde324128fe49a3da", + "sha256": "6a4cafcee7a10b376ff76157de5011d5f20df6e1ffda15016ffb5030b599d4d2", "type": "eql", - "version": 1 + "version": 101 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.14", 
@@ -5887,10 +6372,20 @@ "version": 116 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 102, + "rule_name": "Linux Process Hooking via GDB", + "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", + "type": "eql", + "version": 3 + } + }, "rule_name": "Linux Process Hooking via GDB", - "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", + "sha256": "233c3166926ca81a15eeadc2bbe25b0f37ced7d272398ae6ba062b5f21883786", "type": "eql", - "version": 3 + "version": 103 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", @@ -6180,10 +6675,20 @@ "version": 206 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Attempt to Disable Auditd Service", + "sha256": "18dfc5c1f6dcffb90d7eccf1b9512ec335538d410a838cd95c25f0ba6788fc7f", + "type": "eql", + "version": 1 + } + }, "rule_name": "Attempt to Disable Auditd Service", - "sha256": "18dfc5c1f6dcffb90d7eccf1b9512ec335538d410a838cd95c25f0ba6788fc7f", + "sha256": "825e810e08bb39ba58fd1dc50b36b28f4128e5448e6061670a62b7274acc3d4a", "type": "eql", - "version": 1 + "version": 101 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "EC2 AMI Shared with Another Account", 
@@ -6238,10 +6743,20 @@ "version": 417 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 106, + "rule_name": "Suspicious Utility Launched via ProxyChains", + "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", + "type": "eql", + "version": 7 + } + }, "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", + "sha256": "8bc0cdc7893a5a1bbedcaaed4829fcf58e1a1c074dba0e0572f917408f4012f5", "type": "eql", - "version": 7 + "version": 107 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", @@ -6310,6 +6825,12 @@ "type": "eql", "version": 204 }, + "6cf17149-a8e3-44ec-9ec9-fdc8535547a1": { + "rule_name": "Suspicious Outlook Child Process", + "sha256": "ccbb9744b4a8108d543d3dfed5c57e1c0ef457154ba3e50c9637f165f3345b7b", + "type": "eql", + "version": 1 + }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.14", "previous": { @@ -6333,10 +6854,20 @@ "version": 4 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 101, + "rule_name": "Root Certificate Installation", + "sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2", + "type": "eql", + "version": 2 + } + }, "rule_name": "Root Certificate Installation", - "sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2", + "sha256": "7b3d5c33a80f686358b9a2c1e87a460372c73e2745f919fb3ea2bd8bf4a3ddb5", "type": "eql", - "version": 2 + "version": 102 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.14", 
@@ -6437,10 +6968,20 @@ "version": 100 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 106, + "rule_name": "Potential Linux Tunneling and/or Port Forwarding", + "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", + "type": "eql", + "version": 7 + } + }, "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", + "sha256": "a44f454d7d3b4ac3bda2f2ddfe43c1eb63f445a52c8cc6c7bb56d32440122ae2", "type": "eql", - "version": 7 + "version": 107 }, "6f024bde-7085-489b-8250-5957efdf1caf": { "min_stack_version": "8.14", @@ -6773,10 +7314,20 @@ "version": 112 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 209, + "rule_name": "Creation of Hidden Shared Object File", + "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", + "type": "eql", + "version": 110 + } + }, "rule_name": "Creation of Hidden Shared Object File", - "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", + "sha256": "7d8aba7675bdfd4210d9d2d6fb545a6626a13ccccaee4a669650fb3a6381aaac", "type": "eql", - "version": 110 + "version": 210 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.14", 
@@ -6871,10 +7422,20 @@ "version": 8 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 101, + "rule_name": "Yum/DNF Plugin Status Discovery", + "sha256": "23a40162c5772a1d921549e7d5a4282e9d4641cc2e228e211d0b185242db9e4a", + "type": "eql", + "version": 2 + } + }, "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "23a40162c5772a1d921549e7d5a4282e9d4641cc2e228e211d0b185242db9e4a", + "sha256": "af6cc4cbc5fc5b1750d6673473cc5143ed51bc71ded94a44bef658cd72bc3c90", "type": "eql", - "version": 2 + "version": 102 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", @@ -6930,10 +7491,10 @@ "version": 7 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { - "rule_name": "File Compressed or Archived into Common Format", - "sha256": "3d99ad9a8ea1ddbc2a184754459191a84dc56f918bf759be9a52d7649106e44e", + "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", + "sha256": "b1d168024b3a453b93f1e31cf146ca7287afc7386c503ff86dfd88c47aee5845", "type": "eql", - "version": 5 + "version": 6 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", @@ -6942,10 +7503,20 @@ "version": 103 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "SSL Certificate Deletion", + "sha256": "89f19de3195f7c7c74cdc64eec4457b9424ec304f8316da04481f0bae74b06ac", + "type": "eql", + "version": 1 + } + }, "rule_name": "SSL Certificate Deletion", - "sha256": "89f19de3195f7c7c74cdc64eec4457b9424ec304f8316da04481f0bae74b06ac", + "sha256": "c081611ae197d81de6a8f032e4e35d9559ed5aa2edde95336b05822f6143e42f", "type": "eql", - "version": 1 + "version": 101 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", 
@@ -7045,10 +7616,20 @@ "version": 214 }, "7b981906-86b7-4544-8033-c30ec6eb45fc": { + "min_stack_version": "8.16", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "SELinux Configuration Creation or Renaming", + "sha256": "a858e1300af56137b5117d927e962a8daec649ea7ab5b36f42d2b8c21c72fb40", + "type": "eql", + "version": 1 + } + }, "rule_name": "SELinux Configuration Creation or Renaming", - "sha256": "a858e1300af56137b5117d927e962a8daec649ea7ab5b36f42d2b8c21c72fb40", + "sha256": "fb599d47e089dce25c3906b8a4fb854daf47b44c10decf2c631dea195e9ff4dc", "type": "eql", - "version": 1 + "version": 101 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.14", @@ -7085,10 +7666,20 @@ "version": 107 }, "7ce5e1c7-6a49-45e6-a101-0720d185667f": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 101, + "rule_name": "Git Hook Child Process", + "sha256": "78176482702f10120da2da5c9a3fe712cccd4145cf69ed8b5c4276ecdcd6c052", + "type": "eql", + "version": 2 + } + }, "rule_name": "Git Hook Child Process", - "sha256": "78176482702f10120da2da5c9a3fe712cccd4145cf69ed8b5c4276ecdcd6c052", + "sha256": "bdd3376f6872ff5b5e3f17abeea43a6619585b2c7100c4a5626889edbabbc1a5", "type": "eql", - "version": 2 + "version": 102 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", 
@@ -7109,10 +7700,20 @@ "version": 100 }, "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 102, + "rule_name": "SSH Key Generated via ssh-keygen", + "sha256": "02a3fbd847f6e988ae119d30af0b3b2c0c31611ed3b77372aa9eb99e8c5bb9cc", + "type": "eql", + "version": 3 + } + }, "rule_name": "SSH Key Generated via ssh-keygen", - "sha256": "02a3fbd847f6e988ae119d30af0b3b2c0c31611ed3b77372aa9eb99e8c5bb9cc", + "sha256": "34dce1cb53174696ef9ea5a28676eccf92ecb0de0dc7a010aeaecf9c02a2b2c2", "type": "eql", - "version": 3 + "version": 103 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", @@ -7144,10 +7745,20 @@ "version": 307 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Security File Access via Common Utilities", + "sha256": "35fc8b548fcc1523cdea4fa29865704d65b15be3c7601e2a1f778dae2d006575", + "type": "eql", + "version": 1 + } + }, "rule_name": "Security File Access via Common Utilities", - "sha256": "35fc8b548fcc1523cdea4fa29865704d65b15be3c7601e2a1f778dae2d006575", + "sha256": "977a2e7491fde0d4fa3a5f2c80a9e93d7c2e5e0aed313fa99a0ec8328bb8b405", "type": "eql", - "version": 1 + "version": 101 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.14", @@ -7208,9 +7819,9 @@ } }, "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "6e71b4ea552314b263198211bc6bc680d060453ac942fe0fe59499562f8ed834", + "sha256": "b0bfa7d73d6ccd6142283e63031f550eb9abbf5a4becfb93c6e5c1340752f2e1", "type": "query", - "version": 103 + "version": 104 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "SSM Session Started to EC2 Instance", 
@@ -7319,6 +7930,19 @@ "type": "eql", "version": 207 }, + "82f842c2-7c36-438c-b562-5afe54ab11f4": { + "rule_name": "Suspicious Path Invocation from Command Line", + "sha256": "ea85fe009c0baa447a0bfb2014f8b45d2f3ad35fb65a92097ef9e74c24bc5c78", + "type": "new_terms", + "version": 1 + }, + "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": { + "min_stack_version": "8.13", + "rule_name": "Manual Dracut Execution", + "sha256": "293ca3a55dbbb8dfb51898fd8a165e50c1da1faf40482950e3af6498314478f7", + "type": "eql", + "version": 1 + }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", "sha256": "135901066ac707836fa9dc5d72517b43f80c3f43f8afdbcd0793ccd7e271f79b", @@ -7361,10 +7985,20 @@ "version": 202 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 108, + "rule_name": "Attempt to Disable IPTables or Firewall", + "sha256": "24507f9fc5eac786e69d16e7a9759e5502f06ae39ca2b0c3baee080c29aed691", + "type": "eql", + "version": 9 + } + }, "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "24507f9fc5eac786e69d16e7a9759e5502f06ae39ca2b0c3baee080c29aed691", + "sha256": "883808e835acb845d8ff5cbd80647149a7076f8dea14f01e0b45b5927f744cc2", "type": "eql", - "version": 9 + "version": 109 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", 
@@ -7395,10 +8029,20 @@ "version": 2 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 102, + "rule_name": "Potential Upgrade of Non-interactive Shell", + "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", + "type": "eql", + "version": 3 + } + }, "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", + "sha256": "5164b099f1ea1a21b7b6e07b5f4d72e0e2d15a8ec2d03744d57b3590e96b6d0c", "type": "eql", - "version": 3 + "version": 103 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.14", @@ -7446,6 +8090,13 @@ "type": "query", "version": 206 }, + "86aa8579-1526-4dff-97cd-3635eb0e0545": { + "min_stack_version": "8.13", + "rule_name": "NetworkManager Dispatcher Script Creation", + "sha256": "cb638e8f75b4b1f3fec56d06aa0146d0f3870081db365cff4e0d2244b03f423a", + "type": "eql", + "version": 1 + }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "rule_name": "Potential Linux Reverse Connection through Port Knocking", "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc", @@ -7476,9 +8127,9 @@ }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", - "sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68", + "sha256": "3d33ca4d8cc8f50f00c2a6b7388013c9b1484a65207ad7bdc9dd221460387ad9", "type": "query", - "version": 1 + "version": 2 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", 
@@ -7689,10 +8340,20 @@ "version": 209 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 103, + "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", + "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", + "type": "eql", + "version": 4 + } + }, "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", + "sha256": "9a0a3365ed112536df8300b00672c2dd8ef6fac49e7deadb783f732a60a102ee", "type": "eql", - "version": 4 + "version": 104 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.14", @@ -7812,10 +8473,20 @@ "version": 2 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 207, + "rule_name": "Potential Privilege Escalation via PKEXEC", + "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", + "type": "eql", + "version": 108 + } + }, "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", + "sha256": "925c7e7ba202c46a58ef9ddf0845eb693f850d8f085c9c701af731a73d7dca0b", "type": "eql", - "version": 108 + "version": 208 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", 
@@ -7919,10 +8590,20 @@ "version": 100 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 207, + "rule_name": "Hping Process Activity", + "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", + "type": "eql", + "version": 108 + } + }, "rule_name": "Hping Process Activity", - "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", + "sha256": "ecea8fb1997a8b5e997b809e522afb4a39b60365f534b0cc14be6897d0df2907", "type": "eql", - "version": 108 + "version": 208 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS Deletion of RDS Instance or Cluster", @@ -7931,10 +8612,20 @@ "version": 206 }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Simple HTTP Web Server Creation", + "sha256": "616c2c8d1ae0e869534ba6f3f7f497bdd72792f46de42e6c51d6bebcf3eebd99", + "type": "eql", + "version": 1 + } + }, "rule_name": "Simple HTTP Web Server Creation", - "sha256": "616c2c8d1ae0e869534ba6f3f7f497bdd72792f46de42e6c51d6bebcf3eebd99", + "sha256": "a8ecdc54a3793f8b6800533929726fab9b3f467cd74293c788c45f4706fcf60a", "type": "eql", - "version": 1 + "version": 101 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", @@ -7942,6 +8633,12 @@ "type": "eql", "version": 108 }, + "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { + "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", + "sha256": "8a707b2cfb834a2d23665ef675dd27767b712018c0644349a3554c04840138e3", + "type": "threshold", + "version": 1 + }, "90babaa8-5216-4568-992d-d4a01a105d98": { "min_stack_version": "8.14", "previous": { 
@@ -7964,6 +8661,12 @@ "type": "query", "version": 100 }, + "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { + "rule_name": "Linux System Information Discovery via Getconf", + "sha256": "68e536f0bf403b67ca5e6c131af272ded466e96597d6d4394eb00ccc60c05692", + "type": "eql", + "version": 1 + }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", @@ -8128,10 +8831,20 @@ "version": 204 }, "94418745-529f-4259-8d25-a713a6feb6ae": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 103, + "rule_name": "Executable Bit Set for Potential Persistence Script", + "sha256": "74aed1e2b14f06f985dcdda41a9373194206e0d5b6136dc5af2c15f72a430fc0", + "type": "eql", + "version": 4 + } + }, "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "74aed1e2b14f06f985dcdda41a9373194206e0d5b6136dc5af2c15f72a430fc0", + "sha256": "bc41244d94cc85db15513c451863fe2ca0b0a9340c5b8686813eee0609b3917e", "type": "eql", - "version": 4 + "version": 104 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Creation of Kernel Module", @@ -8207,6 +8920,13 @@ "type": "query", "version": 104 }, + "952c92af-d67f-4f01-8a9c-725efefa7e07": { + "min_stack_version": "8.13", + "rule_name": "D-Bus Service Created", + "sha256": "f153afa77c393c47714f3400013c4ee67412920ecc93b851d389d74b5f049040", + "type": "eql", + "version": 1 + }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.14", "previous": { 
@@ -8275,10 +8995,20 @@ "version": 2 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 211, + "rule_name": "File made Immutable by Chattr", + "sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c", + "type": "eql", + "version": 112 + } + }, "rule_name": "File made Immutable by Chattr", - "sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c", + "sha256": "86e3735f45437f53bd1261a8da6628e3dfcb6825b335f3447c39923c2c38690a", "type": "eql", - "version": 112 + "version": 212 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.15", @@ -8331,6 +9061,13 @@ "type": "eql", "version": 108 }, + "9705b458-689a-4ec6-afe8-b4648d090612": { + "min_stack_version": "8.13", + "rule_name": "Unusual D-Bus Daemon Child Process", + "sha256": "fbbfbd97ebae57de46748c99eeddc873d89daf60f1b8c8f95b9c1a99420d1285", + "type": "eql", + "version": 1 + }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", @@ -8438,10 +9175,20 @@ "version": 2 }, "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 101, + "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", + "sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7", + "type": "eql", + "version": 2 + } + }, "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7", + "sha256": "bf30f1636a07e74463574f49efab7d6e8b0cb58dfdcbc00486a72ea8388c3439", "type": "eql", - "version": 2 + "version": 102 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { "min_stack_version": "8.14", 
@@ -8522,16 +9269,36 @@ "version": 310 }, "999565a2-fc52-4d72-91e4-ba6712c0377e": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 101, + "rule_name": "Access Control List Modification via setfacl", + "sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f", + "type": "eql", + "version": 2 + } + }, "rule_name": "Access Control List Modification via setfacl", - "sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f", + "sha256": "5fabd6c9b8a348ecdbb6ccf61bd29115e1088e89d594036cb436531de8418315", "type": "eql", - "version": 2 + "version": 102 }, "99c2b626-de44-4322-b1f9-157ca408c17e": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Web Server Spawned via Python", + "sha256": "34fe21a4d673170b9d5de7326cc8f18a359a13a6b97d49085d89e96cf0f9952a", + "type": "eql", + "version": 1 + } + }, "rule_name": "Web Server Spawned via Python", - "sha256": "34fe21a4d673170b9d5de7326cc8f18a359a13a6b97d49085d89e96cf0f9952a", + "sha256": "20fb46e1ca6890605aa87f9c08a2190c217b23b3759cc7eca032edf59af64ec3", "type": "eql", - "version": 1 + "version": 101 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "rule_name": "Spike in Failed Logon Events", @@ -8857,10 +9624,20 @@ "version": 2 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 209, + "rule_name": "Potential Protocol Tunneling via EarthWorm", + "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", + "type": "eql", + "version": 110 + } + }, "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", + "sha256": "ba184af85327ab0b30d44303e6f197aa3633bf956b71268bfb4c1cdb7ff0e0a0", "type": "eql", - "version": 110 + "version": 210 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.14", 
@@ -8935,10 +9712,20 @@ "version": 207 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 208, + "rule_name": "File Deletion via Shred", + "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", + "type": "eql", + "version": 109 + } + }, "rule_name": "File Deletion via Shred", - "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", + "sha256": "3d589003c93cc87bb316a3627d284b1a283da55956d2cc4761debccb078a0b8c", "type": "eql", - "version": 109 + "version": 209 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.14", @@ -9296,10 +10083,20 @@ "version": 104 }, "aa895aea-b69c-4411-b110-8d7599634b30": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 211, + "rule_name": "System Log File Deletion", + "sha256": "caebd910311dc1b958558375bcae2a9bd22b4ef344988046c43684e838d9d350", + "type": "eql", + "version": 112 + } + }, "rule_name": "System Log File Deletion", - "sha256": "caebd910311dc1b958558375bcae2a9bd22b4ef344988046c43684e838d9d350", + "sha256": "ada984096f2d14c711d004bdf03cf6f511a543fe021a46c40c89c501a6a2b6ed", "type": "eql", - "version": 112 + "version": 212 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.14", @@ -9329,6 +10126,13 @@ "type": "threat_match", "version": 8 }, + "aabdad51-51fb-4a66-9d82-3873e42accb8": { + "min_stack_version": "8.13", + "rule_name": "GRUB Configuration Generation through Built-in Utilities", + "sha256": "78ab7ba6d046b4901b164ee6e3fd63c4c9c277b9bd16337514274902f4322388", + "type": "eql", + "version": 1 + }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", "sha256": "d83d4d35e0bb8980567f6aed233e06d8bcb4824a6e438a8f8606f7318ce7f204", 
@@ -9388,10 +10192,20 @@ "version": 415 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 102, + "rule_name": "Git Hook Created or Modified", + "sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64", + "type": "eql", + "version": 3 + } + }, "rule_name": "Git Hook Created or Modified", - "sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64", + "sha256": "f2f13e4195a1e04b1288a31c748ca8bad1eb7112fc9e77a2a5547b948f54a5d4", "type": "eql", - "version": 3 + "version": 103 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "min_stack_version": "8.14", @@ -9537,10 +10351,20 @@ "version": 206 }, "ad5a3757-c872-4719-8c72-12d3f08db655": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 101, + "rule_name": "Openssl Client or Server Activity", + "sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce", + "type": "eql", + "version": 2 + } + }, "rule_name": "Openssl Client or Server Activity", - "sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce", + "sha256": "7f976d99bb3f172f171e5652c8cad18cbd56030f72633c4a5455b0c8f420a2f0", "type": "eql", - "version": 2 + "version": 102 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.14", 
@@ -9565,28 +10389,58 @@ "version": 106 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 103, + "rule_name": "Suspicious APT Package Manager Execution", + "sha256": "4cbd3476d128aad590e86079b7e07f0db490326f4339fd74b5c8b596bee4bc0a", + "type": "eql", + "version": 4 + } + }, "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "4cbd3476d128aad590e86079b7e07f0db490326f4339fd74b5c8b596bee4bc0a", + "sha256": "a44fc3ff83a0e6aaabac522e599b8f92b95cce50059049fab47a1a16e41c5995", "type": "eql", - "version": 4 + "version": 104 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 209, + "rule_name": "File Transfer or Listener Established via Netcat", + "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", + "type": "eql", + "version": 110 + } + }, "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", + "sha256": "fb1931f01dca4a44f26a9e4a4226b6ed2eb886d1ca2435600262bbdac2d279b0", "type": "eql", - "version": 110 + "version": 210 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", - "sha256": "e8cf6343472cdfd3a91baaa7aed30214af872b0b163555edc8908ffd5d89a675", + "sha256": "1e6f2fd1e6f9b02629b2f190c0872668bcaaa1d2b3b8011b1798f1e6ebda905d", "type": "eql", - "version": 5 + "version": 6 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 104, + "rule_name": "Suspicious File Creation via Kworker", + "sha256": "a932bb2a7c777540aee96e3bd9ed937cff8e801ad0e9351bd907f5111f8a94c6", + "type": "eql", + "version": 5 + } + }, "rule_name": "Suspicious File Creation via Kworker", - "sha256": "a932bb2a7c777540aee96e3bd9ed937cff8e801ad0e9351bd907f5111f8a94c6", + "sha256": 
"02ab7ea5b4914325e4e7cf18374acd1f9a35821031152a35fa098ed270466f3e", "type": "eql", - "version": 5 + "version": 105 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.14", @@ -9693,10 +10547,20 @@ "version": 202 }, "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Hidden Directory Creation via Unusual Parent", + "sha256": "9775897dddd3d5ea2fa72deb33baef8f2737925ad1d5be0ea764df8986e49111", + "type": "eql", + "version": 1 + } + }, "rule_name": "Hidden Directory Creation via Unusual Parent", - "sha256": "9775897dddd3d5ea2fa72deb33baef8f2737925ad1d5be0ea764df8986e49111", + "sha256": "801f1305ee382a5aa0d97a9fe784df8f025d7b4a31f0a0560ab3165dc7731fc9", "type": "eql", - "version": 1 + "version": 101 }, "b1773d05-f349-45fb-9850-287b8f92f02d": { "min_stack_version": "8.13", @@ -10165,10 +11029,20 @@ "version": 309 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 212, + "rule_name": "Chkconfig Service Add", + "sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985", + "type": "eql", + "version": 113 + } + }, "rule_name": "Chkconfig Service Add", - "sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985", + "sha256": "79b56443468b45ce575c9a254a235d16a81c2aa037b5f0b8468ab2ba1ee11c68", "type": "eql", - "version": 113 + "version": 213 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", 
@@ -10228,10 +11102,20 @@ "version": 311 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "File Creation by Cups or Foomatic-rip Child", + "sha256": "7c771e2cb6b8fc6e241c50beebc9871ffb34e29e2758e25d9042b45a8104f2b4", + "type": "eql", + "version": 1 + } + }, "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": "7c771e2cb6b8fc6e241c50beebc9871ffb34e29e2758e25d9042b45a8104f2b4", + "sha256": "7290db76baf9144af96253a9ce550a595a2a9f73702c03d611771e991ad38f20", "type": "eql", - "version": 1 + "version": 101 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.14", @@ -10277,6 +11161,12 @@ "type": "eql", "version": 209 }, + "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { + "rule_name": "AWS SQS Queue Purge", + "sha256": "8173c3edd7611e8e6ac7f67f431510c5f5f03b166aebaf51c63f23002e51efab", + "type": "query", + "version": 1 + }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deletion", "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", @@ -10296,10 +11186,10 @@ "version": 206 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { - "rule_name": "Potential SYN-Based Network Scan Detected", - "sha256": "682e1b59f8cf01d5dd254c5cab6e075ed621000c6059b31845117c2d16a2ba69", + "rule_name": "Potential SYN-Based Port Scan Detected", + "sha256": "0586e7ec163e6ee3f44ce1f67ad461e83904af39fd44217e236e606f06b3631b", "type": "threshold", - "version": 7 + "version": 8 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", 
@@ -10389,9 +11279,9 @@ } }, "rule_name": "Potential Defense Evasion via CMSTP.exe", - "sha256": "1b379c5cbede7bf2589191a432c64ff0cec22ff6311e672094cd7adfdb312095", + "sha256": "f2c6e76e5fa6fe5da59e415f4cc032e5aaf06f2c593e87a084a824ba80b62548", "type": "eql", - "version": 105 + "version": 106 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.14", @@ -10586,9 +11476,9 @@ } }, "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", - "sha256": "e35fdfd50d3dc2bb04494da7e86463de8df7262df4dc0e66fda0ce85c0784cb4", + "sha256": "c69692ff49a09d554d7fc41a0fd751809ead60f0421d0cbc79902c7dd1b8350e", "type": "query", - "version": 103 + "version": 104 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { "rule_name": "Suspicious Renaming of ESXI index.html File", @@ -10602,6 +11492,12 @@ "type": "query", "version": 206 }, + "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { + "rule_name": "Unusual AWS S3 Object Encryption with SSE-C", + "sha256": "09eddb777e0307dc89b213216a823e5738d30d3f32b0e08e3e15669b35ade078", + "type": "new_terms", + "version": 1 + }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { "rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance", "sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc", @@ -10782,9 +11678,9 @@ } }, "rule_name": "Attempted Private Key Access", - "sha256": "a4672a225e05abdfbd91924298f689eb56da9ff55c0db55ca1f87d7ca8bdd3d9", + "sha256": "67111e4bc078ef2f52e3170b75a2068f4df825c1c368432e246b5473474ab975", "type": "eql", - "version": 106 + "version": 107 }, "c5677997-f75b-4cda-b830-a75920514096": { "min_stack_version": "8.14", 
@@ -10899,6 +11795,13 @@ "type": "query", "version": 102 }, + "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { + "min_stack_version": "8.13", + "rule_name": "Initramfs Unpacking via unmkinitramfs", + "sha256": "4c57f2ddcfdb1ebc7a9fa5222aca8bbf15a1b5cd862dc64ee9bf4719eee56581", + "type": "eql", + "version": 1 + }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.14", "previous": { @@ -11131,6 +12034,13 @@ "type": "query", "version": 103 }, + "ca3bcacc-9285-4452-a742-5dae77538f61": { + "min_stack_version": "8.13", + "rule_name": "Polkit Version Discovery", + "sha256": "f71269394fd431ce68136702833ee5771eb6e4bb037e00776ecc9c7e4e4e6a28", + "type": "eql", + "version": 1 + }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", @@ -11292,10 +12202,20 @@ "version": 104 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 209, + "rule_name": "Kernel Module Removal", + "sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7", + "type": "eql", + "version": 110 + } + }, "rule_name": "Kernel Module Removal", - "sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7", + "sha256": "184bbc37170d0bde143713a342eae3b1a1a6b6b01d294dbb267b6043fed984d7", "type": "eql", - "version": 110 + "version": 210 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", @@ -11387,6 +12307,13 @@ "type": "new_terms", "version": 204 }, + "ce4a32e5-32aa-47e6-80da-ced6d234387d": { + "min_stack_version": "8.13", + "rule_name": "GRUB Configuration File Creation", + "sha256": "64ec1097b715394beab2e75a36a9208a2ea026844e9af45605c73a09a0de896f", + "type": "eql", + "version": 1 + }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.14", "previous": { 
@@ -11464,10 +12391,20 @@ "version": 2 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 108, + "rule_name": "Namespace Manipulation Using Unshare", + "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", + "type": "eql", + "version": 9 + } + }, "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", + "sha256": "239b829877d333ed75985a7eab0c2a2871778d3d0e8c4fea043f8a5f4157955e", "type": "eql", - "version": 9 + "version": 109 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "rule_name": "AWS Credentials Searched For Inside A Container", @@ -11683,16 +12620,26 @@ "version": 104 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 105, + "rule_name": "Linux init (PID 1) Secret Dump via GDB", + "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", + "type": "eql", + "version": 6 + } + }, "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", + "sha256": "a75a1c1f4f8d7379bddad6e879bb080e101d602e3a08c9e102a3af15d389b70e", "type": "eql", - "version": 6 + "version": 106 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924", + "sha256": "aa8a522f28deb9884ad3020ca10c320a35f2efecbaa26d0aae94519585b590cf", "type": "eql", - "version": 5 + "version": 6 }, "d55abdfb-5384-402b-add4-6c401501b0c3": { "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", 
@@ -11798,9 +12745,9 @@ } }, "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "a509788cd40ec1f0f0af9c860a4dbb6f77a05421428008e91c1619cf410ee20e", + "sha256": "2a52d9f39f0bdb9a5b2e617864be31ade499082777e54548585639125a49dc8e", "type": "eql", - "version": 114 + "version": 115 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", @@ -11854,10 +12801,20 @@ "version": 206 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 102, + "rule_name": "Suspicious Memory grep Activity", + "sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a", + "type": "eql", + "version": 3 + } + }, "rule_name": "Suspicious Memory grep Activity", - "sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a", + "sha256": "f153c6dee45aea70187e026f52bda5867a4d86ac55deeab921bd0b98f1386ea1", "type": "eql", - "version": 3 + "version": 103 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", 
@@ -11866,16 +12823,26 @@ "version": 206 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 209, + "rule_name": "Interactive Terminal Spawned via Python", + "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", + "type": "eql", + "version": 110 + } + }, "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", + "sha256": "e74a4d15744de9d351b31df43db4c14a3c027cb74eba3f0342dabc2b9d4ae03a", "type": "eql", - "version": 110 + "version": 210 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Permissions Modification", - "sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f", + "sha256": "346cc434526ad0dc7188a5077b3493b8499b644cfa218fe758d584d9f9e9074a", "type": "query", - "version": 103 + "version": 104 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "rule_name": "Spike in Logon Events", 
@@ -12096,16 +13063,36 @@ "version": 103 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 104, + "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", + "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", + "type": "eql", + "version": 5 + } + }, "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", + "sha256": "bad0d95c6a8551468b0c035ca98e1d1f47ec295b1d544833a75c04ae31f18d44", "type": "eql", - "version": 5 + "version": 105 }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 101, + "rule_name": "Git Hook Command Execution", + "sha256": "343b1b3846b8995220cd5a2462610b56200a929f418593766ed4d6be59d611c6", + "type": "eql", + "version": 2 + } + }, "rule_name": "Git Hook Command Execution", - "sha256": "343b1b3846b8995220cd5a2462610b56200a929f418593766ed4d6be59d611c6", + "sha256": "3bac5605f2f7f71fbee8e939fdc4662424cab31681bb8fc5e2dd50983610fdf6", "type": "eql", - "version": 2 + "version": 102 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -12114,10 +13101,27 @@ "version": 100 }, "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 108, + "rule_name": "Potential Hidden Process via Mount Hidepid", + "sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c", + "type": "eql", + "version": 9 + } + }, "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c", + "sha256": "4ec4efd8bc14d050cda2446ffa046c47cab81bedbea602f51c64f53582b57fa0", "type": "eql", - "version": 9 + "version": 109 + }, + "dc765fb2-0c99-4e57-8c11-dafdf1992b66": { + "min_stack_version": "8.13", + "rule_name": "Dracut Module Creation", + "sha256": "51f31e2decacb917b2045e791f5b03e17de861b13042f271441c3df1a71461dc", + "type": "eql", + "version": 1 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.14", @@ -12260,10 +13264,20 @@ "version": 312 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 209, + "rule_name": "Base16 or Base32 Encoding/Decoding Activity", + "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", + "type": "eql", + "version": 110 + } + }, "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", + "sha256": "46f4ce8dd188feabf7a2bb0fb7aca87218ea33ea2fbd8f82ed35ca46faf70489", "type": "eql", - "version": 110 + "version": 210 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", 
@@ -12300,10 +13314,20 @@ "version": 102 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 208, + "rule_name": "Dynamic Linker Copy", + "sha256": "c492826e8eb6d6b4fbae1dfc5820adbdcbc847d6f88fbf1e57c06d347b0d6c4f", + "type": "eql", + "version": 109 + } + }, "rule_name": "Dynamic Linker Copy", - "sha256": "c492826e8eb6d6b4fbae1dfc5820adbdcbc847d6f88fbf1e57c06d347b0d6c4f", + "sha256": "15a7a2d4be9e298988ff4d281539bbae818f22ccc5f95a1423e09fdb21f76bd2", "type": "eql", - "version": 109 + "version": 209 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", @@ -12415,10 +13439,20 @@ "version": 412 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 104, + "rule_name": "Potentially Suspicious Process Started via tmux or screen", + "sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119", + "type": "eql", + "version": 5 + } + }, "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119", + "sha256": "a94c98d17b9a4ba79fbd2db8a440aabe9f52a55a651464571a9bf18937b49a4e", "type": "eql", - "version": 5 + "version": 105 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "rule_name": "Whitespace Padding in Process Command Line", 
@@ -12445,10 +13479,20 @@ "version": 206 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 206, + "rule_name": "Connection to External Network via Telnet", + "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", + "type": "eql", + "version": 107 + } + }, "rule_name": "Connection to External Network via Telnet", - "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", + "sha256": "eb720eb1df39451162379dd73ebb8021f2d6d061f11536dd6890358652908bc0", "type": "eql", - "version": 107 + "version": 207 }, "e1db8899-97c1-4851-8993-3a3265353601": { "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", @@ -12457,10 +13501,20 @@ "version": 4 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 105, + "rule_name": "Suspicious Mining Process Creation Event", + "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", + "type": "eql", + "version": 6 + } + }, "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", + "sha256": "a9d9a985224bb2c25aae53626c351423299271473fb94800bbec865b77549cad", "type": "eql", - "version": 6 + "version": 106 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "rule_name": "Spike in Successful Logon Events from a Source IP", 
@@ -12554,10 +13608,20 @@ "version": 104 }, "e302e6c3-448c-4243-8d9b-d41da70db582": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Potential Data Splitting Detected", + "sha256": "e9c73adb2c1f6cce1863d61a9079baab27593eb754bed9dfb7462a2a0e757dfa", + "type": "eql", + "version": 1 + } + }, "rule_name": "Potential Data Splitting Detected", - "sha256": "e9c73adb2c1f6cce1863d61a9079baab27593eb754bed9dfb7462a2a0e757dfa", + "sha256": "c08a0ecf0d3956e8250d8f80883239a461489dd8a2b1a3f25bf3ddee0e528d5f", "type": "eql", - "version": 1 + "version": 101 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "min_stack_version": "8.14", @@ -12611,10 +13675,20 @@ "version": 207 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 213, + "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa", + "type": "eql", + "version": 114 + } + }, "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa", + "sha256": "8af95982bc5bf6ac79c1640581bac78450e3467512b7640c60b0ecf139a19a45", "type": "eql", - "version": 114 + "version": 214 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "min_stack_version": "8.14", @@ -12748,9 +13822,9 @@ }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "rule_name": "Potential Credential Access via Memory Dump File Creation", - "sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62", + "sha256": "27987be0e2d175b6af6648f0f13ae6c921ecc1ef5198b7ec704a9e12b91cb3cf", "type": "eql", - "version": 3 + "version": 4 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.14", 
@@ -12827,10 +13901,20 @@ "version": 201 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 107, + "rule_name": "Potential Linux Credential Dumping via Unshadow", + "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", + "type": "eql", + "version": 8 + } + }, "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", + "sha256": "33f6b8d02db10f4facbc48d16e77be33e52f39438aef54bf79c28fac85947e83", "type": "eql", - "version": 8 + "version": 108 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS Route Table Modified or Deleted", @@ -13085,10 +14169,20 @@ "version": 1 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 209, + "rule_name": "Potential Disabling of SELinux", + "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", + "type": "eql", + "version": 110 + } + }, "rule_name": "Potential Disabling of SELinux", - "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", + "sha256": "7c9c059e8f30a4e218760af3d2ca27b7b63469eee383e2e939b224fa3db2c470", "type": "eql", - "version": 110 + "version": 210 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.14", 
@@ -13328,16 +14422,36 @@ "version": 107 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 207, + "rule_name": "BPF filter applied using TC", + "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", + "type": "eql", + "version": 108 + } + }, "rule_name": "BPF filter applied using TC", - "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", + "sha256": "6084cde353a59189dfa571e84e654b91e3ede46be8519e25dbf59b69aab4724d", "type": "eql", - "version": 108 + "version": 208 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 106, + "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", + "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", + "type": "eql", + "version": 7 + } + }, "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", + "sha256": "207a4a55c909e48b5ef7acf11d3790c83f34a5e398cc4094eeb9346d2dd39c97", "type": "eql", - "version": 7 + "version": 107 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "rule_name": "Potential Container Escape via Modified notify_on_release File", 
@@ -13431,16 +14545,36 @@ "version": 106 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 106, + "rule_name": "Potential Remote Code Execution via Web Server", + "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", + "type": "eql", + "version": 7 + } + }, "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", + "sha256": "8067c8aa2719fd9d74fa030a8d363993b52cd2f7157cfd90c33082869504b004", "type": "eql", - "version": 7 + "version": 107 }, "f18a474c-3632-427f-bcf5-363c994309ee": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "Process Capability Set via setcap Utility", + "sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2", + "type": "eql", + "version": 1 + } + }, "rule_name": "Process Capability Set via setcap Utility", - "sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2", + "sha256": "d5f6b2267222943dbe00ff7f33af89e030ceabde1cadb4e0ee50680d0305a6b2", "type": "eql", - "version": 1 + "version": 101 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", 
@@ -13477,10 +14611,20 @@ "version": 108 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 209, + "rule_name": "Potential OpenSSH Backdoor Logging Activity", + "sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2", + "type": "eql", + "version": 110 + } + }, "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2", + "sha256": "809020a2abcd5cbc4905175fa9c340ce4d03a5badb092749e5582d500fe84741", "type": "eql", - "version": 110 + "version": 210 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", @@ -13652,6 +14796,13 @@ "type": "query", "version": 213 }, + "f4b857b3-faef-430d-b420-90be48647f00": { + "min_stack_version": "8.13", + "rule_name": "OpenSSL Password Hash Generation", + "sha256": "effca7dd9c856bc18468aeecb9135470738b7c71ceceb60943c78cbeeb3f8f8c", + "type": "eql", + "version": 1 + }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", @@ -13762,10 +14913,20 @@ "version": 107 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 105, + "rule_name": "Setcap setuid/setgid Capability Set", + "sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd", + "type": "eql", + "version": 6 + } + }, "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd", + "sha256": "01204cf3f85db104581872555673b018a1419abdbcce249e52f10ae764026cf8", "type": "eql", - "version": 6 + "version": 106 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "8.14", 
@@ -13949,9 +15110,9 @@ }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", - "sha256": "6507c4745da0b0264ac93849eb4783ca11447050920d70c87be1c446f2206d74", + "sha256": "187045fe170ec5d73a01ae484c2beb785ba6d685cf6973c52d6dd63393600eaa", "type": "eql", - "version": 2 + "version": 3 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.14", @@ -14164,10 +15325,20 @@ "version": 314 }, "fac52c69-2646-4e79-89c0-fd7653461010": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 106, + "rule_name": "Potential Disabling of AppArmor", + "sha256": "e045c3b1003a5042d8b759b06796c80d5f32b4a56185301e5de5bcc2f1d4544e", + "type": "eql", + "version": 7 + } + }, "rule_name": "Potential Disabling of AppArmor", - "sha256": "e045c3b1003a5042d8b759b06796c80d5f32b4a56185301e5de5bcc2f1d4544e", + "sha256": "01508640f0055cb89a305cbdf1ef43cd6f104545bfdc21eea76eaaf2e7e7909d", "type": "eql", - "version": 7 + "version": 107 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL", @@ -14219,6 +15390,12 @@ "type": "query", "version": 206 }, + "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": { + "rule_name": "Process Started with Executable Stack", + "sha256": "817c1bcd002aee4e4e20b0ec867435b39e734957b1032925a405161c91e1ff2d", + "type": "query", + "version": 1 + }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "min_stack_version": "8.14", "previous": { @@ -14463,6 +15640,12 @@ "type": "eql", "version": 308 }, + "fef62ecf-0260-4b71-848b-a8624b304828": { + "rule_name": "Potential Process Name Stomping with Prctl", + "sha256": "6d66bac41360553f30a7ec77711cac7525469a4649853c093e54807182e05880", + "type": "eql", + "version": 1 + }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "719015ef6c70c2739f12adb7f4e21683f10083d6e8cee6deabba37fcb821f02b", 
diff --git a/pyproject.toml b/pyproject.toml index e13d047b79a..445d493f7a8 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "0.4.1" +version = "0.4.2" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12"