diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 4fa6fc29482..c9a4ab333d3 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -70,9 +70,9 @@ }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", - "sha256": "110f1d5ec2ca1f18a3743314973ced9654ea4260ae861e092afd16c9f929ecd4", + "sha256": "9e9b47bac87abaaf02aeaf05eedd8f1a653fc1029c4f02a0045c900af6fa03a6", "type": "eql", - "version": 2 + "version": 3 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", @@ -94,16 +94,16 @@ }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { "rule_name": "Potential Network Scan Detected", - "sha256": "c1b9eadbd36d57badf096a96ee583481a92a6e1de6d1e40b428fb368591eff60", + "sha256": "34e2dab204ed0dfc0784ed2fa9de784ec3368627b54a2052bb170264f47c7b05", "type": "threshold", - "version": 8 + "version": 9 }, "017de1e4-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Memory Threat - Detected - Elastic Defend", - "sha256": "a6477740d6012e55a9333f32ef516a7b656ca22dba1362371129cc6f75da54ab", + "sha256": "8c608745f949a23f1981034b99641bc9f149c2fab5f595f6c8df610e22a011ad", "type": "query", - "version": 2 + "version": 3 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { "min_stack_version": "8.13", @@ -227,9 +227,9 @@ } }, "rule_name": "Suspicious Dynamic Linker Discovery via od", - "sha256": "7be24103e80b488ec59b95552a069f1c357d42f5fec529c19402f290b74e282c", + "sha256": "bd5bbad719e965a90859b0a4bdedba465855590236e80fa2f05be1b1943c969e", "type": "eql", - "version": 103 + "version": 104 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { "rule_name": "SSH Process Launched From Inside A Container", 
@@ -465,9 +465,9 @@ "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Memory Threat - Prevented- Elastic Defend", - "sha256": "96b6afa2ed123a001168eaaafe269a572393ee32c8248cd27a29182040b5dbcc", + "sha256": "40d0e6bf90bb885b5bedb92204b324ea0899096734b6a33c10fcbf76f6ae8266", "type": "query", - "version": 2 + "version": 3 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.14", @@ -545,15 +545,15 @@ }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", - "sha256": "a43d168f61e8163581d0687f0304f03e2ddae74d1116c478f933178625133b7d", + "sha256": "ae0e822932b3d3a4abbd15f6ff61bd9086207d22ea05cfc9cc59eeca918294b9", "type": "eql", - "version": 108 + "version": 109 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "c267399fea2ab4ee01b5424d01dc5ca68f6fbcb529f4f0c022cde54d6f87b25e", + "sha256": "2b0a0ede15789e0b7a7554ac68cafe6384e235975fcfec67debe968db0c4c318", "type": "eql", - "version": 107 + "version": 108 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", @@ -598,9 +598,9 @@ }, "092b068f-84ac-485d-8a55-7dd9e006715f": { "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "df3311bb176bf73432fcbf38549d153c5d42b0a2dc86764c6daa86fc9db5903f", + "sha256": "0e3d828631e0a83196eea6787fc18de515f9e27764d93909572b5cc61b7ddc61", "type": "eql", - "version": 108 + "version": 109 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "rule_name": "Process Termination followed by Deletion", 
@@ -632,9 +632,9 @@ }, "09bc6c90-7501-494d-b015-5d988dc3f233": { "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "c8115f0fe38df7a874ae8c9073dfe093a940fc49c4e0f9ae6c7e317213b43120", + "sha256": "7040132674395ed77ee5b703d59cfbefe989b32ac76e3f85c8f03862f368df3e", "type": "eql", - "version": 6 + "version": 7 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", @@ -732,9 +732,9 @@ } }, "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "9e2c7511c3657f8026a9d0e6444662c80eb57012a8d38efa6e23d9c3814ef567", + "sha256": "7fc4e84759a2af54a9511e0a595038dfb7f5e4cded7427859e3081ac8d7ff641", "type": "eql", - "version": 107 + "version": 108 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "min_stack_version": "8.14", @@ -783,9 +783,9 @@ "0c74cd7e-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Ransomware - Detected - Elastic Defend", - "sha256": "bdb55dbd118fb03d8e90db6727cb7c17fdf199dc7aab3fad8d6a9c783bd05f4e", + "sha256": "8c9fd34f4f30b211e680a28ab5e00352770c9972db08cf8a11fd6809a97edbf9", "type": "query", - "version": 2 + "version": 3 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.14", @@ -847,9 +847,9 @@ } }, "rule_name": "Nping Process Activity", - "sha256": "9e4865a109815afb06442ed8b43a911844889487f3b85f1621ef70b5400b71c7", + "sha256": "1ecfdf114395bc4eb70a3fb066620a04c60f99884612e0f29066015950dbd8dc", "type": "eql", - "version": 209 + "version": 210 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", 
@@ -917,9 +917,9 @@ }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", - "sha256": "a58f936fd70ead1323075c2db07bdc08ae6fcf158dc76d3e3f8ee000206c8907", + "sha256": "9d1acfe268c50abdd645663c36152672c58badfb78f109529fc5cf7392c38aca", "type": "eql", - "version": 115 + "version": 116 }, "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": { "min_stack_version": "8.13", @@ -949,16 +949,16 @@ } }, "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "43a81f7c9afb83eccece14a9be3e1ea2f6a731c8417ac2503e6ccae6a6db44af", + "sha256": "4b9e8dd7f874cd95eb91b79ea9ff20499a9372b785b00b28508b0ce941af417e", "type": "eql", - "version": 104 + "version": 105 }, "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Behavior - Detected - Elastic Defend", - "sha256": "1b61e930271caf4b24683fcdcd5d779d2a0f082e6b215464af1895be281398c9", + "sha256": "84214be4565dee7f618d414cd2599619e3b5a008b2e5acfb397c79d2c6020732", "type": "query", - "version": 2 + "version": 3 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", @@ -1009,9 +1009,9 @@ "10f3d520-ea35-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Ransomware - Prevented - Elastic Defend", - "sha256": "f5b721e962c74dd5fefb7ed7ed924c02a88684947c35f6d8dc29286c755143f9", + "sha256": "7ad9cd5a7ed6933679d180d53ba468c0afbf17789887c8086eeabdbd30f751c8", "type": "query", - "version": 2 + "version": 3 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", @@ -1251,9 +1251,9 @@ } }, "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", - "sha256": "bdade28ec6aad91e8926504e30173907dc1309924ed35deef6fcedb8d5fd3f91", + "sha256": "8abcc3f4f205afae84358660b95a2527d10a1f5a33fb6aa904c0c1280d8b6805", "type": "eql", - "version": 102 + "version": 103 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "rule_name": "Rare User Logon", 
@@ -1429,9 +1429,9 @@ }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "b852f838beb12b31ac0857a95bfdd281593b4bbcb010dc1e2a32c159d2349b09", + "sha256": "0b2ebcc224d55592d6f4b75e83df6d80460d48ba25c8b07d71ddeb2e16fee539", "type": "eql", - "version": 108 + "version": 109 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { "rule_name": "Potential Container Escape via Modified release_agent File", @@ -1684,9 +1684,9 @@ }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "50d50eff9038dd625531b68413c95b8a5ff3357a9369c17508d6769ab15e953f", + "sha256": "d831a2c4ab5f21f7320a3fc66d048b0b77a969c59eab238e78a8e1ca5d3c7d59", "type": "eql", - "version": 5 + "version": 6 }, "1965eab8-d17f-4b21-8c48-ad5ff133695d": { "rule_name": "Kernel Object File Creation", @@ -1794,9 +1794,9 @@ } }, "rule_name": "Connection to Internal Network via Telnet", - "sha256": "be9f9df9dab4218b1aee0e1a6cb799712ac359f1a3282a5bed0d5872ac0928f2", + "sha256": "577e427fc64582ac236a077a7655689420ac05895657991b9b10c235df191853", "type": "eql", - "version": 208 + "version": 209 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "AWS ElastiCache Security Group Modified or Deleted", @@ -1824,9 +1824,9 @@ }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", - "sha256": "9abe49370597003f6dc75e766e6b82486a26d1616b162ec5d2057028895d5ea9", + "sha256": "a216a3ce8647e67413fe83b87ca92054c13d98146ee4c740fbc79435459adb1e", "type": "eql", - "version": 117 + "version": 118 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "rule_name": "Azure Kubernetes Rolebindings Created", 
@@ -1990,9 +1990,9 @@ } }, "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "9fb2dbcc6cef8cc07dbeebd0d80481cd0482fb7b26c7ea593610b44081afb982", + "sha256": "98f03ae22b61103956c3dcf4c477d3dd6c5da89a7c24f1e69a4a6f5f96573033", "type": "eql", - "version": 105 + "version": 106 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.14", @@ -2172,9 +2172,9 @@ } }, "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "e6a93a82d6ff821825f36acf2e6b37d99c68712acf3ab5f2a522d288de604dc7", + "sha256": "5349e739a994b977cd138844e8e7e85da55971fb9e45fb3131eb92be33d3f123", "type": "eql", - "version": 104 + "version": 105 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.14", @@ -2270,9 +2270,9 @@ }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", - "sha256": "60b1fc8e258630c37d46106e04ddc92ee630843e73a695ff7697480d76438d79", + "sha256": "0f97f4ad5936052c4dd01aa0c3132de5f06f7a36be6192e1714f2732da113bc2", "type": "eql", - "version": 4 + "version": 5 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", @@ -2338,9 +2338,9 @@ } }, "rule_name": "Kernel Module Load via insmod", - "sha256": "34839afc89c7b63c7e306377524879c547688d939a3f78e14a6ab5cf5b7ac210", + "sha256": "f32774ffb6275cc6e21892bde0346fec8649a7b12e62823bc9c28ecb5f7291b4", "type": "eql", - "version": 211 + "version": 212 }, "2377946d-0f01-4957-8812-6878985f515d": { "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", @@ -2444,9 +2444,9 @@ } }, "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "6ae28a9f2bb3480636a6b4ed317a06aa8278b5aeffa859e7279b2d41a85a12af", + "sha256": "5539b5852223d4f71fb0ca5aca8622d8933016111d08f98d0bed0b9f804ddf7e", "type": "eql", - "version": 105 + "version": 106 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { "rule_name": "Network Activity Detected via Kworker", 
@@ -2485,9 +2485,9 @@ }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "cd4778bc5d33895772be26bc4a6ecf28ef907e39c922c263758d2eed3f7c94a9", + "sha256": "5ac2632c3e48650d883c521af7ddf3ee85933ed2b90dbb2a8785db3e62378ad5", "type": "eql", - "version": 7 + "version": 8 }, "263481c8-1e9b-492e-912d-d1760707f810": { "min_stack_version": "8.14", @@ -2619,9 +2619,9 @@ } }, "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "ac8b44ec148a457414e9ec3e058a6bc9ca8419eeb1df29a3108f4470cf55f9b7", + "sha256": "0940ad2254d8e550d0c01bf6a647edcd02990c8bbae6b9ca4b17522ae43f803d", "type": "eql", - "version": 106 + "version": 107 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", @@ -2722,9 +2722,9 @@ }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", - "sha256": "8e540cba7b904b32d6b84add9bbcc2611190e0acc86307c9b1808f95efcc53af", + "sha256": "ae10c2c01b91c5fc780ab3a9bbbfbc1435107aaee26f7bc8fec595151488c706", "type": "eql", - "version": 3 + "version": 4 }, "28d39238-0c01-420a-b77a-24e5a7378663": { "min_stack_version": "8.13", @@ -2738,9 +2738,9 @@ } }, "rule_name": "Sudo Command Enumeration Detected", - "sha256": "ca3c91b710e64c16368c525e5853a28d7c78cd266645365f5365dc149a48b72b", + "sha256": "84fc475479d15e3bc80b09e99dfac0c0b49c2a5edcfc3219f1ab09100b7d1555", "type": "eql", - "version": 107 + "version": 108 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "min_stack_version": "8.16", @@ -2754,9 +2754,9 @@ } }, "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "c7cea47065a3505125b65ea6912a9eb94cc3960f40931a96702b6d941aada582", + "sha256": "797faad25f8c06e7e0d08b4a64fc573c931a70e7298ba5e64dc73d3a765a59c6", "type": "eql", - "version": 106 + "version": 107 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation or Modification", 
@@ -2873,15 +2873,15 @@ } }, "rule_name": "Linux SSH X11 Forwarding", - "sha256": "00e2bb957fa4242ec45b9b70e37c642d9e2a9fda94bd439e3be93f136118c283", + "sha256": "2b3d08f13e7043638c0bb3415d9ada4726d3dd2aa56b93a318ed3b135d0723d2", "type": "eql", - "version": 105 + "version": 106 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", - "sha256": "c40db65118e9a93fd6d8e9b520bbce17da234a91ebb79cd1b51352c4215c0127", + "sha256": "842f9893108098c4b68db05cfdc942016d86cd6880aad8c93c94aca02133b0e5", "type": "eql", - "version": 8 + "version": 9 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", @@ -2901,9 +2901,9 @@ } }, "rule_name": "ESXI Discovery via Grep", - "sha256": "17186c1c0c162dc0877b0ee69ac30a87d0a2ab108b22eaa116c9df0c9a840578", + "sha256": "8a0b201a019a813afef3eb6ad8931c76409acb49bfb1000a7e441fab4f19f9ba", "type": "eql", - "version": 108 + "version": 109 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.14", @@ -3047,9 +3047,9 @@ } }, "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "54a054dded59179d223df5711dfe78e54de51c2d8c7f3fd91d4eb0b7cda1aa0c", + "sha256": "cd015724526c5fd95611fd542dcd3bf3ae7cf0f17b78feaf63025db570b62459", "type": "eql", - "version": 104 + "version": 105 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "O365 Excessive Single Sign-On Logon Errors", 
@@ -3228,15 +3228,15 @@ } }, "rule_name": "Attempt to Disable Syslog Service", - "sha256": "06b9e45618193c5102c36edb26ebfcf648ece1120ef3a26f650915c43b5881b2", + "sha256": "64eabeec581d6804bbb7ed7f4fd9a7792413294be3c0f6b2045dd0e0fe5d0c09", "type": "eql", - "version": 211 + "version": 212 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "rule_name": "Suspicious /proc/maps Discovery", - "sha256": "5316ada4014d2c9a7930574d4566f9b686174872e4fe5ceb6aadf5aa70ea9f33", + "sha256": "6e7e3a5b5658ebe94a6acbd227efca852aa9553c7e58a257f13b2e46c357055c", "type": "eql", - "version": 3 + "version": 4 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", @@ -3290,15 +3290,15 @@ } }, "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "fde62451dcbc2aa7269cb18d276d8552cd6e745cb2f47292fcf56451ef9fdfec", + "sha256": "9f0737cd4b53c31a9412db6fe279689258d74cd0462413dbf350f2a1f520f5b9", "type": "eql", - "version": 109 + "version": 110 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "rule_name": "Network Connection via Sudo Binary", - "sha256": "78f4f52284b8ea5c871846b90d949f540c2cf40216301247c3589ad6e31e8aca", + "sha256": "a497b8c3ad9c185407effba08b476ec636ae48f34d72a78ebe4c33554301e425", "type": "eql", - "version": 4 + "version": 5 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", @@ -3356,9 +3356,9 @@ }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", - "sha256": "a75544c3aa79d018caa2133ae6cea5c8ad25a63e3287613ed0a491e21ea8db90", + "sha256": "81b1ef2dce9bdf05c543f720116a273b1b28f4fcc5f3f06993027b6c522d1613", "type": "eql", - "version": 4 + "version": 5 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure Network Watcher Deletion", 
@@ -3436,9 +3436,9 @@ } }, "rule_name": "Directory Creation in /bin directory", - "sha256": "b5fec392950d06c2eed32e7b773c1586b1664272bd889de75bf44e04bae6395a", + "sha256": "bb642177d5cb1e1bc0f9a0c4cf899a157c7980be76dc66f26d4ba3d13f82b8d6", "type": "eql", - "version": 102 + "version": 103 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", @@ -3458,9 +3458,9 @@ } }, "rule_name": "ESXI Discovery via Find", - "sha256": "3ce260f07de51346b47a66b5297226e6450cd3bb3e57a902ac1a06fb9bffbae9", + "sha256": "ca86b5108a30b8e67c15162b0055562e937ab308d0406d129bc9ad4e2148f2e4", "type": "eql", - "version": 108 + "version": 109 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", @@ -3581,9 +3581,9 @@ }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", - "sha256": "2c9b76f51b6b60aac35cbe7fe3bc6458f23d91c76c8cab96a30d6148b94b3d74", + "sha256": "f8a2d53db2c5e3651899228d2e535106845b0cdfa6f926feab75424975c566f9", "type": "eql", - "version": 111 + "version": 112 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.14", @@ -3626,9 +3626,9 @@ } }, "rule_name": "Potential Suspicious File Edit", - "sha256": "cdff182cf2a97fd9ff3c7d14e95a5a79e3462d548eeef0db8a2367e2af77e5d3", + "sha256": "31e966ef88fd66e843c9134cfc92578f0c0ef1ff0b8af97d7c96049d2a31ef5b", "type": "eql", - "version": 106 + "version": 107 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "AWS RDS Security Group Creation", @@ -3656,9 +3656,9 @@ }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "5f573869ccc59acdcce25fd3eb2fc8e2c968f0706d244c11c7ca14753b018257", + "sha256": "07c83ef04668d1bdbd5e1cdf83b4d25f717a72d4984f78fbb7bf40d3c9973386", "type": "eql", - "version": 207 + "version": 208 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.15", 
@@ -3701,9 +3701,9 @@ }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "97d4337cd351104a3925d2dee5c322200ea4f2f58aa5b199d556deee79d05105", + "sha256": "747ae073e6f03ec1932651971bc68d7027e59a836270303d10e85ed668e15563", "type": "eql", - "version": 209 + "version": 210 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations", @@ -3909,9 +3909,9 @@ }, "3c9f7901-01d8-465d-8dc0-5d46671035fa": { "rule_name": "Kernel Seeking Activity", - "sha256": "647988b210c60c004ffe25efb4cce91136936f1cd83245f9f2b502058e6a2f02", + "sha256": "83cd6048f2f8d9427ced895179a1e5738b897021229fdedc39298f70b8fd527e", "type": "eql", - "version": 2 + "version": 3 }, "3ca81a95-d5af-4b77-b0ad-b02bc746f640": { "min_stack_version": "8.13", @@ -4017,9 +4017,9 @@ }, "3e3d15c6-1509-479a-b125-21718372157e": { "rule_name": "Suspicious Emond Child Process", - "sha256": "3cebf88aa246878db291a8148f143b3c0a07f8319cfd99c30942934db57c8a0f", + "sha256": "cc6f26cacff5fe4dacddeb8cb12eb8a140c4db55aed0d450c18d7175dab3f260", "type": "eql", - "version": 108 + "version": 109 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "rule_name": "Potential Remote File Execution via MSIEXEC", 
@@ -4080,15 +4080,15 @@ }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { "rule_name": "Potential Protocol Tunneling via Chisel Client", - "sha256": "e3e1a89317aac3d3163e762c015186ff6195e391a1d3c206d9ed54926a2cc6d0", + "sha256": "1d1f416f81da795677d9450e9bca8918c099440231a9d8129ff100cca36e03c3", "type": "eql", - "version": 7 + "version": 8 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "ec3773996957cf55b8cd5ac6098d1fcd503543308d70f1848e13577fa9dafef3", + "sha256": "ac26f5075bc208ba1b094437f5908ca1879c9b0bd6c5ba6a85a2de0e3dee8f17", "type": "eql", - "version": 111 + "version": 112 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "rule_name": "Process Discovery via Built-In Applications", @@ -4205,9 +4205,9 @@ } }, "rule_name": "Unix Socket Connection", - "sha256": "4e6ed5c689e74843dfe8eb79179c061375fa76071e31e878a498eb81896a3be0", + "sha256": "afdba8db5676ef375dc06883ea62a82b9410044f332d00db802aaaa84b3793e3", "type": "eql", - "version": 104 + "version": 105 }, "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.14", @@ -4348,9 +4348,9 @@ } }, "rule_name": "Linux User Added to Privileged Group", - "sha256": "aed1e55bff87f141c5ea1dd5d2bd5453a61f1e0d72d2c26f2e961a0107d1be5e", + "sha256": "dfd9d0ca4de23654268f056431b3427be368d9c063d5991111ed78363645dc4f", "type": "eql", - "version": 109 + "version": 110 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "min_stack_version": "8.14", @@ -4527,9 +4527,9 @@ } }, "rule_name": "System V Init Script Created", - "sha256": "30cfadc148e90c2cfc4382b7c085885ddc67f47211258ad9e8c35e63fb80d117", + "sha256": "f1873f6d75f651d8a741c68aeb9b215cc2750c45bc137afd9a6110af092219a1", "type": "eql", - "version": 114 + "version": 115 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "rule_name": "Sensitive Files Compression Inside A Container", 
@@ -4549,9 +4549,9 @@ } }, "rule_name": "Cupsd or Foomatic-rip Shell Execution", - "sha256": "f31488d82e4159063e7e92fa484c6c5f2b0d7c8287a8fb02adb790ef55d6242e", + "sha256": "eb912e24c46ec2f35d9be99c411eb107c6f6cd1ad27b962d4130668320e98388", "type": "eql", - "version": 103 + "version": 104 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "min_stack_version": "8.14", @@ -4577,9 +4577,9 @@ }, "47f76567-d58a-4fed-b32b-21f571e28910": { "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "27d113fc9dd74c3da88815021fbd3a91cad66fb4959ca57d5033e135ddf75d69", + "sha256": "c7d8db1796112e5e9d32eb1200a16f602a143d55b376da98b030dd7980b792b5", "type": "eql", - "version": 107 + "version": 108 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "min_stack_version": "8.14", @@ -4612,9 +4612,9 @@ }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "rule_name": "Potential Reverse Shell", - "sha256": "fdc6ca399ab1cfd315850c7822e7120a2710979cfbe329ca647b659fcf62ddb4", + "sha256": "60acdaeb7bdfa3879ac2b58f7e1f303bc1cb6ead52bc7e45ad1bd340aacd352a", "type": "eql", - "version": 10 + "version": 11 }, "48b6edfc-079d-4907-b43c-baffa243270d": { "min_stack_version": "8.14", @@ -4634,9 +4634,9 @@ }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "4be8032dbbeecc1497aff05372e2139e72011b598bc146763878eaee2be2a499", + "sha256": "52f6b93c3cc0d5c1fb4f6e6db6ed931e29c49ee0e908a1561e09af98dba2acad", "type": "eql", - "version": 108 + "version": 109 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", 
@@ -4668,9 +4668,9 @@ } }, "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "bffeae97a26ace150963159905c7c1cb2d3dd3aa299db431b4b0844567c257b9", + "sha256": "691cfec23b704e2589edfb62980284fec4ac438776a1a88edb7605ee5e54698f", "type": "eql", - "version": 109 + "version": 110 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "rule_name": "Application Removed from Blocklist in Google Workspace", @@ -4718,9 +4718,9 @@ } }, "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "fbc9b003a74a72df517c09f83f2629428a29346428ee3311faa27da6614488d3", + "sha256": "6496b33df954b86a762df6202f068d413cf231e273ca8e1a2c0ceefa6e1d127a", "type": "eql", - "version": 106 + "version": 107 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "rule_name": "Potential Cross Site Scripting (XSS)", @@ -4775,9 +4775,9 @@ } }, "rule_name": "ProxyChains Activity", - "sha256": "7b6c538ea2e93784ce64d2a04dbb00ddbc28aac92ab6008312821b65a46d8717", + "sha256": "3ddce01b59f5987dd1a83755af79e6e993de5f67f97b960b4b2b544be9e1609a", "type": "eql", - "version": 105 + "version": 106 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { "rule_name": "Unusual Process Writing Data to an External Device", @@ -4842,9 +4842,9 @@ } }, "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "276e07ad6386011b5ba83107e7f863831a18b2c1b755a679005768a02b1d9f6d", + "sha256": "f8166b3c126f6350077c04381eff45f180452c93b70be54c18aa91ff15e512f0", "type": "eql", - "version": 108 + "version": 109 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", 
@@ -4977,9 +4977,9 @@ }, "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "rule_name": "Kernel Unpacking Activity", - "sha256": "d10bf82f2f2925d3893f3170c4824f6e0cd1c812c901dc8fc256f113e735498e", + "sha256": "30f4f5ada6d77e11118ecf139bb7106bc0df3031341b3e5ce0f55fd20221aa09", "type": "eql", - "version": 2 + "version": 3 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "min_stack_version": "8.13", @@ -5068,9 +5068,9 @@ } }, "rule_name": "Hidden Files and Directories via Hidden Flag", - "sha256": "b73939a26aed301cde9d16fd437a77e325a4393d91a96a981d2fb92dedb61b74", + "sha256": "b33bbf177156fd682cccd98b3b5e214c494c17ac29770c3ef6e211cd2b8f26f9", "type": "eql", - "version": 104 + "version": 105 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.14", @@ -5166,9 +5166,9 @@ }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "94dbbc192b8f9c9fb802a3785bc420e0f318b461c50fb90a879eca803aa6d523", + "sha256": "d68914fa075b88195665f82a00fa3b28e4743eed50f9e3588de8c565793841b1", "type": "eql", - "version": 114 + "version": 115 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { "rule_name": "Execution via Microsoft DotNet ClickOnce Host", @@ -5212,9 +5212,9 @@ }, "530178da-92ea-43ce-94c2-8877a826783d": { "rule_name": "Suspicious CronTab Creation or Modification", - "sha256": "c30eb96fc6194d443c353229802bba9be8aaebc4e8abc78d2734cc5612fd49f1", + "sha256": "a4364fe5d4b4e0e056536d4580cf884b56e49248ee1f3a84812426da1bcaf590", "type": "eql", - "version": 107 + "version": 108 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", 
@@ -5434,9 +5434,9 @@ }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "a12b24ae6304c80c777dd5b7e120916781b2e76b2f09848e292a453d76cd5056", + "sha256": "a9bd29a0b1111a010696c79f5347c1e5e60dd3a903452b06964302229c7bfb2c", "type": "eql", - "version": 108 + "version": 109 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", @@ -5645,9 +5645,9 @@ } }, "rule_name": "IPv4/IPv6 Forwarding Activity", - "sha256": "1cf2ab43dc77c7b8e03becd52f2882b3dc1844085e26351dda5f6b31bb609722", + "sha256": "8396ecbd7798a0b4e17254a7e80dffd7b731859eb3d11dbb07f51ddbfdad095e", "type": "eql", - "version": 102 + "version": 103 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "min_stack_version": "8.14", @@ -5674,9 +5674,9 @@ }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "rule_name": "Potential Reverse Shell via Java", - "sha256": "9f4687f96c022e624c6f5414ecb77f6d8b9148dceb9137d3bf0bb37c294bd2e9", + "sha256": "d34a8290b7fcc098f29ce0d6bb50b467f7bee1c71201258899338916a3019e66", "type": "eql", - "version": 9 + "version": 10 }, "5ab49127-b1b3-46e6-8a38-9e8512a2a363": { "rule_name": "ROT Encoded Python Script Execution", @@ -5696,9 +5696,9 @@ } }, "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "efa24aa4e360509d77a32ce3f80aa988c50b5849bf0f3c2e8600efd49b6a384d", + "sha256": "135b3d3e2b3be70b8da8cfd2806556b9b14bc02f669d6789237a56b36d345398", "type": "eql", - "version": 103 + "version": 104 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", 
@@ -5737,9 +5737,9 @@ }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { "rule_name": "SUID/SGUID Enumeration Detected", - "sha256": "579398f581b46a408dd3248aa0e706c28ce608e3fcecb9296abc9d328e024c92", + "sha256": "91750adfc2612e0725d0e74eb5c05c29dec1b7871b12e1e2ec38f409cd0f1e08", "type": "eql", - "version": 7 + "version": 8 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { "min_stack_version": "8.13", @@ -5753,9 +5753,9 @@ } }, "rule_name": "Suspicious which Enumeration", - "sha256": "31644856f49ffea6104635840c58566a40fbe5a81da84366f5eb33be25efe892", + "sha256": "8c27bb4dfd65956ad41dd52d71f7c946aaf21e52ea1956d82fe54231ac8a17f1", "type": "eql", - "version": 108 + "version": 109 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", @@ -5801,9 +5801,9 @@ }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "rule_name": "Process Capability Enumeration", - "sha256": "b59cc8bfab61d96bcdff86bcf5c7a1b13b64354d821ae475efcf40a35b332a19", + "sha256": "e030a36c06a00dbb591951c1c87280a6f2afc1b155d67ecb00fd451bd084cce6", "type": "eql", - "version": 4 + "version": 5 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { "min_stack_version": "8.14", @@ -5883,9 +5883,9 @@ } }, "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "20eb77ba6a8a8323188fa6281186aa530803e86930af2a51cb2fb2140ad57fcf", + "sha256": "c5995d0265ad4c7e35124856effd41c95caad3e3178a67f3c5bc6122df89e317", "type": "eql", - "version": 108 + "version": 109 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.14", @@ -5944,9 +5944,9 @@ }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", - "sha256": "b8a59cdd32843855c38fac2f200184b85c2d6530489e471b8a4130406e8ec85b", + "sha256": "3bd77e64972d14a4d804669114ba09690953c6f7e3ecc837457651ea6a58dbf2", "type": "eql", - "version": 108 + "version": 109 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.14", 
@@ -5982,9 +5982,9 @@ }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", - "sha256": "a1c17423de6e19c6f7cf178290eafc3cd6146dbbb850b2c6ac92c5826af80f6b", + "sha256": "cf8318ce83d960276ef1ade7a60d590ea666e5f242ecdabd0a9a6c7daeb32e1b", "type": "eql", - "version": 107 + "version": 108 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { "rule_name": "Google Workspace 2SV Policy Disabled", @@ -6004,9 +6004,9 @@ } }, "rule_name": "Memory Swap Modification", - "sha256": "5583dee02ed10b698537738686fdd5974f461d686e6b36f456a6eaf52a661fc2", + "sha256": "9b2b90fcdbd4c8d61fb415c8648a5fbb45acf0f721bc6639adae981cb9d9ce1c", "type": "eql", - "version": 102 + "version": 103 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Microsoft 365 Teams Guest Access Enabled", @@ -6211,9 +6211,9 @@ } }, "rule_name": "Private Key Searching Activity", - "sha256": "5519c882a79e550a82c6cdf78d433feb500b6bd32ef8f72913f9df44a00f8a9f", + "sha256": "ac4b591b30cbfb1cecd4fab9a4c521aa12bf95897eab976edf79d520b5eeedfc", "type": "eql", - "version": 102 + "version": 103 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.14", @@ -6246,9 +6246,9 @@ }, "63431796-f813-43af-820b-492ee2efec8e": { "rule_name": "Network Connection Initiated by SSHD Child Process", - "sha256": "9bc024ebd7d20dd7d23abc9dbe71bf043edaab5d7afc79551d0da709c4fe821e", + "sha256": "886e2ce498e9e513fd0cbb827b2670aecc14f0622b71977c7d5a5bbaa36f7faa", "type": "eql", - "version": 4 + "version": 5 }, "63c05204-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", 
@@ -6292,9 +6292,9 @@ }, "640f79d1-571d-4f96-a9af-1194fc8cf763": { "rule_name": "Dynamic Linker Creation or Modification", - "sha256": "9d1158eb547e4cbef8792d8e21f04e26ed8f8e6a4205bc87f557901520583a3d", + "sha256": "14d6857ca9bf0ec373fc9399d4434a2ab8bdeb8dcf682ae5b097bdf43ba2f501", "type": "eql", - "version": 3 + "version": 4 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", @@ -6310,9 +6310,9 @@ }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "rule_name": "Network Connection via Recently Compiled Executable", - "sha256": "2077b595953101f3fa176295f9adac0453ae759f4adfda777ee54f9285fb893b", + "sha256": "1af56461ac06d32d603787c924153d4f2d4a4db5112a2fd3ddf2d2ecfd214686", "type": "eql", - "version": 7 + "version": 8 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { "rule_name": "Potential PrintNightmare Exploit Registry Modification", @@ -6351,15 +6351,15 @@ }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", - "sha256": "6883edba26e4283cdfdd6ae341ed445cd67e51d20dc15f1fe106514a29c07af3", + "sha256": "31e21bde793c13880466715c3089dbc5f61ad8f8d76e83c06f4081ca257d27d3", "type": "eql", - "version": 108 + "version": 109 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", - "sha256": "12e2cdafd4870927e64b1a906bbd4a927ea681570396c184a54f119486371411", + "sha256": "e9b5bd05f304afdfc0d3dcad377c1c58b53eff1df8f63974f81a2a09fba0819e", "type": "eql", - "version": 7 + "version": 8 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "min_stack_version": "8.15", 
@@ -6424,15 +6424,15 @@
 }
 },
 "rule_name": "Linux Process Hooking via GDB",
- "sha256": "102f289cddaa0bfdaa48642008df6ac4c7ffe2be9cc0d5ab335ec0647d841c6d",
+ "sha256": "6124499edac0ee53fc52e4a4b588db2d5747ae4fb3770c91307fd25814704939",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
 "rule_name": "Suspicious macOS MS Office Child Process",
- "sha256": "e35261396a28f58844455d18ffd0bcc2c385ca3960845c6db9f87949bc561fb3",
+ "sha256": "e459e7757af9cf9495f5f49a390b8b7ed17f7d4152b90f74cbae4e4e70c21084",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
 "min_stack_version": "8.14",
@@ -6795,9 +6795,9 @@
 }
 },
 "rule_name": "Suspicious Utility Launched via ProxyChains",
- "sha256": "4b44cff5ea71dfe44a694925ca874673be82adc62e7000b867108002baa8c6ba",
+ "sha256": "7ed5babe4ccddd47a42992b6b092c794c17adfe49c0418a399fb645487d38e68",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
 "rule_name": "Sensitive Files Compression",
@@ -6890,9 +6890,9 @@
 },
 "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
 "rule_name": "Potential Privilege Escalation via CVE-2023-4911",
- "sha256": "f9612a6680c21d0e7472c260b412d0ce245e770722ae4ce351d2724843c22512",
+ "sha256": "731a803c9a47cb0804d071217c48070afb14657b649da32fe8e6b1c19f24731f",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "6ded0996-7d4b-40f2-bf4a-6913e7591795": {
 "min_stack_version": "8.13",
@@ -6966,9 +6966,9 @@
 },
 "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
 "rule_name": "Enumeration of Users or Groups via Built-in Commands",
- "sha256": "3603dc2b2c4d67886879719f5bf7a3028418d0fd6b68942c48a0266e237f5200",
+ "sha256": "b756d838cee35d2d74c87c1eb59757651ef01aea7dbb08271cf1d89133465583",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
 "min_stack_version": "8.14",
@@ -7020,9 +7020,9 @@
 }
 },
 "rule_name": "Potential Linux Tunneling and/or Port Forwarding",
- "sha256": "a2bb01debfece4938dd4811b68b388aad80362fd4005573222fab19ba5b3f6da",
+ "sha256": "a1f2cd2fc7257d7c204df51ffec3d086f341240896b38551b8acc005408ce357",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "6f024bde-7085-489b-8250-5957efdf1caf": {
 "min_stack_version": "8.14",
@@ -7174,9 +7174,9 @@
 },
 "71d6a53d-abbd-40df-afee-c21fff6aafb0": {
 "rule_name": "Suspicious Passwd File Event Action",
- "sha256": "9c5e49e4ec3d86b7a5b7018df29cbbaafcaa6bc37f325409687ef18528d09109",
+ "sha256": "609588d90dbd2835f5c9b04e8df9212c06789c253c51493efddb47a5ca0cc201",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "71de53ea-ff3b-11ee-b572-f661ea17fbce": {
 "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
@@ -7263,9 +7263,9 @@
 },
 "734239fe-eda8-48c0-bca8-9e3dafd81a88": {
 "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
- "sha256": "c1f5f6023527e8ad1b084703495bc9a930c88144a67ab419027b598476b0565c",
+ "sha256": "be9bce91fdc93b4d4d344a66eeafad8e5ea7f5d9bd1b0fdea2aed5b7ba6844a8",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
 "min_stack_version": "8.14",
@@ -7366,9 +7366,9 @@
 }
 },
 "rule_name": "Creation of Hidden Shared Object File",
- "sha256": "4ca005023766d02d784784bb7849d0cc16327545a1864fcca200f297ab249851",
+ "sha256": "1a48028da247ad699969d0714a5b03ca294e28d99adad7b3fb9ada639aca982c",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "76ddb638-abf7-42d5-be22-4a70b0bf7241": {
 "min_stack_version": "8.14",
@@ -7388,9 +7388,9 @@
 },
 "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
 "rule_name": "Potential Reverse Shell via Suspicious Child Process",
- "sha256": "84f537c4a2c1c856bfe6d666e3571345b696959542bcca59883abd23143ece1e",
+ "sha256": "6a73b9f5864bb0ea366a745a9af576e7bfaf493b276693b044f5b5cd267ea68f",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
 "min_stack_version": "8.14",
@@ -7458,9 +7458,9 @@
 },
 "781f8746-2180-4691-890c-4c96d11ca91d": {
 "rule_name": "Potential Network Sweep Detected",
- "sha256": "2cd6f77377a3d577ab8065dba895a7e2180b5a2c9e63cf70c3c343a2e869befb",
+ "sha256": "4ceee9e70e8a80b75777d30ad1e8c71d873d3e5672bd2ab984e40111c6505c38",
 "type": "threshold",
- "version": 9
+ "version": 10
 },
 "78390eb5-c838-4c1d-8240-69dd7397cfb7": {
 "min_stack_version": "8.13",
@@ -7474,9 +7474,9 @@
 }
 },
 "rule_name": "Yum/DNF Plugin Status Discovery",
- "sha256": "18285a5b5c95fc7dda5307e71045134c595f4fc27ce61967134e85c88eb12f35",
+ "sha256": "b945c19be36ede477ceb6eb65ff7fa6d2271d7458820139d0bdd9ad8b8633143",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "785a404b-75aa-4ffd-8be5-3334a5a544dd": {
 "rule_name": "Application Added to Google Workspace Domain",
@@ -7546,9 +7546,9 @@
 "79543b00-28a5-4461-81ac-644c4dc4012f": {
 "min_stack_version": "8.15",
 "rule_name": "Execution of a Downloaded Windows Script",
- "sha256": "bd592841bf0b6ad530aa3d406b9a9eab1967356532a3378b75aa5fbb032ce9ea",
+ "sha256": "df935e831f7d3a8b986c24cc07232817bd2044240140b7536cd4bf61cb96811e",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
 "min_stack_version": "8.13",
@@ -7625,15 +7625,15 @@
 },
 "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
 "rule_name": "Potential Privilege Escalation through Writable Docker Socket",
- "sha256": "f59cd7ace12ad2dc5977115a2a36eafbd45b5f549085525dd8a9e4a84885f089",
+ "sha256": "820246c1236dd2cdd3601e1dd0c74c5f936f40ed580c2ac2884e7170b3df6d97",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
 "rule_name": "Potential Execution via XZBackdoor",
- "sha256": "5757f1a3f917b887d146a792807c7a05c1495134c028e8a489a70611899aa636",
+ "sha256": "f4ad3bfdce432ca539259b7d6fb645dbb26546156be5e35d397775fdb01408ba",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "7b08314d-47a0-4b71-ae4e-16544176924f": {
 "rule_name": "File and Directory Discovery",
@@ -7765,9 +7765,9 @@
 },
 "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
 "rule_name": "Suspicious Kworker UID Elevation",
- "sha256": "f0d040485bd01c51e2c8f158dd600fb222395c139e0268bbbcfde6b0c4be3bc0",
+ "sha256": "b8c749e5ff7bf1d9f8abc6fb1344b7c34c95ed51c530c12986e3176da636d219",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "7e23dfef-da2c-4d64-b11d-5f285b638853": {
 "min_stack_version": "8.14",
@@ -7811,9 +7811,9 @@
 }
 },
 "rule_name": "Security File Access via Common Utilities",
- "sha256": "3b40fd7e087f2c301a1f5742e48c632df6fe05921c88d4cdcaf67053bcc5975e",
+ "sha256": "6ba9893d93ba8852cad33b67e46d3ffda3bb3282cf04264efb77ba683e837231",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
 "min_stack_version": "8.14",
@@ -7981,9 +7981,9 @@
 },
 "827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
 "rule_name": "Apple Scripting Execution with Administrator Privileges",
- "sha256": "663d1f8ba0fee571a5dcfb323c0f2b66e1b356104fda2cb7d213cd33a51c6f65",
+ "sha256": "2f5d6142cc013635d4920ad40fbfb096e1071868dd0938460579946ebaa120b8",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "82f842c2-7c36-438c-b562-5afe54ab11f4": {
 "rule_name": "Suspicious Path Invocation from Command Line",
@@ -7994,15 +7994,15 @@
 "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": {
 "min_stack_version": "8.13",
 "rule_name": "Manual Dracut Execution",
- "sha256": "7aacc11b5e41f9a6ee5bb11cc2825d1361cd44bcf69a8fb3d6599be1e9e65c8f",
+ "sha256": "dbd9afc54fc7a771ed98faffa779d382c2b1962cedf84ec2dd45606550e37857",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "835c0622-114e-40b5-a346-f843ea5d01f1": {
 "rule_name": "Potential Linux Local Account Brute Force Detected",
- "sha256": "ed8904ed52554b72e3d4db4b4954ce47beef9e99a0ce76a3106d1cf6c0e89123",
+ "sha256": "04a9b7b77bc56377bc4686132f269a31dfa92ec833decf61aeb4cee3277ae5d6",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "83a1931d-8136-46fc-b7b9-2db4f639e014": {
 "rule_name": "Azure Kubernetes Pods Deleted",
@@ -8051,9 +8051,9 @@
 }
 },
 "rule_name": "Attempt to Disable IPTables or Firewall",
- "sha256": "6ffa831c31c4b214a52ff08f056a860da877e2c2a926988622839bc3111d7185",
+ "sha256": "549c19f864332988b6fb45817a74e1dab49339388224f5b36cdaf30d80d21bda",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8446517c-f789-11ee-8ad0-f661ea17fbce": {
 "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
@@ -8095,9 +8095,9 @@
 }
 },
 "rule_name": "Potential Upgrade of Non-interactive Shell",
- "sha256": "151e0853d12af096c8290858df71ee81fd2ed9a318fca88206295da8a3cb6646",
+ "sha256": "559158e7c30d5871bbf29e70aef9a1d8def80199a6ab18a0f76d1363c713891c",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "84da2554-e12a-11ec-b896-f661ea17fbcd": {
 "min_stack_version": "8.14",
@@ -8212,9 +8212,9 @@
 },
 "88817a33-60d3-411f-ba79-7c905d865b2a": {
 "rule_name": "Sublime Plugin or Application Script Modification",
- "sha256": "99a91041952f318c45cf4a8f2aa5ea27a2b4d57079dd6844d7ccdb85e88c708f",
+ "sha256": "8ac86f893c189972849c3353f5d53331a7a306c28b6f10c8bec469d634c86757",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
 "rule_name": "Potential Sudo Hijacking",
@@ -8300,9 +8300,9 @@
 },
 "8a024633-c444-45c0-a4fe-78128d8c1ab6": {
 "rule_name": "Suspicious Symbolic Link Created",
- "sha256": "222d4530ad568937c4a1e40fefcfd3cc4761ff0cbf227edae0193e631274505e",
+ "sha256": "01e31da74d8f38ddf237a4320f398fef3afaf986bbf7a614926c91d52717f21a",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
 "min_stack_version": "8.15",
@@ -8406,9 +8406,9 @@
 }
 },
 "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
- "sha256": "61b0dd506782ed3d2c0be8ec13e04db7aa0b88f80d4e4900bec06089bba27de4",
+ "sha256": "f2b61c3ff7a9e998f71f19335af6dfe69db48ae9d7098fcf270a3dc44ec4fb48",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
 "min_stack_version": "8.14",
@@ -8539,9 +8539,9 @@
 }
 },
 "rule_name": "Potential Privilege Escalation via PKEXEC",
- "sha256": "bffefdf6a83bf3a802805b5c6129038b3804ed28da89fb014230a8483be07d8a",
+ "sha256": "5c75901a24944ea9bb7731dfa441ca4c2e49cba2cc2cf98c4bf84dc0fb10506d",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
 "rule_name": "Azure Automation Runbook Deleted",
@@ -8656,9 +8656,9 @@
 }
 },
 "rule_name": "Hping Process Activity",
- "sha256": "a60128d77de2c0eca6003d227982fc4c5c80c8c95e0da69ba91713797060a25d",
+ "sha256": "fe079acfbd59f33d0829da92c4e2e587c3f846c53a875510463da0438f0c4a0b",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
 "rule_name": "AWS Deletion of RDS Instance or Cluster",
@@ -8684,9 +8684,9 @@
 },
 "9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
 "rule_name": "Keychain Password Retrieval via Command Line",
- "sha256": "e2adf962cb1b1cfaa01850f2abc72f2b56fb3c131551c98f605640ab10025952",
+ "sha256": "fb943bd48a4626d7013516e753159b40fdaad0d3f64f572bd223b2716a934d3a",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": {
 "rule_name": "Excessive AWS S3 Object Encryption with SSE-C",
@@ -9061,9 +9061,9 @@
 }
 },
 "rule_name": "File made Immutable by Chattr",
- "sha256": "2cccc89db8fd4c8b5997d76d60b9d16e04ad9016804c886fefb7be5155c551e4",
+ "sha256": "38909ad9aefb85b3686d7ce1ad51131ea6f34ac9a0f3636eff945237ca572566",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
 "min_stack_version": "8.15",
@@ -9096,9 +9096,9 @@
 },
 "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
 "rule_name": "Access to Keychain Credentials Directories",
- "sha256": "a58b0877159c33e555ae1f66edde525a759a987fcc04a91aabbd2a35aa5cd863",
+ "sha256": "c3a49d1a72ee8b083f42d9a80d3bcf96dad353cf2f1d2f4b1167a6236afc8780",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "97020e61-e591-4191-8a3b-2861a2b887cd": {
 "min_stack_version": "8.14",
@@ -9201,9 +9201,9 @@
 },
 "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
 "rule_name": "Suspicious Renaming of ESXI Files",
- "sha256": "4ca383b998699336db64bc99ee8c2a7b52c0fe6e2e57a2a424262b1656f15539",
+ "sha256": "d48ba745542ab8f019a9ce68e2eaab1e0710585d16c354744c59767f24e825ee",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "97f22dab-84e8-409d-955e-dacd1d31670b": {
 "rule_name": "Base64 Encoding/Decoding Activity",
@@ -9241,9 +9241,9 @@
 }
 },
 "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
- "sha256": "0c916283ee1f0d1637c62ca43d6d9d0ecedc506d586db6f76fbb4760f241bca3",
+ "sha256": "701bf23c547307a946220bd3957b0adca6d9935dc5ddd0a2d59e97125e3cbd06",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "98843d35-645e-4e66-9d6a-5049acd96ce1": {
 "min_stack_version": "8.14",
@@ -9287,9 +9287,9 @@
 },
 "99239e7d-b0d4-46e3-8609-acafcf99f68c": {
 "rule_name": "MacOS Installer Package Spawns Network Event",
- "sha256": "d58c1f45d74532cc49086f3fc2b1694098a7286463f0cea3fe7512d6b681a085",
+ "sha256": "bd112fd50317c61508bf7617e01f08695c64588de6801c39f7c6bb6155cdbebd",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "994e40aa-8c85-43de-825e-15f665375ee8": {
 "min_stack_version": "8.14",
@@ -9335,9 +9335,9 @@
 }
 },
 "rule_name": "Access Control List Modification via setfacl",
- "sha256": "fd3dc1350984a9b8467d555f148ef21d43fb04f913791ca642896a5a39069f55",
+ "sha256": "265d70cfdc84fddd988dbe3b110c25de72fe374209a1e78e667c309c70c3b13e",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "99c2b626-de44-4322-b1f9-157ca408c17e": {
 "min_stack_version": "8.13",
@@ -9351,9 +9351,9 @@
 }
 },
 "rule_name": "Web Server Spawned via Python",
- "sha256": "177d077650fa0b0c0a8d232ffd7f502d9de98c9d95e244261e6accf6e9f047bd",
+ "sha256": "e40443f15069a79c93f3af2ef411178ce68866881149524dbc2a1822cecdc3ee",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "99dcf974-6587-4f65-9252-d866a3fdfd9c": {
 "rule_name": "Spike in Failed Logon Events",
@@ -9364,9 +9364,9 @@
 "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
 "min_stack_version": "8.12",
 "rule_name": "Endpoint Security (Elastic Defend)",
- "sha256": "fe3e81fc1a5dd73c6932676c7b09d087a3b3848733fa74eb5a2b18f068972549",
+ "sha256": "30950c93c8eddc61c365791e8c2b74e80d7890fcc2f73f740c5eb9d5481f3b4a",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "9a3884d0-282d-45ea-86ce-b9c81100f026": {
 "rule_name": "Unsigned BITS Service Client Process",
@@ -9474,9 +9474,9 @@
 },
 "9b80cb26-9966-44b5-abbf-764fbdbc3586": {
 "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
- "sha256": "cb064b54fbccc8e07affaf57e4d14856f67f6918ff0c44205cd1c23aa4dcf427",
+ "sha256": "c58dfc5733f3e65bb9059316a9300d38db530be0527fd7e64e37af99dfd2d521",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "9c260313-c811-4ec8-ab89-8f6530e0246c": {
 "min_stack_version": "8.14",
@@ -9662,9 +9662,9 @@
 },
 "9d19ece6-c20e-481a-90c5-ccca596537de": {
 "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
- "sha256": "ee6fd1c193ca3176b28e1944ae22027cdbe34e8151a5571d2c9571ae0970960a",
+ "sha256": "bb77fb9e3e5e133ea5abdc232b19de4477bc18cba743881e80f0c4be6ac96c42",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "9d302377-d226-4e12-b54c-1906b5aec4f6": {
 "rule_name": "Unusual Linux Process Calling the Metadata Service",
@@ -9690,9 +9690,9 @@
 }
 },
 "rule_name": "Potential Protocol Tunneling via EarthWorm",
- "sha256": "e49d72b63706bac64f750445fb8273899588eb0881286ee1c15f8cbf3d4b495f",
+ "sha256": "41e4276d49f03093af17d2254ee773f8643d1c0aa8b8ac61d01ccefd7bdc22e8",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
 "min_stack_version": "8.14",
@@ -9740,9 +9740,9 @@
 },
 "a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
 "rule_name": "Potential Privilege Escalation via Python cap_setuid",
- "sha256": "4fb0c2f13b78a878839b6ca5deae3f3256aad7e97fd364c5e60139f495f526ad",
+ "sha256": "fde760cc52775ecdc228f7f4fc26b42a1d1040d4732aa51f2942e21d16c00820",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
 "rule_name": "GCP Pub/Sub Topic Creation",
@@ -9778,9 +9778,9 @@
 }
 },
 "rule_name": "File Deletion via Shred",
- "sha256": "88cad104e97ca755480aafaa4a712b418afbe8b9eab3dc5b3a7f41b78982ad6a",
+ "sha256": "6cf3281eed4a567e7fadf7e7a60a25d32be3683088852fd6cac2b340214c17d3",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "a16612dd-b30e-4d41-86a0-ebe70974ec00": {
 "min_stack_version": "8.14",
@@ -10016,9 +10016,9 @@
 },
 "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
 "rule_name": "Emond Rules Creation or Modification",
- "sha256": "cbdf047624c4be0c4e5064b465f23c279737467edb36c6a8f0f51d8081900042",
+ "sha256": "3ca5c9a41990306c9c1425b02dec89fd7cf7f677abf7544f50a0a7f6d894e9f6",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "a74c60cb-70ee-4629-a127-608ead14ebf1": {
 "rule_name": "High Mean of RDP Session Duration",
@@ -10149,9 +10149,9 @@
 }
 },
 "rule_name": "System Log File Deletion",
- "sha256": "90cddbc10f4f4760da203311ee1ccaaffddec3e97369b36fa049935b55906f94",
+ "sha256": "af1173cc43f540a885c1fe5ff3ca083ca2e96ae5d484216e8cafe707ef9ef2b3",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
 "min_stack_version": "8.14",
@@ -10190,9 +10190,9 @@
 },
 "ab75c24b-2502-43a0-bf7c-e60e662c811e": {
 "rule_name": "Remote Execution via File Shares",
- "sha256": "8969379383985fd2ccf5010b8b1c8c4e72e6c2508b920cfb65101ab13bfaa620",
+ "sha256": "78d447b3cd6a49ab7ac62b483ff04bd68e29310b28aacad89af526962847b961",
 "type": "eql",
- "version": 116
+ "version": 117
 },
 "ab8f074c-5565-4bc4-991c-d49770e19fc9": {
 "min_stack_version": "8.13",
@@ -10309,9 +10309,9 @@
 },
 "ac8805f6-1e08-406c-962e-3937057fa86f": {
 "rule_name": "Potential Protocol Tunneling via Chisel Server",
- "sha256": "244086ab4aa98317bccdb56cbe25ee1911c6c8b1b5d6b56e5da66e969e9a1aa2",
+ "sha256": "989c58058784588cd22c236d0cc58394fe67e6f8df10a6f446381d5f6301083e",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
 "min_stack_version": "8.14",
@@ -10417,9 +10417,9 @@
 }
 },
 "rule_name": "Openssl Client or Server Activity",
- "sha256": "1b7199791c6d84167d236ea1e7b0d434bbd215be6509536b9d943c0be646d2a6",
+ "sha256": "075631e1ef46d21f816f96cd248fbd08db4840dda4f701989973b31ee3dc8dcb",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
 "min_stack_version": "8.14",
@@ -10455,9 +10455,9 @@
 }
 },
 "rule_name": "Suspicious APT Package Manager Execution",
- "sha256": "746d0a429f9ff030e458664ae3eaa0292ccbc3c15e7f707921cde5fa37659e91",
+ "sha256": "290226c3c245c0651561503b7e5851aa8176ccbb1907d504d82489d72d110b36",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
 "min_stack_version": "8.13",
@@ -10471,9 +10471,9 @@
 }
 },
 "rule_name": "File Transfer or Listener Established via Netcat",
- "sha256": "1da815d35ec17c8073f83a5113a2ecc2ed46bc4ea6694beafe243f8bba9f4f43",
+ "sha256": "c88c77cee5c1ccbc6718afa7c168a3a9e42405d8647f11cde44e6f0355fd5399",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "adbfa3ee-777e-4747-b6b0-7bd645f30880": {
 "rule_name": "Suspicious Communication App Child Process",
@@ -10493,9 +10493,9 @@
 }
 },
 "rule_name": "Suspicious File Creation via Kworker",
- "sha256": "638df02131a857a0c394365561637358f6a3ffb4aaa634e28f95a56dc649878a",
+ "sha256": "946a500a38cf03cc2200ba5c9f94b883db01f72d046965428ba893157a5c0fb1",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
 "min_stack_version": "8.14",
@@ -10534,9 +10534,9 @@
 },
 "afa135c0-a365-43ab-aa35-fd86df314a47": {
 "rule_name": "Unusual User Privilege Enumeration via id",
- "sha256": "3b1d96fdac5914fb91eecbc97fa8f38bc40a93377e7b9b291e2521e0d62884e8",
+ "sha256": "dd77a39284b7f0fa3cdc5ce8819ff01ed6f11bec568d524431c32708f700d5a5",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
 "min_stack_version": "8.14",
@@ -10556,15 +10556,15 @@
 },
 "afd04601-12fc-4149-9b78-9c3f8fe45d39": {
 "rule_name": "Network Activity Detected via cat",
- "sha256": "7be4987e791da9dfabee670a6146bc8feecdc79d6116df0d953a8ba12d281ac5",
+ "sha256": "945c79177caedcb32dc2e02903d14ac7208bc61607529c0123e9e3e044a4d555",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "afe6b0eb-dd9d-4922-b08a-1910124d524d": {
 "rule_name": "Potential Privilege Escalation via Container Misconfiguration",
- "sha256": "9f17380d50e88b7451dd13c376b322d5597ee174ee532322e00728ddd30236e4",
+ "sha256": "fae9c44d21f8e3be93ff74c05bb6b9d9484396579b5e29cb81402bd3ee84fa2d",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "b0046934-486e-462f-9487-0d4cf9e429c6": {
 "rule_name": "Timestomping using Touch Command",
@@ -10613,9 +10613,9 @@
 }
 },
 "rule_name": "Hidden Directory Creation via Unusual Parent",
- "sha256": "354b847a7f132052a3849af3c53e5def5104dd2dd73db94eca1fed67cfd83e8e",
+ "sha256": "cf1573124222ea0894d4b604d5b227b43a2853f0b399f63d080624ef5a1144c8",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "b1773d05-f349-45fb-9850-287b8f92f02d": {
 "min_stack_version": "8.13",
@@ -10801,9 +10801,9 @@
 },
 "b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
 "rule_name": "Potential Privilege Escalation via OverlayFS",
- "sha256": "e577352f4e85cfd958d5873c0804e639b7b3bf1f869e7ccc0f203e6d2492672d",
+ "sha256": "d954b504b99dc10781bdb03b7b51829bd53063c410c19a509612b52841275d54",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "b5877334-677f-4fb9-86d5-a9721274223b": {
 "min_stack_version": "8.14",
@@ -11095,9 +11095,9 @@
 }
 },
 "rule_name": "Chkconfig Service Add",
- "sha256": "21e5aa78000484a6ec71a88a5576fdb6b587b05dcf7dfce464c4f80c2acb36cc",
+ "sha256": "8be542194e5f7b449a76977f17589bb7036a11db9dd64f5714117a25453d652a",
 "type": "eql",
- "version": 214
+ "version": 215
 },
 "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
 "rule_name": "Discovery of Domain Groups",
@@ -11129,9 +11129,9 @@
 },
 "b9666521-4742-49ce-9ddc-b8e84c35acae": {
 "rule_name": "Creation of Hidden Files and Directories via CommandLine",
- "sha256": "6eb78e4e68db04a09adf0fdb65a67e357d7241e22256f53fa3efe38323d47515",
+ "sha256": "f57cf744c08b2c30cfaf68b8eab90b66771b4e188cc2fc6eb0f59f7e9a12ff6d",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "b9960fef-82c6-4816-befa-44745030e917": {
 "min_stack_version": "8.14",
@@ -11168,9 +11168,9 @@
 }
 },
 "rule_name": "File Creation by Cups or Foomatic-rip Child",
- "sha256": "bf75ba62f1105bfb5b0c1a6818eb8027febd42efb55d134e7d5d25f967e06369",
+ "sha256": "9e1dc7c6029f13f97226975ccefeaa350760e8b64f53830c0dc035cc458248e9",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
 "min_stack_version": "8.14",
@@ -11242,9 +11242,9 @@
 },
 "bbaa96b9-f36c-4898-ace2-581acb00a409": {
 "rule_name": "Potential SYN-Based Port Scan Detected",
- "sha256": "05243ad8bcf1c489dda20542d41494fe6641f590a7c9163823244bca9ef5e080",
+ "sha256": "0ffdbbf812a677f1dd016ce2e7d9d185f7c0273ae4a7874f2b06728137c60cb5",
 "type": "threshold",
- "version": 9
+ "version": 10
 },
 "bbd1a775-8267-41fa-9232-20e5582596ac": {
 "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
@@ -11266,9 +11266,9 @@
 },
 "bc0fc359-68db-421e-a435-348ced7a7f92": {
 "rule_name": "Potential Privilege Escalation via Enlightenment",
- "sha256": "c495eca6bcb598a318fb77f1671382014e7772f5465284d0f6c25913744e6e5d",
+ "sha256": "7251fa979518f7ad95fffc7dee8b43ef1241f223f154ca62644fd6a9a03d5d82",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "bc1eeacf-2972-434f-b782-3a532b100d67": {
 "rule_name": "Attempt to Install Root Certificate",
@@ -11473,9 +11473,9 @@
 },
 "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
 "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
- "sha256": "d1081bdf15942c3ead0b673aca3c61da00f6a80d02751edf2450107ee01283ad",
+ "sha256": "efccc933a855ee7479813c356075dc5067945c868f9705b24f4d1f0c726ee2d8",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "c0429aa8-9974-42da-bfb6-53a0a515a145": {
 "min_stack_version": "8.14",
@@ -11537,9 +11537,9 @@
 },
 "c125e48f-6783-41f0-b100-c3bf1b114d16": {
 "rule_name": "Suspicious Renaming of ESXI index.html File",
- "sha256": "7bfc1be6cb1b3f2bc6acd909ac81053d7da40a859ce32f301f7448b76a17d4fe",
+ "sha256": "78b79becec80ebf3f377fa653549e66e920fe229147831d6c1d1b2951472e9f3",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "c1812764-0788-470f-8e74-eb4a14d47573": {
 "rule_name": "AWS EC2 Full Network Packet Capture Detected",
@@ -11602,15 +11602,15 @@
 },
 "c292fa52-4115-408a-b897-e14f684b3cb7": {
 "rule_name": "Persistence via Folder Action Script",
- "sha256": "aebb2d6e14deb297e5776a1b9acbd4365a9ca16d04e7f180425a7d9f597c79e4",
+ "sha256": "1e3d55ef91312f613f82e6c75780f14ca18d2bbefc4be9a309ed5bbfe21c3d15",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "c296f888-eac6-4543-8da5-b6abb0d3304f": {
 "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
- "sha256": "c56c5fbae20de71b0b2282d5c481c2ae900325075c2feb25b32907fb7565593e",
+ "sha256": "1dfc00c13d00b5a4452a22ec0f06ef4b2f0689891e18550018c35a8059f89e88",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "c2d90150-0133-451c-a783-533e736c12d7": {
 "min_stack_version": "8.14",
@@ -11947,9 +11947,9 @@
 },
 "c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
 "rule_name": "Egress Connection from Entrypoint in Container",
- "sha256": "bd9585b91a7e002b9713af6ecd82da4971298f71e200464b58abff6e760480cc",
+ "sha256": "ae093385db6c5f2043d8896e3231bad2eb9b222c41d58547015b4fea67e75a0a",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "c7894234-7814-44c2-92a9-f7d851ea246a": {
 "min_stack_version": "8.14",
@@ -12009,9 +12009,9 @@
 },
 "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
 "rule_name": "SMB Connections via LOLBin or Untrusted Process",
- "sha256": "43cde79e14c795e66c93f424bb5109e68b3c837ecaa1139fd6031167225af203",
+ "sha256": "0f889695cd8a152f7eee793851dc230ce7399798cd8ef6c49709ef3924b049f0",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "c85eb82c-d2c8-485c-a36f-534f914b7663": {
 "rule_name": "Virtual Machine Fingerprinting via Grep",
@@ -12033,9 +12033,9 @@
 },
 "c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
 "rule_name": "Potential Linux Ransomware Note Creation Detected",
- "sha256": "1c866f4e679c1ff78ef5ea91bd349d56335ecec0516fd39e16fa829dc5b0caa4",
+ "sha256": "97321613219e385f7acbb0881364252165707eac788a1480b73ddad510b2c2d4",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "min_stack_version": "8.14",
@@ -12098,9 +12098,9 @@
 "ca3bcacc-9285-4452-a742-5dae77538f61": {
 "min_stack_version": "8.13",
 "rule_name": "Polkit Version Discovery",
- "sha256": "9b78faf57a8b5d10a2f71d6ab2ab00366515792348714943ad1aa1ee2d303d00",
+ "sha256": "1daa21e6f3922e8216a3796c9b65d303920190bb2ffd847324cb55eff3517452",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
 "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
@@ -12274,9 +12274,9 @@
 }
 },
 "rule_name": "Kernel Module Removal",
- "sha256": "0d900e5572e3000cc32b07c35ac1201dca0eaa32fb23af0b0a837bd4a66af0ba",
+ "sha256": "838080c3b478f8de7d167a575f607f38e06a9411041e29d5a0f3c8be72f1f054",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
 "rule_name": "Downloaded URL Files",
@@ -12463,9 +12463,9 @@
 }
 },
 "rule_name": "Namespace Manipulation Using Unshare",
- "sha256": "a34a38a2bd69b76b11a281c127669096bb54a71939d3a68397b3b21f872b0401",
+ "sha256": "e0b9b778b8c39963c3189778b579a80dba4ae66cc8cd73cf01120c8b0ffe0d27",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
 "rule_name": "AWS Credentials Searched For Inside A Container",
@@ -12629,9 +12629,9 @@
 },
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "rule_name": "Shell Execution via Apple Scripting",
- "sha256": "200625c2fbf06bb29f0c8238d440907deefa32e29cfc3982a544f408d9b7fdd3",
+ "sha256": "d3c22e7edad44df7543bfb8c0d84839b41b82786b1de1ee5c05819890a61a13e",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "d488f026-7907-4f56-ad51-742feb3db01c": {
 "rule_name": "AWS S3 Bucket Replicated to Another Account",
@@ -12692,21 +12692,21 @@
 }
 },
 "rule_name": "Linux init (PID 1) Secret Dump via GDB",
- "sha256": "ae69c61f5dab3f5ba9b70f690911dca4cb31c94c9b851172f3093c18ea67a459",
+ "sha256": "12f7f9d6ea55e9ff587c8130acae50e3081e10e1ee41b58149e1a4cb74d2eb85",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "d55436a8-719c-445f-92c4-c113ff2f9ba5": {
 "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
- "sha256": "6362b1916a2b6791294870b918126ed2b46b5a96f795bd03409f2948502d95a3",
+ "sha256": "c72111177dc1c97186e853f7c03b41f573c7cfb81a533dc0f9156381a00a5cb5",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "d55abdfb-5384-402b-add4-6c401501b0c3": {
 "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
- "sha256": "c49807873cce90e54f6113c815e7c5772bf5e8273efeb370a5cb2812efcf171a",
+ "sha256": "17e9577dfbf339f5aa680ffac330813882588c59f8cc0f4d73bdc1865b72df9f",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "d563aaba-2e72-462b-8658-3e5ea22db3a6": {
 "min_stack_version": "8.14",
@@ -12772,9 +12772,9 @@
 },
 "d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
 "rule_name": "Unusual DPKG Execution",
- "sha256": "895b0b421e83d0c19bb678d6d2924fd5fabe2fe53d4b1c5bf1ba548d6ffa65ac",
+ "sha256": "6649690e0d48f4463fd9ea9af37d65f589e1c88723ac705b63965957e8021ebf",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
 "rule_name": "AWS CloudWatch Log Stream Deletion",
@@ -12873,9 +12873,9 @@
 }
 },
 "rule_name": "Suspicious Memory grep Activity",
- "sha256": "ec4ccab9d3dd84614e45cc02c3ca638790f46ac21b6b52ea32b08885e416649f",
+ "sha256": "b32fe770424c2bb1f42c024250666ed6908c7309fc3bb52716853793ca7deb49",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "d75991f2-b989-419d-b797-ac1e54ec2d61": {
 "rule_name": "SystemKey Access via Command Line",
@@ -12895,9 +12895,9 @@
 }
 },
 "rule_name": "Interactive Terminal Spawned via Python",
- "sha256": "f2c6a851be425812db9800238f821905d9956db9ec85937da8ce5b2d78f563b4",
+ "sha256": "b9ec78f42bbee517ba762cc989682ed667042fa1dbbf00a51d635480508b7d19",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "d79c4b2a-6134-4edd-86e6-564a92a933f9": {
 "rule_name": "Azure Blob Permissions Modification",
@@ -13135,9 +13135,9 @@
 }
 },
 "rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
- "sha256": "cfb81693b34a2db216c043943162205581d94349579a2b66a2675e3afedec5fa",
+ "sha256": "8690b4f17180de2e5b04b89a6a896c3a137fe7ebdd13e6982bfeee9fb2b135b8",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "dc61f382-dc0c-4cc0-a845-069f2a071704": {
 "min_stack_version": "8.13",
@@ -13173,9 +13173,9 @@
 }
 },
 "rule_name": "Potential Hidden Process via Mount Hidepid",
- "sha256": "0578fdb139348058c8c4a2e14b5a6ac8ae540f83b3f732433b174db4e0725628",
+ "sha256": "99b4b4a9e64fa970794d90bd46d37e2ad1f23280ede41d8a8de1841b6caf8622",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "dc765fb2-0c99-4e57-8c11-dafdf1992b66": {
 "min_stack_version": "8.13",
@@ -13261,9 +13261,9 @@
 },
 "dd52d45a-4602-4195-9018-ebe0f219c273": {
 "rule_name": "Network Connections Initiated Through XDG Autostart Entry",
- "sha256": "877ce9bd8dbd29cea230dc9f74e14b082161a6dbe3fa64633fae76d569dc6b3d",
+ "sha256": "3893d44e187bf13e2e0a5fffa35b36800a58de2f402432d79956113fb81f68dd",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
 "rule_name": "Reverse Shell Created via Named Pipe",
@@ -13336,9 +13336,9 @@
 }
 },
 "rule_name": "Base16 or Base32 Encoding/Decoding Activity",
- "sha256": "a1fcc107efdf93073c6b20ae1f2c19b8fd281cc4cb1e5877c5c362869279c555",
+ "sha256": "d096dd61e0fdd262df14f29f04e3818f84e1a5f4057cade79110ad3a929aac3c",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "ded09d02-0137-4ccc-8005-c45e617e8d4c": {
 "rule_name": "Query Registry using Built-in Tools",
@@ -13386,9 +13386,9 @@
 }
 },
 "rule_name": "Dynamic Linker Copy",
- "sha256": "158bf61594522a3d1f0fdde66ec6ddedf8126dd16a556cd2b9a67ea025ae233a",
+ "sha256": "f1a290ca66fac0299d00bfdb6b2303033c974c4a184dd32b9ae3e34b3b7ddc78",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "df7fda76-c92b-4943-bc68-04460a5ea5ba": {
 "rule_name": "Kubernetes Pod Created With HostPID",
@@ -13511,9 +13511,9 @@
 }
 },
 "rule_name": "Potentially Suspicious Process Started via tmux or screen",
- "sha256": "10bdf2a8cb060ef98b459f111677380e45c54d687124dbe465153fc00b2a538b",
+ "sha256": "afd239148a789428e9afc33cc2ed4df601459622d6b114f719be62ef217f425a",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
 "rule_name": "Whitespace Padding in Process Command Line",
@@ -13551,9 +13551,9 @@ } }, "rule_name": "Connection to External Network via Telnet", - "sha256": "d720edce6b79fc47c791e12e5f56665107bda8a672446989a274d7b62d630320", + "sha256": "9c4cb74b1de6b291bdd95cef6e4dc1db2fc043af96969f7a09811263b9866c96", "type": "eql", - "version": 208 + "version": 209 }, "e1db8899-97c1-4851-8993-3a3265353601": { "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", @@ -13573,9 +13573,9 @@ } }, "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "573c1614e9fd8cb5c852934bb98d126cd819067b93989525581aa5526b540646", + "sha256": "b5f28770a0cb6cc57839bec21e0d78f890b72c023a9f2a1f56329aa86d0bdcf6", "type": "eql", - "version": 107 + "version": 108 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "rule_name": "Spike in Successful Logon Events from a Source IP", @@ -13680,9 +13680,9 @@ } }, "rule_name": "Potential Data Splitting Detected", - "sha256": "e5a627c8877854a1743a8653bf701e6a542b29ef63ac512764742090ab97f019", + "sha256": "4cbc9c690c480e6a0c5458a4e2e93bcf347ef61202570333fb7b66342ba93b58", "type": "eql", - "version": 102 + "version": 103 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "min_stack_version": "8.14", @@ -13747,9 +13747,9 @@ } }, "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "55762f454327d9065371b5165062d4e75939cd27c5a7b9d08a60987b18431cbc", + "sha256": "465ac78f6958f74fff4f46a3ff16e69a49b534ccb7b037fa26cd2f352bd13690", "type": "eql", - "version": 215 + "version": 216 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "min_stack_version": "8.14", 
@@ -13871,9 +13871,9 @@ }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "3dbf9bc9fd85cfb35ac80dc541572c5d63b43929630586389dfb4d21d5f3abea", + "sha256": "021c60ecf962a5bbddbcccf61190972c6aedc8a3522201413fff29dce8e8c16f", "type": "eql", - "version": 108 + "version": 109 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", @@ -13973,9 +13973,9 @@ } }, "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "6863009c2b3d1dcd070aa298d0dd85428eda56639d10b0cd9df2fbf806b56ea0", + "sha256": "962391b35148784c37d51d9d75f577a0ae8c9c855443ec35d2e4dfb3c247e942", "type": "eql", - "version": 109 + "version": 110 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS EC2 Route Table Modified or Deleted", @@ -13985,9 +13985,9 @@ }, "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { "rule_name": "Network Connection by Cups or Foomatic-rip Child", - "sha256": "a8e2f8106c708db68e63844ac1cc428b8667fe3c36c280e89ff02504ec867eeb", + "sha256": "918d54c5a6647f2078e33a286ca77359e078e643772831ec0217ef3fc2478d8c", "type": "eql", - "version": 2 + "version": 3 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.14", @@ -14174,9 +14174,9 @@ }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", - "sha256": "709ead5c81ab3e462057c1d8214a1ba0a83c82b80ff27328133a1e0faf4c29d0", + "sha256": "e564804b6774ca1351834c65234f778427f64a1a8a9c63f54c7bceb478ea41a1", "type": "eql", - "version": 5 + "version": 6 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", 
@@ -14225,9 +14225,9 @@ "eb804972-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Behavior - Prevented - Elastic Defend", - "sha256": "a02516be221389871603168f7a42128228b546471c99d60bbf22ea310f6e54e3", + "sha256": "1800ba797dd4735b90e918df5d02719c09d98850d2bfb0880d9fa80ff8b72f5b", "type": "query", - "version": 2 + "version": 3 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.13", @@ -14241,9 +14241,9 @@ } }, "rule_name": "Potential Disabling of SELinux", - "sha256": "ddbc5c95a5cd722eb6547a67e6e8d7f04835cb44907b7480f2c46b5b94bc56c7", + "sha256": "e7211f890d92f3a7d930cfd4bc9d80fb4376b20adbbb602dd24721075ee45090", "type": "eql", - "version": 211 + "version": 212 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.14", @@ -14328,9 +14328,9 @@ }, "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", - "sha256": "5a63abf64de763c9eee2d8689dc1c75693f79b684903c4b6cb6941ea024892e0", + "sha256": "b69c69c1bbacce025e21987b18df13452767d8102331304cd46d1f177fb8a602", "type": "eql", - "version": 3 + "version": 4 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "rule_name": "Executable File with Unusual Extension", @@ -14478,9 +14478,9 @@ }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "ad6a020e96bacaa9b0609d324df1d4bede5193713d80abfaa29dd4bb5b83370b", + "sha256": "0a31cd84388698181bb0e4d15e98b40bea0da0c9be8c956e27580d00780e3893", "type": "eql", - "version": 108 + "version": 109 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.13", 
@@ -14494,9 +14494,9 @@ } }, "rule_name": "BPF filter applied using TC", - "sha256": "d93beefad79cf7690a39e4923afdc93fe4ed9d5dcd991c142db3b53b8c7edf28", + "sha256": "66e0fd97291e83d09d35179d1e16d22ed0b573f12480ce579f2d06bc6de7b380", "type": "eql", - "version": 209 + "version": 210 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "min_stack_version": "8.13", @@ -14510,9 +14510,9 @@ } }, "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "a6758e15fce5ea6d93d0095eea2a912b516de9b55a219b77b27a978d7f17f588", + "sha256": "5270c503b5846ad6b35fd79100b8270b2b26c8f6968c90d112b8f672cfe55507", "type": "eql", - "version": 108 + "version": 109 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "rule_name": "Potential Container Escape via Modified notify_on_release File", @@ -14589,9 +14589,9 @@ }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", - "sha256": "f28f5314da6a041075848884c58593ba3bf4868e10c7789f92de570c17b6a730", + "sha256": "66dc553f0e5d998d6287bc5b3bb0efe2b016816411c35e13834d2fa558a64ad2", "type": "eql", - "version": 110 + "version": 111 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Alert Suppression Rule Created or Modified", @@ -14617,9 +14617,9 @@ } }, "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "8f51b11fbb85ef6502fd4aeef70d40c1a0a94600569968410fcbcfe78e864fd2", + "sha256": "3e3a90a47139a3dc0d1c763351373920dee8e161a176b916ccca2e6be16dfed7", "type": "eql", - "version": 108 + "version": 109 }, "f18a474c-3632-427f-bcf5-363c994309ee": { "min_stack_version": "8.13", 
@@ -14667,9 +14667,9 @@ }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "ef281309a553487eec147442e89518ebb16d626f9c63c5ffd94663b7a1e6fd89", + "sha256": "789001d17851c913e16d3c0cc68a245041a71e317aee771f954879787be2e107", "type": "eql", - "version": 109 + "version": 110 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.13", @@ -14690,9 +14690,9 @@ "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Malicious File - Detected - Elastic Defend", - "sha256": "b483ff55b947e2e93555fb3aa39f1789262e4edb4e5694c10bc19b8a2c486dbf", + "sha256": "6e2ffd6be5eec401665da9f328ea418437bc87ae39325fbda96eb3fefbeac4ac", "type": "query", - "version": 2 + "version": 3 }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "min_stack_version": "8.13", @@ -14789,9 +14789,9 @@ }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { "rule_name": "Suspicious Network Connection via systemd", - "sha256": "d1171e16d5e8259411aec72aea33cb1c2682fd2d4af82e789944805eceac591d", + "sha256": "9ed35a351e57a72bfce5b7738b0f267bbd83cf55d98a20e89c2437107a1a6c21", "type": "eql", - "version": 4 + "version": 5 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", @@ -14808,9 +14808,9 @@ }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Potential curl CVE-2023-38545 Exploitation", - "sha256": "75349fcdfe56a8631cc9346fd2f8623691f57c7e7fa533feab6431c354a3b8e8", + "sha256": "997e81e732075c8530c62edcc3e0dbacfdc2a918bb79517ee27cc287a6c74b07", "type": "eql", - "version": 7 + "version": 8 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.14", 
@@ -14885,9 +14885,9 @@ }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "89e1134e735b229a7ad239acdb9c85a68c40b34f96a19fe908c12ded3f7e5410", + "sha256": "1049a0ba43faccfc6c8219d7fbf5b81cd5c21f97a63be1f334d9b8b883e8d73a", "type": "eql", - "version": 7 + "version": 8 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.14", @@ -14985,9 +14985,9 @@ } }, "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "6ecb726bdefbe3899c1e739affa928cfbfd0e6eba44de225efcc3d904dab6007", + "sha256": "e41e3069e64db02d6742f75d9126315cfeee13e18851f97d1260e4fd6b35d76f", "type": "eql", - "version": 107 + "version": 108 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "8.14", @@ -15171,9 +15171,9 @@ }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", - "sha256": "deffcca6a713e80f7c6197c17ee1be6a9f98b582e6c922548acf9ab45a49f882", + "sha256": "12e7c55fee43e3358537c176334e6b7cd84b05d2c67c317c3fd90c4e662fb744", "type": "eql", - "version": 4 + "version": 5 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.14", @@ -15201,9 +15201,9 @@ "f87e6122-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Malicious File - Prevented - Elastic Defend", - "sha256": "67ffe83c5432e13fcf6b7e4cf476f32cfa6c44e604a32fe07f2cbb1ac508042b", + "sha256": "d1c898be638d5096dd716fa069d4f97939ae4f046843453bfc9ed889ab139d89", "type": "query", - "version": 2 + "version": 3 }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { "min_stack_version": "8.14", 
@@ -15358,9 +15358,9 @@ }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "cd83e2dee4122108d811abf45e532d0dc27fdac8ec1673c2ad306e85c97819f2", + "sha256": "ede3e3c7248ecf6e1f840d2bdc7b319a96a0b3eb97e6051872ad5b77a370e616", "type": "eql", - "version": 8 + "version": 9 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.14",
@@ -15397,9 +15397,9 @@ } }, "rule_name": "Potential Disabling of AppArmor", - "sha256": "dd0c697b12d206fc9f3004381077e6f7a2367ed6acc0112544ccd443afccb2f3", + "sha256": "a7096f2d6c73fe27e1f80b1da2c040a60eb8eb8d159f2eb8af2f6bbb2cb3dcc2", "type": "eql", - "version": 108 + "version": 109 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL",
@@ -15784,8 +15784,8 @@ } }, "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "b3a0fb9a91e96e465bf2e1a9c90fbdfcd2446a6bd3d40d9b7b245f49e82a8155", + "sha256": "5d48f1579b67e658a9ebfd53af34e7acdd767d850d05135ee9de6568e1f9d791", "type": "eql", - "version": 108 + "version": 109 } }
\ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index 17889689bf3..5043a3adf73 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.4.9"
+version = "0.4.10"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"