diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index b0b412879cb..53bc1c6d9b0 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -380,9 +380,9 @@
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "rule_name": "Anomalous Windows Process Creation",
- "sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579",
+ "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c",
 "type": "machine_learning",
- "version": 105
+ "version": 106
 },
 "0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
 "rule_name": "User account exposed to Kerberoasting",
@@ -404,9 +404,9 @@
 },
 "0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
 "rule_name": "Threat Intel IP Address Indicator Match",
- "sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290",
+ "sha256": "73f1d7ac5e48ae941a948cf4fd8934aa63350e31aa9b81f06de2f8543783dd7d",
 "type": "threat_match",
- "version": 6
+ "version": 7
 },
 "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
 "rule_name": "Peripheral Device Discovery",
@@ -651,9 +651,9 @@
 },
 "138c5dd5-838b-446e-b1ac-c995c7f8108a": {
 "rule_name": "Rare User Logon",
- "sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679",
+ "sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
 "rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
@@ -785,33 +785,33 @@
 },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "rule_name": "Unusual Windows Username",
- "sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120",
+ "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "1781d055-5c66-4adf-9c71-fc0fa58338c7": {
 "rule_name": "Unusual Windows Service",
- "sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a",
+ "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "1781d055-5c66-4adf-9d60-fc0fa58337b6": {
 "rule_name": "Suspicious Powershell Script",
- "sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3",
+ "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "1781d055-5c66-4adf-9d82-fc0fa58449c8": {
 "rule_name": "Unusual Windows User Privilege Elevation Activity",
- "sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5",
+ "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "1781d055-5c66-4adf-9e93-fc0fa69550c9": {
 "rule_name": "Unusual Windows Remote User",
- "sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9",
+ "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "17b0a495-4d9f-414c-8ad0-92f018b8e001": {
 "rule_name": "Systemd Service Created",
@@ -827,9 +827,9 @@
 },
 "17e68559-b274-4948-ad0b-f8415bb31126": {
 "rule_name": "Unusual Network Destination Domain Name",
- "sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8",
+ "sha256": "0bcbe426712010462b5b8c7b7e268f1c7edb9b662ab4b0db3cdb41c9ded8b7fa",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "184dfe52-2999-42d9-b9d1-d1ca54495a61": {
 "rule_name": "GCP Logging Sink Modification",
@@ -858,9 +858,9 @@
 },
 "192657ba-ab0e-4901-89a2-911d611eee98": {
 "rule_name": "Potential Persistence via File Modification",
- "sha256": "13724ccfbad7645a55a6148fd2331a0f15181aca09d104bc269cddfeb702bb7d",
+ "sha256": "328df92dbc73dc43154f8b6998e6a2201211089ea4fca02386b1d1180d51cf36",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
 "rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -870,9 +870,9 @@
 },
 "19de8096-e2b0-4bd8-80c9-34a820813fff": {
 "rule_name": "Rare AWS Error Code",
- "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec",
+ "sha256": "e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c",
 "type": "machine_learning",
- "version": 208
+ "version": 209
 },
 "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
 "rule_name": "Spike in Number of Processes in an RDP Session",
@@ -1068,9 +1068,9 @@
 },
 "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
 "rule_name": "Unusual Sudo Activity",
- "sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c",
+ "sha256": "1b4afd134fbb5d5c1cb57e6672f3fbcc22b63ae075701aa614af5619f80cff4e",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
 "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
@@ -1086,9 +1086,9 @@
 },
 "1faec04b-d902-4f89-8aff-92cd9043c16f": {
 "rule_name": "Unusual Linux User Calling the Metadata Service",
- "sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9",
+ "sha256": "1020c70dcaf191d3b48430a916809caba50985d924ebc5a379d1de8c0dc3fca9",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "1fe3b299-fbb5-4657-a937-1d746f2c711a": {
 "rule_name": "Unusual Network Activity from a Windows System Binary",
@@ -1232,6 +1232,13 @@
 "type": "new_terms",
 "version": 1
 },
+ "23f18264-2d6d-11ef-9413-f661ea17fbce": {
+ "min_stack_version": "8.13",
+ "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
+ "sha256": "68aeb823e4de7c8e670285a009dd7c9fc39ae2a9abf83f65c35df1d9818dd586",
+ "type": "esql",
+ "version": 1
+ },
 "24401eca-ad0b-4ff9-9431-487a8e183af9": {
 "rule_name": "New GitHub Owner Added",
 "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764",
@@ -1586,11 +1593,20 @@
 "version": 2
 },
 "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
- "min_stack_version": "8.10",
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.10": {
+ "max_allowable_version": 100,
+ "rule_name": "Okta User Sessions Started from Different Geolocations",
+ "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
+ "type": "threshold",
+ "version": 1
+ }
+ },
 "rule_name": "Okta User Sessions Started from Different Geolocations",
- "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
- "type": "threshold",
- "version": 1
+ "sha256": "46d05336c091b15f5411222d6025f5b05a2712ed0cdad1ae60eda64282563004",
+ "type": "esql",
+ "version": 101
 },
 "2e580225-2a58-48ef-938b-572933be06fe": {
 "rule_name": "Halfbaked Command and Control Beacon",
@@ -1820,9 +1836,9 @@
 },
 "35f86980-1fb1-4dff-b311-3be941549c8d": {
 "rule_name": "Network Traffic to Rare Destination Country",
- "sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82",
+ "sha256": "4717b0d0eb76707afa4f290f2239c9c078684d413574d6615ec4c298bd38495c",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "3605a013-6f0c-4f7d-88a5-326f5be262ec": {
 "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
@@ -1964,6 +1980,12 @@
 "type": "eql",
 "version": 8
 },
+ "3a657da0-1df2-11ef-a327-f661ea17fbcc": {
+ "rule_name": "Rapid7 Threat Command CVEs Correlation",
+ "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1",
+ "type": "threat_match",
+ "version": 1
+ },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
 "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
@@ -2025,9 +2047,9 @@
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "rule_name": "Unusual Linux Network Port Activity",
- "sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9",
+ "sha256": "c9f2e221dc5c9b631010dd7a284367f67e996150f41da955b0bcb0608b3c0358",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "3d00feab-e203-4acc-a463-c3e15b7e9a73": {
 "rule_name": "ScreenConnect Server Spawning Suspicious Processes",
@@ -2233,9 +2255,9 @@
 },
 "4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
 "rule_name": "Unusual Login Activity",
- "sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c",
+ "sha256": "fdcb136029096fba35b1435354f3b4a22f6dcab41a79c2096a9f6a69530cf553",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "43303fd4-4839-4e48-b2b2-803ab060758d": {
 "rule_name": "Web Application Suspicious Activity: No User Agent",
@@ -2257,9 +2279,9 @@
 },
 "445a342e-03fb-42d0-8656-0367eb2dead5": {
 "rule_name": "Unusual Windows Path Activity",
- "sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e",
+ "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
 "rule_name": "Potential Masquerading as VLC DLL",
@@ -2311,9 +2333,9 @@
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "rule_name": "Unusual Process For a Linux Host",
- "sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782",
+ "sha256": "816980152a0f36cc1d798d0b07b1c2c7814d4362233efb481d1f0525d8705fb1",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "rule_name": "Potential Persistence Through init.d Detected",
@@ -2389,9 +2411,9 @@
 },
 "493834ca-f861-414c-8602-150d5505b777": {
 "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
- "sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0",
+ "sha256": "c43d7caff55a0e669d84e34d8cb65261d090952151144bb98ddc066fb35fb251",
 "type": "threshold",
- "version": 101
+ "version": 102
 },
 "494ebba4-ecb7-4be4-8c6f-654c686549ad": {
 "rule_name": "Potential Linux Backdoor User Account Creation",
@@ -2652,9 +2674,9 @@
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "rule_name": "Unusual Linux Network Activity",
- "sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7",
+ "sha256": "55992af5ec9860d11678c489909dda9a45c32e993b83107a655b61fffe7b5fd1",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "52afbdc5-db15-485e-bc35-f5707f820c4c": {
 "rule_name": "Unusual Linux Web Activity",
@@ -2857,6 +2879,12 @@
 "type": "eql",
 "version": 3
 },
+ "57bfa0a9-37c0-44d6-b724-54bf16787492": {
+ "rule_name": "DNS Global Query Block List Modified or Disabled",
+ "sha256": "c31bbb3334b07220c4b6cef2aa9a19eab7c31d95eb16d2aa4e9238bee56e8c23",
+ "type": "eql",
+ "version": 1
+ },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
 "sha256": "f0266b580614dbb0c7ec5ff4505f577f89518b4141c2b2c116082bbf595986e5",
@@ -2907,9 +2935,9 @@
 },
 "59756272-1998-4b8c-be14-e287035c4d10": {
 "rule_name": "Unusual Linux User Discovery Activity",
- "sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225",
+ "sha256": "ee20cd99bcb1d96c1b45a7497beed44d5f9a3ea2acd13f0bb8e35352cbf59909",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
@@ -3010,9 +3038,9 @@
 },
 "5c983105-4681-46c3-9890-0c66d05e776b": {
 "rule_name": "Unusual Linux Process Discovery Activity",
- "sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380",
+ "sha256": "f9a87ae54214bad3a060e755e979bde3234717dd912edb1867dd9bb0f3f658b1",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
 "rule_name": "Potential Defense Evasion via PRoot",
@@ -3050,6 +3078,12 @@
 "type": "eql",
 "version": 108
 },
+ "5d676480-9655-4507-adc6-4eec311efff8": {
+ "rule_name": "Unsigned DLL loaded by DNS Service",
+ "sha256": "ff6aae20990da6a915ef2a0f93547eabc6c109425ad02e3ee30fbad6a7fcf19c",
+ "type": "eql",
+ "version": 1
+ },
 "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
 "rule_name": "Suspicious Automator Workflows Execution",
 "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906",
@@ -3208,9 +3242,9 @@
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "rule_name": "Anomalous Process For a Linux Population",
- "sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096",
+ "sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
 "rule_name": "Modification of Safari Settings via Defaults Command",
@@ -3420,6 +3454,13 @@
 "type": "query",
 "version": 106
 },
+ "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
+ "min_stack_version": "8.13",
+ "rule_name": "AWS IAM User Created Access Keys For Another User",
+ "sha256": "47b579b9a56ed6ea73b213367dcfbd08587402835edd04fc34313a9314a6cd79",
+ "type": "esql",
+ "version": 1
+ },
 "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
 "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
 "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
@@ -3511,9 +3552,9 @@
 },
 "6d448b96-c922-4adb-b51c-b767f1ea5b76": {
 "rule_name": "Unusual Process For a Windows Host",
- "sha256": "1259847bc59ec8a6f2558f519c3d33e6a2166fa18da8ef169a7d2de8a08225c6",
+ "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203",
 "type": "machine_learning",
- "version": 108
+ "version": 109
 },
 "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
 "rule_name": "Potential Privilege Escalation via CVE-2023-4911",
@@ -3529,9 +3570,9 @@
 },
 "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
 "rule_name": "Anomalous Process For a Windows Population",
- "sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd",
+ "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623",
 "type": "machine_learning",
- "version": 105
+ "version": 106
 },
 "6e9130a5-9be6-48e5-943a-9628bfc74b18": {
 "rule_name": "AdminSDHolder Backdoor",
@@ -3725,15 +3766,15 @@
 },
 "745b0119-0560-43ba-860a-7235dd8cee8d": {
 "rule_name": "Unusual Hour for a User to Logon",
- "sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c",
+ "sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "746edc4c-c54c-49c6-97a1-651223819448": {
 "rule_name": "Unusual DNS Activity",
- "sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577",
+ "sha256": "be2743603bcbf86cc96a4bdfd8c5de3f4377cc7621eeafe530eac2db9e6342c7",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "7592c127-89fb-4209-a8f6-f9944dfd7e02": {
 "rule_name": "Suspicious Sysctl File Event",
@@ -3856,9 +3897,9 @@
 },
 "78d3d8d9-b476-451d-a9e0-7a5addd70670": {
 "rule_name": "Spike in AWS Error Messages",
- "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2",
+ "sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e",
 "type": "machine_learning",
- "version": 208
+ "version": 209
 },
 "78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
 "min_stack_version": "8.13",
@@ -4068,9 +4109,9 @@
 },
 "809b70d3-e2c3-455e-af1b-2626a5a1a276": {
 "rule_name": "Unusual City For an AWS Command",
- "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199",
+ "sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2",
 "type": "machine_learning",
- "version": 208
+ "version": 209
 },
 "80c52164-c82a-402c-9964-852533d58be1": {
 "rule_name": "Process Injection - Detected - Elastic Endgame",
@@ -4285,6 +4326,12 @@
 "type": "eql",
 "version": 108
 },
+ "894326d2-56c0-4342-b553-4abfaf421b5b": {
+ "rule_name": "Potential WPAD Spoofing via DNS Record Creation",
+ "sha256": "e31ebc9b2e2d37078a625aed023401808117893b3d430c3d1efa9613c4c25e8b",
+ "type": "eql",
+ "version": 1
+ },
 "89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
 "rule_name": "Linux Restricted Shell Breakout via the vi command",
 "sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
@@ -4526,21 +4573,21 @@
 },
 "91f02f01-969f-4167-8d77-07827ac4cee0": {
 "rule_name": "Unusual Web User Agent",
- "sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347",
+ "sha256": "2acbdd0a26677cad2bb141876358cb764775e21d0e209f84d883f66ed4cc509c",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "91f02f01-969f-4167-8f55-07827ac3acc9": {
 "rule_name": "Unusual Web Request",
- "sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1",
+ "sha256": "974cc349d144864b4b2c7bf8228f2ef15c5942087c8d3b0c220d50909b0b8f71",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "91f02f01-969f-4167-8f66-07827ac3bdd9": {
 "rule_name": "DNS Tunneling",
- "sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea",
+ "sha256": "97758f8c16d53ae0d9fd710f22e21664a5e7ac786569e132352b563c0fec69cb",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "929223b4-fba3-4a1c-a943-ec4716ad23ec": {
 "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
@@ -4577,10 +4624,11 @@
 "version": 3
 },
 "93075852-b0f5-4b8b-89c3-a226efae5726": {
+ "min_stack_version": "8.9",
 "rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
- "sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860",
+ "sha256": "eccf879f86a18747a6744cb2d0084cf9aef85286bfb2fb37f3302d9f20d3d86c",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
 "rule_name": "Sudoers File Modification",
@@ -4653,6 +4701,13 @@
 "type": "eql",
 "version": 8
 },
+ "94e734c0-2cda-11ef-84e1-f661ea17fbce": {
+ "min_stack_version": "8.13",
+ "rule_name": "Multiple Okta User Authentication Events with Client Address",
+ "sha256": "58ae4c29b8169b66911606add6b41d931703e9b60ab61eeeed2c2199d336378e",
+ "type": "esql",
+ "version": 1
+ },
 "9510add4-3392-11ed-bd01-f661ea17fbce": {
 "rule_name": "Google Workspace Custom Gmail Route Created or Modified",
 "sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1",
@@ -4677,6 +4732,13 @@
 "type": "query",
 "version": 108
 },
+ "95b99adc-2cda-11ef-84e1-f661ea17fbce": {
+ "min_stack_version": "8.13",
+ "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
+ "sha256": "22d8f8f7b3a1f49d8a20f6a8689d8b956724b24cc7694994859ce03c6909068d",
+ "type": "esql",
+ "version": 1
+ },
 "9661ed8b-001c-40dc-a777-0983b7b0c91a": {
 "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
 "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9",
@@ -4867,9 +4929,9 @@
 },
 "99dcf974-6587-4f65-9252-d866a3fdfd9c": {
 "rule_name": "Spike in Failed Logon Events",
- "sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f",
+ "sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
 "rule_name": "Endpoint Security",
@@ -5007,9 +5069,9 @@
 },
 "9d302377-d226-4e12-b54c-1906b5aec4f6": {
 "rule_name": "Unusual Linux Process Calling the Metadata Service",
- "sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5",
+ "sha256": "1c176b99688c3dfffb29f7fd942a5db17890c0e4c8507595266a7ef192f0698c",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
 "rule_name": "Potential Protocol Tunneling via EarthWorm",
@@ -5177,9 +5239,9 @@
 },
 "a61809f3-fb5b-465c-8bff-23a8a068ac60": {
 "rule_name": "Threat Intel Windows Registry Indicator Match",
- "sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6",
+ "sha256": "911df9a41bce872a7cd60687c487a8d1b6d05ca3e4c2748968cefb7fdc63f3b3",
 "type": "threat_match",
- "version": 6
+ "version": 7
 },
 "a624863f-a70d-417f-a7d2-7a404638d47f": {
 "rule_name": "Suspicious MS Office Child Process",
@@ -5292,9 +5354,9 @@
 },
 "aab184d3-72b3-4639-b242-6597c99d8bca": {
 "rule_name": "Threat Intel Hash Indicator Match",
- "sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe",
+ "sha256": "e1161667047c076c8d8e436e3ce9b940a7089c5cf8587b557f3b3b52119d231a",
 "type": "threat_match",
- "version": 7
+ "version": 8
 },
 "ab75c24b-2502-43a0-bf7c-e60e662c811e": {
 "rule_name": "Remote Execution via File Shares",
@@ -5304,9 +5366,9 @@
 },
 "abae61a8-c560-4dbd-acca-1e1438bff36b": {
 "rule_name": "Unusual Windows Process Calling the Metadata Service",
- "sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51",
+ "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "ac412404-57a5-476f-858f-4e8fbb4f48d8": {
 "rule_name": "Potential Persistence via Login Hook",
@@ -5339,9 +5401,9 @@
 },
 "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
 "rule_name": "Unusual AWS Command for a User",
- "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49",
+ "sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee",
 "type": "machine_learning",
- "version": 208
+ "version": 209
 },
 "ac8805f6-1e08-406c-962e-3937057fa86f": {
 "rule_name": "Potential Protocol Tunneling via Chisel Server",
@@ -5508,9 +5570,9 @@
 },
 "b240bfb8-26b7-4e5e-924e-218144a3fa71": {
 "rule_name": "Spike in Network Traffic",
- "sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6",
+ "sha256": "de46ac771569265cca83a3eb78ca92c48cf3478e0c49d68ffeb12dfeeaeccaf5",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
 "rule_name": "Remote File Copy via TeamViewer",
@@ -5532,9 +5594,9 @@
 },
 "b347b919-665f-4aac-b9e8-68369bf2340c": {
 "rule_name": "Unusual Linux Username",
- "sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016",
+ "sha256": "a06f31bcbb968f4b0f7c2b9729c84a695e91e13c34ea63cd6aaedb3ccb06324d",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
 "rule_name": "Suspicious Endpoint Security Parent Process",
@@ -5625,6 +5687,12 @@
 "type": "eql",
 "version": 1
 },
+ "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
+ "rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
+ "sha256": "8af473db73fdf2cb22badcbf84c85a6ad922b4d8122fe10962a2210d0e73f2d4",
+ "type": "eql",
+ "version": 1
+ },
 "b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
 "rule_name": "Azure Event Hub Authorization Rule Created or Updated",
 "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09",
@@ -5777,9 +5845,9 @@
 },
 "ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
 "rule_name": "Unusual Windows Network Activity",
- "sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad",
+ "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "ba81c182-4287-489d-af4d-8ae834b06040": {
 "rule_name": "Kernel Driver Load by non-root User",
@@ -6007,9 +6075,9 @@
 },
 "c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
 "rule_name": "Unusual Linux Network Connection Discovery",
- "sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d",
+ "sha256": "7d982bb13ae1a04e1debe5ea0265e3e5d576b25838f8bd13877d6c5a1b77a681",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "c292fa52-4115-408a-b897-e14f684b3cb7": {
 "rule_name": "Persistence via Folder Action Script",
@@ -6195,9 +6263,9 @@
 },
 "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
 "rule_name": "Spike in Network Traffic To a Country",
- "sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61",
+ "sha256": "f4b60bfd164d4de31f46f95a825acf02d2de3a0105fbea2b689f27ab7e13639c",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "c81cefcb-82b9-4408-a533-3c3df549e62d": {
 "rule_name": "Persistence via Docker Shortcut Modification",
@@ -6384,9 +6452,9 @@
 },
 "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
 "rule_name": "Anomalous Linux Compiler Activity",
- "sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793",
+ "sha256": "71e437f699c5d256f96075db61c66ace40b1ed47dd875360db1c99de905bff79",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
 "rule_name": "Kernel Module Removal",
@@ -6598,15 +6666,15 @@
 },
 "d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
 "rule_name": "Unusual Linux System Information Discovery Activity",
- "sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f",
+ "sha256": "a740cf8d2af1163a0caf8571d1fa427c9ffbb89c38d76d67e0c2b0c96f6a6eec",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "d4b73fa0-9d43-465e-b8bf-50230da6718b": {
 "rule_name": "Unusual Source IP for a User to Logon from",
- "sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041",
+ "sha256": "52036d5d366833aa7013ae971eb5ed3ed41df8bea6cf821f0e49dbd0a551fa1d",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
 "rule_name": "Linux init (PID 1) Secret Dump via GDB",
@@ -6729,9 +6797,9 @@
 },
 "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
 "rule_name": "Spike in Logon Events",
- "sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203",
+ "sha256": "c88f7b8030359f06613e9c7fd1bf60b5c1e8f86f7d7febccd34c7969e1077bbc",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
 "rule_name": "SMTP on Port 26/TCP",
@@ -6751,6 +6819,12 @@
 "type": "query",
 "version": 209
 },
+ "d93e61db-82d6-4095-99aa-714988118064": {
+ "rule_name": "NTDS Dump via Wbadmin",
+ "sha256": "84e3ebcc0dbbee2d61dda40d2f1a217ec6da8bdd5a345ae29b4efc42a3ba7883",
+ "type": "eql",
+ "version": 1
+ },
 "d99a037b-c8e2-47a5-97b9-170d076827c4": {
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
 "sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1",
@@ -6837,9 +6911,9 @@
 },
 "dca28dee-c999-400f-b640-50a081cc0fd1": {
 "rule_name": "Unusual Country For an AWS Command",
- "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561",
+ "sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29",
 "type": "machine_learning",
- "version": 208
+ "version": 209
 },
 "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
 "rule_name": "Suspicious Execution from INET Cache",
@@ -6904,9 +6978,9 @@
 },
 "df197323-72a8-46a9-a08e-3f5b04a4a97a": {
 "rule_name": "Unusual Windows User Calling the Metadata Service",
- "sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce",
+ "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "df26fd74-1baa-4479-b42e-48da84642330": {
 "rule_name": "Azure Automation Account Created",
@@ -7035,9 +7109,9 @@
 },
 "e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
 "rule_name": "Spike in Successful Logon Events from a Source IP",
- "sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff",
+ "sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "e26f042e-c590-4e82-8e05-41e81bd822ad": {
 "min_stack_version": "8.12",
@@ -7365,9 +7439,9 @@
 },
 "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
 "rule_name": "Spike in Firewall Denies",
- "sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a",
+ "sha256": "260bc7516505de6ab2ad79dccd957b4dc8c0f76dcbf987df647077cc0ced1f52",
 "type": "machine_learning",
- "version": 103
+ "version": 104
 },
 "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
 "rule_name": "Suspicious APT Package Manager Network Connection",
@@ -7706,9 +7780,9 @@
 },
 "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
 "rule_name": "Threat Intel URL Indicator Match",
- "sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471",
+ "sha256": "cf0a030c5e18e30adb504961ef9b25c02002c86f068800908ed13e0f329267de",
 "type": "threat_match",
- "version": 6
+ "version": 7
 },
 "f41296b4-9975-44d6-9486-514c6f635b2d": {
 "rule_name": "Potential curl CVE-2023-38545 Exploitation",
@@ -7888,9 +7962,9 @@
 },
 "f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
 "rule_name": "Unusual Linux Network Configuration Discovery",
- "sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042",
+ "sha256": "d2f746819d1c581d86f596e696374d72b6b6ef60f9710488f0f34085b80a3e59",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "f95972d3-c23b-463b-89a8-796b3f369b49": {
 "rule_name": "Ingress Transfer via Windows BITS",