diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 0147e5f38a0..4fa6fc29482 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -5,22 +5,22 @@
 "8.12": {
 "max_allowable_version": 309,
 "rule_name": "Attempt to Modify an Okta Policy Rule",
- "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
+ "sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99",
 "type": "query",
- "version": 210
+ "version": 211
 },
 "8.14": {
 "max_allowable_version": 410,
 "rule_name": "Attempt to Modify an Okta Policy Rule",
- "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
+ "sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99",
 "type": "query",
- "version": 311
+ "version": 312
 }
 },
 "rule_name": "Attempt to Modify an Okta Policy Rule",
- "sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a",
+ "sha256": "983f1980633f2fdeefc4b7d50b5e5662382880e65a27b51351387386cf225207",
 "type": "query",
- "version": 411
+ "version": 412
 },
 "00140285-b827-4aee-aa09-8113f58a08f3": {
 "min_stack_version": "8.14",
@@ -51,59 +51,59 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "System Shells via Services",
- "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783",
+ "sha256": "234ca1d03d9490f694e58e4e930034af44bc5607d0b3d9b618220e2c43f63709",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 413,
 "rule_name": "System Shells via Services",
- "sha256": "708a60d7b82bcae8d3c5d83d4e192c9b30bb0f4e8d73b7c6c3cb947d05f98199",
+ "sha256": "053a24a7c772b51aa6c4cacaaf2b60d644b999d648117254f85fb9550c02b7d1",
 "type": "eql",
- "version": 314
+ "version": 315
 }
 },
 "rule_name": "System Shells via Services",
- "sha256": "15ba51d5a9926689787c960642056ab3de981a47b061a42487b3d8425f22e435",
+ "sha256": "3c7e037d08a986cffce89446616f2c30c98c4f0c30ab9560f83af5f3f4ae76dc",
 "type": "eql",
- "version": 415
+ "version": 416
 },
 "0049cf71-fe13-4d79-b767-f7519921ffb5": {
 "rule_name": "System Binary Path File Permission Modification",
- "sha256": "f349feeacc158450a8c5f0668ae859afc19fd12c10c89d18b3f0f2ddd04215dd",
+ "sha256": "110f1d5ec2ca1f18a3743314973ced9654ea4260ae861e092afd16c9f929ecd4",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "00678712-b2df-11ed-afe9-f661ea17fbcc": {
 "rule_name": "Google Workspace Suspended User Account Renewed",
- "sha256": "8283b518baac8842c7ce326891bda4e15bace4d280e83afbd132727190139aee",
+ "sha256": "084af080fe0d6182cf5ea6c48b232167996f3eead720253e885568afa89e5afa",
 "type": "query",
- "version": 3
+ "version": 4
 },
 "0136b315-b566-482f-866c-1d8e2477ba16": {
 "rule_name": "Microsoft 365 User Restricted from Sending Email",
- "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f",
+ "sha256": "3d31dd5d0a8353000b212c5ffe3b14f5abe88a3f98db97488625321608bd20f0",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "015cca13-8832-49ac-a01b-a396114809f6": {
 "rule_name": "AWS Redshift Cluster Creation",
- "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca",
+ "sha256": "1341375c3cccb30e7ed441439c386122fec8eca43759b591f42c42d2bd11083f",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "0171f283-ade7-4f87-9521-ac346c68cc9b": {
 "rule_name": "Potential Network Scan Detected",
- "sha256": "0b7bd18f56d2a7b5f3bc16613aeb6e2a09c6a9ccc54a0592c9835fff18811b79",
+ "sha256": "c1b9eadbd36d57badf096a96ee583481a92a6e1de6d1e40b428fb368591eff60",
 "type": "threshold",
- "version": 7
+ "version": 8
 },
 "017de1e4-ea35-11ee-a417-f661ea17fbce": {
 "min_stack_version": "8.16",
 "rule_name": "Memory Threat - Detected - Elastic Defend",
- "sha256": "9bd0f3d01ba4fa20cad1d9fbbc2e6ceb49cc0b07a3e1c1c6250c0f990af738e6",
+ "sha256": "a6477740d6012e55a9333f32ef516a7b656ca22dba1362371129cc6f75da54ab",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
 "min_stack_version": "8.13",
@@ -127,15 +127,15 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Potential Cookies Theft via Browser Debugging",
- "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10",
+ "sha256": "810907d90a27aee361c0e4bdf4d0bfe79e58e47c2b9f7a8df4b14ad750f1aa8a",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Potential Cookies Theft via Browser Debugging",
- "sha256": "28cbeaec5f3660a4e3a04bc6a7cb9638f8a0875530b512ad5614994fe1c3f004",
+ "sha256": "dbcb6ee16e0332c0f9e3c35385be6f5264364abf46e4cfa8504e52f66afc3999",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "0294f105-d7af-4a02-ae90-35f56763ffa2": {
 "min_stack_version": "8.13",
@@ -155,9 +155,9 @@
 },
 "02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
 "rule_name": "Process Created with an Elevated Token",
- "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db",
+ "sha256": "1ac8ed3b1ca5fea1b2f1908042c00a316d4459af2220eb483569bcea820be9c1",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "02a4576a-7480-4284-9327-548a806b5e48": {
 "min_stack_version": "8.14",
@@ -165,15 +165,15 @@
 "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
- "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac",
+ "sha256": "376189f0989a9c834ea9e807f1c31236301e528eec227aa389419a7e53aeabf0",
 "type": "eql",
- "version": 208
+ "version": 209
 }
 },
 "rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
- "sha256": "378f6d82a234a955375536d3a61db47a5093fe754b62078f81f9746f4e1a3ac7",
+ "sha256": "3e2498d141db920ce8fc17488acde7032ea81b42d39f7e26c4050febb32a3bec",
 "type": "eql",
- "version": 308
+ "version": 309
 },
 "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
 "rule_name": "Potential Ransomware Note File Dropped via SMB",
@@ -183,15 +183,15 @@
 },
 "02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
 "rule_name": "Dumping Account Hashes via Built-In Commands",
- "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb",
+ "sha256": "a07d5178b0d63fe45832be7feae2eea146956b3b81baf2c247c23c39a4465af4",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
 "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
- "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573",
+ "sha256": "6914713f09336f9c3dd081ef53ac47488673b0d06d86d731eae0c68021783845",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "035889c4-2686-4583-a7df-67f89c292f2c": {
 "min_stack_version": "8.14",
@@ -221,39 +221,39 @@
 "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Suspicious Dynamic Linker Discovery via od",
- "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8",
+ "sha256": "63da0c176cc07352e9a1cb9d92ededc8900ca1b1c6f6dfa5b1d8af6e158f55fa",
 "type": "eql",
- "version": 2
+ "version": 3
 }
 },
 "rule_name": "Suspicious Dynamic Linker Discovery via od",
- "sha256": "5a89e9c9403463bc8cad9d70b104d352791bd9ba509e45e22ce425a5b8bdba4e",
+ "sha256": "7be24103e80b488ec59b95552a069f1c357d42f5fec529c19402f290b74e282c",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "03a514d9-500e-443e-b6a9-72718c548f6c": {
 "rule_name": "SSH Process Launched From Inside A Container",
- "sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d",
+ "sha256": "f20d44b0d750d0c26fca0b620394312ba50e05209f19a2c8efe8a5779d97e899",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
 "rule_name": "Potential Network Scan Executed From Host",
- "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4",
+ "sha256": "ae3ea0137d74ca472a7ba99931f0fb829c7b6419004e69b9a9a0ac88b87e0ebb",
 "type": "threshold",
- "version": 3
+ "version": 4
 },
 "0415258b-a7b2-48a6-891a-3367cd9d4d31": {
 "rule_name": "First Time AWS Cloudformation Stack Creation by User",
- "sha256": "94bf8efc1418d0c3dbcfad25b23fcfb931aaa7d34d5a718971956c00ce220f69",
+ "sha256": "52da905207d1e7c88fc6422717c8a5e4a92dc36ee070a06fc4bcdbc3d90476d3",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "0415f22a-2336-45fa-ba07-618a5942e22c": {
 "rule_name": "Modification of OpenSSH Binaries",
- "sha256": "04af79fc085a46b7a9239dd4f9bfaf09118355ac4802004f3fdb734b00113972",
+ "sha256": "3b26f04620990f0636c48d69c7dddb1091ac744f61ef4244cf1bf27d38677ecc",
 "type": "query",
- "version": 110
+ "version": 111
 },
 "041d4d41-9589-43e2-ba13-5680af75ebc2": {
 "rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
@@ -267,34 +267,34 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Potential Escalation via Vulnerable MSI Repair",
- "sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174",
+ "sha256": "47373227a503f5fe1fde96d536e6a205fcac83b971b0dee087b3614cd96c814f",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "8.13": {
 "max_allowable_version": 200,
 "rule_name": "Potential Escalation via Vulnerable MSI Repair",
- "sha256": "ca6b6244eb33d751ab8afe90e9447bc34a5cd46b0e4604ee73d8c2e77612cb67",
+ "sha256": "8d179fe06605d1b9a62c3cda5f232e20d6e98172b8c62bc1ac5e3c362f0caf83",
 "type": "eql",
- "version": 102
+ "version": 103
 }
 },
 "rule_name": "Potential Escalation via Vulnerable MSI Repair",
- "sha256": "8a7f7f22aef8cdf2fa76b6194ccab0d26453470ba193c15aa82ef83fa9cf3102",
+ "sha256": "95d69d7ba9d1821cb7a31fc102eddbf4725f3512d45f8c1129cd08902c00b9da",
 "type": "eql",
- "version": 202
+ "version": 203
 },
 "04c5a96f-19c5-44fd-9571-a0b033f9086f": {
 "rule_name": "Azure AD Global Administrator Role Assigned",
- "sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9",
+ "sha256": "60c46c899a69ab28b32485227c01fb16cee84b26abd65893b8f900c888034338",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
 "rule_name": "User Added to the Admin Group",
- "sha256": "018ed4ea49d89558cfa618d30dec9b266a2926894b75e434ede0254443d6bab9",
+ "sha256": "605d63b5087ecb7c6b317b124502b5109f16a229ccb1a878d7f5c7f08940e119",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "053a0387-f3b5-4ba5-8245-8002cca2bd08": {
 "min_stack_version": "8.14",
@@ -302,21 +302,21 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
- "sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0",
+ "sha256": "1ca8fdf09317fd36c70df03f3201b8274dda82e84f259811b7e392d1b5d8e6b4",
 "type": "eql",
- "version": 111
+ "version": 112
 }
 },
 "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
- "sha256": "ae7b800eac312f398df8ba82f12abc2529bb704c4185f69948be3617af2847fb",
+ "sha256": "a219cd9773dc1fa8aa69881e4de1fb3c8b9b635a1c380a4782cf15cec90f8904",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "054db96b-fd34-43b3-9af2-587b3bd33964": {
 "rule_name": "Systemd-udevd Rule File Creation",
- "sha256": "12d9feafcc88441dac8a47687708fa8fb7bf194076d084b80efd2128b97a5570",
+ "sha256": "8d613ba421aebd8dcbce56302f1c2d6a19b749085004adc1050a81aed090dcc5",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "0564fb9d-90b9-4234-a411-82a546dc1343": {
 "min_stack_version": "8.14",
@@ -359,15 +359,15 @@
 },
 "05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
 "rule_name": "Tainted Kernel Module Load",
- "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4",
+ "sha256": "6e6fcbbf2ea3332a110e3c68ebc52cde1b789a0370ce24f76e00a25d8c349bf6",
 "type": "query",
- "version": 4
+ "version": 5
 },
 "05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
 "rule_name": "Interactive Terminal Spawned via Perl",
- "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754",
+ "sha256": "c70d925a16e8a0ca54c52ed7ba79164ff5091150dc18e8f3096440d73fd87433",
 "type": "query",
- "version": 108
+ "version": 109
 },
 "0635c542-1b96-4335-9b47-126582d2c19a": {
 "min_stack_version": "8.14",
@@ -403,9 +403,9 @@
 },
 "0678bc9c-b71a-433b-87e6-2f664b6b3131": {
 "rule_name": "Unusual Remote File Size",
- "sha256": "86c63dfc5a14108858c1a668088b651845e888e1dfa6764e364d7193cda1e105",
+ "sha256": "1c0662f5b11e6019bfa3e32d36fedf5821114840e8aa8e424150ea7631c58079",
 "type": "machine_learning",
- "version": 4
+ "version": 5
 },
 "06a7a03c-c735-47a6-a313-51c354aef6c3": {
 "min_stack_version": "8.14",
@@ -436,15 +436,15 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Dynamic Linker (ld.so) Creation",
- "sha256": "d199c5e9dfd9aa2e6e54808f02b7c661ba51e4c78cc780b45d0e910dc09b0230",
+ "sha256": "798d7634945767913aeab178e7df25c3696ac6e993cbaaaefe8030ea91fe0f4c",
 "type": "eql",
- "version": 1
+ "version": 2
 }
 },
 "rule_name": "Dynamic Linker (ld.so) Creation",
- "sha256": "25c134214022fe4919832996ce775387fbd9ee22fda14c49daaecb865d145206",
+ "sha256": "cf3d305ea89fd7b2c84f8ed412f55d0c5180e021f2d107a517d501e85c15e038",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "min_stack_version": "8.14",
@@ -452,22 +452,22 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Potential Evasion via Filter Manager",
- "sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1",
+ "sha256": "fe0b271cf1660d839ba9c04e3ae7c6a2ae6bfc5ba80b354d7aa2ebf8ba75db6b",
 "type": "eql",
- "version": 113
+ "version": 114
 }
 },
 "rule_name": "Potential Evasion via Filter Manager",
- "sha256": "3a61aa859d4dd430becb99b7310d8f43570207832557eedf3e2684c3180cd10c",
+ "sha256": "cb388e3a30c4e77292f3c6ffde5fabc2aa388f8affa6756cf70e1b8442d61a30",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "06f3a26c-ea35-11ee-a417-f661ea17fbce": {
 "min_stack_version": "8.16",
 "rule_name": "Memory Threat - Prevented- Elastic Defend",
- "sha256": "542beb283553b21b373b87f1963fa845b95929b9664d3af97f7777e621206a0b",
+ "sha256": "96b6afa2ed123a001168eaaafe269a572393ee32c8248cd27a29182040b5dbcc",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "074464f9-f30d-4029-8c03-0ed237fffec7": {
 "min_stack_version": "8.14",
@@ -498,15 +498,15 @@
 "8.12": {
 "max_allowable_version": 205,
 "rule_name": "GitHub Protected Branch Settings Changed",
- "sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333",
+ "sha256": "380c523049b8404ce0d831d93a39d8d6e334c2a51c94e3454920aa9b947d0d60",
 "type": "eql",
- "version": 106
+ "version": 107
 }
 },
 "rule_name": "GitHub Protected Branch Settings Changed",
- "sha256": "d8a91efd007be1ed16d117fe17458c7361f18450b73e73083ee88ec02bf6d049",
+ "sha256": "3d9549ea279015b77bc82b2e69b630d2013529cbc37e51d1316381f1c8f34d54",
 "type": "eql",
- "version": 206
+ "version": 207
 },
 "0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
 "rule_name": "Suspicious Proc Pseudo File System Enumeration",
@@ -520,22 +520,22 @@
 "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Local Account TokenFilter Policy Disabled",
- "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d",
+ "sha256": "09c2f36752a76180ee5f6c3d999fca9b4a594baf1e68da518828098d4a918b29",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Local Account TokenFilter Policy Disabled",
- "sha256": "1d581fab9894150d93b9290184613601916238ed613aed8f033ba029c6d7f747",
+ "sha256": "7a1e221305122e11869857dfef01583fa3242e9353bbc3c58bd029ddc08ce349",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Local Account TokenFilter Policy Disabled",
- "sha256": "cba44e5f0b785c8ff69b139d209a7e10ae87452830da92efee001b69f5a95d51",
+ "sha256": "a02807e2dbf00fd418c04b345cf9bb599e756134d50cfc7ceb239d0db3e3d270",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
 "rule_name": "Google Drive Ownership Transferred via Google Workspace",
@@ -545,21 +545,21 @@
 },
 "080bc66a-5d56-4d1f-8071-817671716db9": {
 "rule_name": "Suspicious Browser Child Process",
- "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be",
+ "sha256": "a43d168f61e8163581d0687f0304f03e2ddae74d1116c478f933178625133b7d",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "082e3f8c-6f80-485c-91eb-5b112cb79b28": {
 "rule_name": "Launch Agent Creation or Modification and Immediate Loading",
- "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879",
+ "sha256": "c267399fea2ab4ee01b5424d01dc5ca68f6fbcb529f4f0c022cde54d6f87b25e",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "083fa162-e790-4d85-9aeb-4fea04188adb": {
 "rule_name": "Suspicious Hidden Child Process of Launchd",
- "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece",
+ "sha256": "a01dd38408bbec2545a780590fb1551649acb6e25b7f9589b305b518dcfae70a",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
 "min_stack_version": "8.14",
@@ -567,22 +567,22 @@
 "8.12": {
 "max_allowable_version": 108,
 "rule_name": "First Time Seen Removable Device",
- "sha256": "aec36fbd3822bf9e12b866c619574507647dfdec52725d3f77d00b7be3d4aaef",
+ "sha256": "f1ac8cf1be60a96de758a01dfbfd0a5b594450e5a38ceae29fc315267402c892",
 "type": "new_terms",
- "version": 9
+ "version": 10
 },
 "8.13": {
 "max_allowable_version": 208,
 "rule_name": "First Time Seen Removable Device",
- "sha256": "629de40be19abc034ed2f876dd72df2fc72ce0397116eed55c08d790401d4da6",
+ "sha256": "c14fec5bc1b916855cac0929b535c0865ae08136bf417b3ef52374ed88a27cc5",
 "type": "new_terms",
- "version": 109
+ "version": 110
 }
 },
 "rule_name": "First Time Seen Removable Device",
- "sha256": "20d5ab4b426cb84f65b990fde4a3011164e908b124f4c961646afae8d6e73a58",
+ "sha256": "70f7e9b02ae62752a1aa355c2bf0737861fcbe8f6d564b36f533e1c115925ed6",
 "type": "new_terms",
- "version": 209
+ "version": 210
 },
 "089db1af-740d-4d84-9a5b-babd6de143b0": {
 "rule_name": "Windows Account or Group Discovery",
@@ -598,15 +598,15 @@
 },
 "092b068f-84ac-485d-8a55-7dd9e006715f": {
 "rule_name": "Creation of Hidden Launch Agent or Daemon",
- "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993",
+ "sha256": "df3311bb176bf73432fcbf38549d153c5d42b0a2dc86764c6daa86fc9db5903f",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "09443c92-46b3-45a4-8f25-383b028b258d": {
 "rule_name": "Process Termination followed by Deletion",
- "sha256": "07259ee65eed64efa83cd67f2944378c9f5eac6af8a0d950ddf46fd06505c613",
+ "sha256": "14b2c50279749311159d46204420c773d52555a562d83ce604a03fd9d9abaafb",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "095b6a58-8f88-4b59-827c-ab584ad4e759": {
 "min_stack_version": "8.13",
@@ -632,27 +632,27 @@
 },
 "09bc6c90-7501-494d-b015-5d988dc3f233": {
 "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
- "sha256": "ba5ece96c45f82ec3deddbb0311dc407ea0a8234e9dea257649d0cd4014c2eff",
+ "sha256": "c8115f0fe38df7a874ae8c9073dfe093a940fc49c4e0f9ae6c7e317213b43120",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "09d028a5-dcde-409f-8ae0-557cef1b7082": {
 "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
- "sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53",
+ "sha256": "f6a45024261cb0b349f1b5e65afcbfd1cffe90e669fa3157bf60ea20538b5f44",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "0a97b20f-4144-49ea-be32-b540ecc445de": {
 "rule_name": "Malware - Detected - Elastic Endgame",
- "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2",
+ "sha256": "7a47db16ef187e82ca162b4ddc7be98c559c56f60930c7f857b4998e456db762",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "0ab319ef-92b8-4c7f-989b-5de93c852e93": {
 "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
- "sha256": "d6a0f724b514c85dbde5be35083810d0d6e18c2cd144eef691aa03bd23590370",
+ "sha256": "d0ca847022a16689d65f980293f4e0fd6f57daf55cdf34dcf2d377d146f0757a",
 "type": "query",
- "version": 5
+ "version": 6
 },
 "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
 "min_stack_version": "8.14",
@@ -672,9 +672,9 @@
 },
 "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
 "rule_name": "Yum Package Manager Plugin File Creation",
- "sha256": "b6b6b3ca5a1b00c1c9c2963e11de9416eb551dc1cae810218908a0530dee3559",
+ "sha256": "2246ca718f9e4c68f8015278f6c338d481215cf44d109266c689582b268cd4b6",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "min_stack_version": "8.14",
@@ -682,15 +682,15 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Anomalous Windows Process Creation",
- "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c",
+ "sha256": "e58901307b82a6b703f7a5b2767769ca7cbec1c80db040954fe646835f35d714",
 "type": "machine_learning",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Anomalous Windows Process Creation",
- "sha256": "acdcc7db7bd1b750efe71ad345cb5a5475fd227ac91ab85cc7c45383df0d9eb0",
+ "sha256": "c0f120a64ff245f24b22572875fa394dbdc77cb4f3718153eba555eb889feac8",
 "type": "machine_learning",
- "version": 208
+ "version": 209
 },
 "0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
 "min_stack_version": "8.14",
@@ -704,21 +704,21 @@
 }
 },
 "rule_name": "User account exposed to Kerberoasting",
- "sha256": "4b5cbd7460298bb5d01a57eea52921d5400e6071d98b2cb6ec940f3fdcc3d2af",
+ "sha256": "ebe574808b30bc1075a58cef2f874bdd05f42e8a24777f0a63b52a2120faa70c",
 "type": "query",
- "version": 213
+ "version": 214
 },
 "0b76ad27-c3f3-4769-9e7e-3237137fdf06": {
 "rule_name": "Systemd Shell Execution During Boot",
- "sha256": "22a959fc1ae4b5c978a6bb8e8fa8d2acd527c45d6f559981da7a7b185d3ce099",
+ "sha256": "f38d9a3cb527fed3ad70ba4055716a8490606cb347a6813497bae630dd296758",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "0b79f5c0-2c31-4fea-86cd-e62644278205": {
 "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
- "sha256": "ba7852357719e494be81332b6d01118f5355863b002a850e69704188995ec8c6",
+ "sha256": "4a8f1df0c1c99b704e5485fd658ff9569854ebb1e729a16996a835862cfe8f24",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "0b803267-74c5-444d-ae29-32b5db2d562a": {
 "min_stack_version": "8.13",
@@ -726,15 +726,15 @@
 "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Potential Shell via Wildcard Injection Detected",
- "sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9",
+ "sha256": "91457268048c8d92e741bfd1d7bb5d54fe0d743c61407f7a0715f70c10dfa674",
 "type": "eql",
- "version": 6
+ "version": 7
 }
 },
 "rule_name": "Potential Shell via Wildcard Injection Detected",
- "sha256": "81734f1eb98d81af0ca26082b03fceb94a4883a4f849ace026fd8c1adbc3bd35",
+ "sha256": "9e2c7511c3657f8026a9d0e6444662c80eb57012a8d38efa6e23d9c3814ef567",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
 "min_stack_version": "8.14",
@@ -742,15 +742,15 @@
 "8.13": {
 "max_allowable_version": 101,
 "rule_name": "Attempt to Establish VScode Remote Tunnel",
- "sha256": "d6fa3f4e6eefb62df2be718d0947e519176fb25f046497c15158ef5116ca4088",
+ "sha256": "7ffa76bdd42de95fc9de0514beb379f3022d2480038fc89512a38dc061cf24e9",
 "type": "eql",
- "version": 3
+ "version": 4
 }
 },
 "rule_name": "Attempt to Establish VScode Remote Tunnel",
- "sha256": "a41786ebd2dfbb03c42ea6bf3fdc405509199a39d2c76596d2106580b4e85706",
+ "sha256": "e00123eeed5a9592b8d966a72a4ad924189880c7010e544d25d5026d9accd309",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
 "rule_name": "Processes with Trailing Spaces",
@@ -764,28 +764,28 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Potential Hex Payload Execution",
- "sha256": "b50ace78d817688a156f23beb890b4697291938d084ca42129f8ecf1dcb8b0b0",
+ "sha256": "74f721a4c27361f235243b389dfdd0770212ed79d7fe1c2959e73c93b9edb754",
 "type": "eql",
- "version": 1
+ "version": 2
 }
 },
 "rule_name": "Potential Hex Payload Execution",
- "sha256": "2d0fa73ed28a53fba32e51085db7721c3da52a4443b249024ba095506e2997d7",
+ "sha256": "60df1c7136646558bb4c4713cbfb9a5a4b107a9416be8a60fbf7700cbcb94ce3",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
 "rule_name": "Threat Intel IP Address Indicator Match",
- "sha256": "73f1d7ac5e48ae941a948cf4fd8934aa63350e31aa9b81f06de2f8543783dd7d",
+ "sha256": "9507b5aae7440ff10ceb3f3e75dcc178e809320a084d56e616de90e14713d0d6",
 "type": "threat_match",
- "version": 7
+ "version": 8
 },
 "0c74cd7e-ea35-11ee-a417-f661ea17fbce": {
 "min_stack_version": "8.16",
 "rule_name": "Ransomware - Detected - Elastic Defend",
- "sha256": "d762ceed58b4360fed6a1ddbf89869a6d4548ddaaff3398092e868f20864f049",
+ "sha256": "bdb55dbd118fb03d8e90db6727cb7c17fdf199dc7aab3fad8d6a9c783bd05f4e",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
 "min_stack_version": "8.14",
@@ -819,21 +819,21 @@
 "0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
 "min_stack_version": "8.13",
 "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
- "sha256": "dbe1ee653e8649143a8b2aa6c43f5f5661b1bbccfd106614feb092ddd050d25b",
+ "sha256": "0d0084d44982bd3c5392b363044b94d1c083b4ff85c4da034a82be08872812d5",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "0ce6487d-8069-4888-9ddd-61b52490cebc": {
 "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
- "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746",
+ "sha256": "c5b5703eecd7632b4ddb4091627b0ff3ab51fe21941d1f5b53297f00d72c4f4d",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
 "rule_name": "Multiple Alerts Involving a User",
- "sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252",
+ "sha256": "15e804addadde83664812796f8f9823a5c7ebff99e0beb27678162bd9c31e24b",
 "type": "threshold",
- "version": 3
+ "version": 4
 },
 "0d69150b-96f8-467c-a86d-a67a3378ce77": {
 "min_stack_version": "8.13",
@@ -841,15 +841,15 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Nping Process Activity",
- "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec",
+ "sha256": "b83427252d66ff411238da7c5005c49740b023436dbc3bf58ba27c1ee3922248",
 "type": "eql",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Nping Process Activity",
- "sha256": "9e6ad0d56964a23df0d9728adfe7374b9829eb6b744d07e2139d35a8836e8ff3",
+ "sha256": "9e4865a109815afb06442ed8b43a911844889487f3b85f1621ef70b5400b71c7",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
 "rule_name": "Execution of File Written or Modified by Microsoft Office",
@@ -860,9 +860,9 @@
 "0e1af929-42ed-4262-a846-55a7c54e7c84": {
 "min_stack_version": "8.13",
 "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
- "sha256": "b33e65a3ee076e720b9bdf2aa373dea700cfccd237404dd9f93cc4807700b15e",
+ "sha256": "06cd8ab4b8922f24d2b6151406f8680b95c67b7d415ccdab4ef61cfc5c80fda7",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "0e4367a0-a483-439d-ad2e-d90500b925fd": {
 "min_stack_version": "8.13",
@@ -882,15 +882,15 @@
 },
 "0e52157a-8e96-4a95-a6e3-5faae5081a74": {
 "rule_name": "SharePoint Malware File Upload",
- "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393",
+ "sha256": "74965d932cbd9a720a97b2ceab342bba465997b95f0c655b95003fbbe6387365",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
 "rule_name": "GCP Service Account Key Creation",
- "sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b",
+ "sha256": "59e29ccc3ac8165891a2e84b728fb276eaf024e4adc86f129eed888139ef37bc",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "0e79980b-4250-4a50-a509-69294c14e84b": {
 "min_stack_version": "8.14",
@@ -898,34 +898,44 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "MsBuild Making Network Connections",
- "sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960",
+ "sha256": "7c639b668c0b9207254749cb4e45c08ed861a61d1b5e8b27147b3b664d0ae255",
 "type": "eql",
- "version": 110
+ "version": 111
 }
 },
 "rule_name": "MsBuild Making Network Connections",
- "sha256": "bf7179d1b47194100baad37ed0a523ce816c9844de775a252e0c6a98cd5d3ebf",
+ "sha256": "dcb595ba973117d787c324d67e3c1089fbb00fd94c18e02e68348da2cbca9297",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
 "min_stack_version": "8.14",
 "rule_name": "Sensitive Audit Policy Sub-Category Disabled",
- "sha256": "1bf144627669639eeaddc1fd3dacb1721c5a22b5bbd5c657d21a9ea80a9e7a98",
+ "sha256": "2ccd6e44765c01f2922e5dbfec21d3112b12ea481499e274cc65faed4937a76a",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "0f4d35e4-925e-4959-ab24-911be207ee6f": {
 "rule_name": "rc.local/rc.common File Creation",
- "sha256": "28070d788626c94266ca156adfce5e6d58d48df08e6103e0cfc4c1b1e7bb8ab5",
+ "sha256": "a58f936fd70ead1323075c2db07bdc08ae6fcf158dc76d3e3f8ee000206c8907",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 102,
+ "rule_name": "Polkit Policy Creation",
+ "sha256": "44b43d02b93465a284ad02a34ec8aac120647331d3e94740777d0814d5113600",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Polkit Policy Creation",
- "sha256": "c5b96e974b3fcfcec0a0363729ff3eaaa75d3eef6433dcfa417afba10d813e2a",
+ "sha256": "0afcc930436684dfdd61e2ef01cbc1adfa72ab7f84b9fd58280c94953ffdaae0",
 "type": "eql",
- "version": 2
+ "version": 103
 },
 "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
 "min_stack_version": "8.13",
@@ -933,22 +943,22 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Netcat Listener Established via rlwrap",
- "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147",
+ "sha256": "79a36ec04c23d206b4a169e76b5d28d8f804a425556086fca9789d4fc8b188da",
 "type": "eql",
- "version": 3
+ "version": 4
 }
 },
 "rule_name": "Netcat Listener Established via rlwrap",
- "sha256": "0925718d6acd18e0a768b91cd047c58843ab49c9db753e14eabcec5fed876a96",
+ "sha256": "43a81f7c9afb83eccece14a9be3e1ea2f6a731c8417ac2503e6ccae6a6db44af",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
 "min_stack_version": "8.16",
 "rule_name": "Behavior - Detected - Elastic Defend",
- "sha256": "744407645eb6ef1ce3977b8496e04d8f01d92fb09e755c6b86c46789bcc96172",
+ "sha256": "1b61e930271caf4b24683fcdcd5d779d2a0f082e6b215464af1895be281398c9",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "0f616aee-8161-4120-857e-742366f5eeb3": {
 "rule_name": "PowerShell spawning Cmd",
@@ -962,21 +972,21 @@
 "8.12": {
 "max_allowable_version": 309,
 "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
- "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735",
+ "sha256": "47eb039775808da28b11790e0cc065e4a50d78e27c509b0d3658b680d0e8afa5",
 "type": "threshold",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
- "sha256": "b6fe17ae61cabf399f3502a59bd831e6a43b9d29f19787c3623981dc44eec698",
+ "sha256": "bbaf49b522cd5d40af2d47cba7e4b4171ca4727ca8719122a6cdbee63432dc73",
 "type": "threshold",
- "version": 310
+ "version": 311
 },
 "0ff84c42-873d-41a2-a4ed-08d74d352d01": {
 "rule_name": "Privilege Escalation via Root Crontab File Modification",
- "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895",
+ "sha256": "76940df70c1484a0067d03c9147c59cb9cb88ff381bc232e981395b072fbcad0",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "10445cf0-0748-11ef-ba75-f661ea17fbcc": {
 "rule_name": "AWS IAM Login Profile Added to User",
@@ -992,16 +1002,16 @@
 },
 "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
 "rule_name": "WebProxy Settings Modification",
- "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af",
+ "sha256": "43d8180f7e5ee5ede17e49e4b51dde1ec237e4fd3684df5ed85afbbde690f390",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "10f3d520-ea35-11ee-a417-f661ea17fbce": {
 "min_stack_version": "8.16",
 "rule_name": "Ransomware - Prevented - Elastic Defend",
- "sha256": "66448c143965f6318351f4adfaf855518fd60f58e0fceab482a7e31720a276b9",
+ "sha256": "f5b721e962c74dd5fefb7ed7ed924c02a88684947c35f6d8dc29286c755143f9",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "11013227-0301-4a8c-b150-4db924484475": {
 "rule_name": "Abnormally Large DNS Response",
@@ -1015,15 +1025,15 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
- "sha256": "d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602",
+ "sha256": "46d8b330ba652e23adf896e687f3e5366a624a5331876fc279966cc8b152cf65",
 "type": "eql",
- "version": 111
+ "version": 112
 }
 },
 "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
- "sha256": "e8f11b08f41d0af660c26c82752b4d5344f91cdc0fc98514b43577e6477977d6",
+ "sha256": "a2bdb54600ed5810827ddcde587fdd19f4abe4ac4f268242ea2b360c433b20ae",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
 "min_stack_version": "8.14",
@@ -1031,28 +1041,28 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
- "sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd",
+ "sha256": "a994d1f91f21add41bfa56ede5881e607b7400b4d3892076489853ee155f7fce",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
- "sha256": "aa018af3ba1144c484d88c95f262455130c03245c19a0d48b1f9e314be08333b",
+ "sha256": "153cade6c2583d73aadcdb8e1f138fd04f15225a1d087281dfb8e0a38a94a08d",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
- "sha256": "cd4ff3a06fa4ded3c35daf6785753a17cb5582a6ae1ad4a06a341c03c74b12a5",
+ "sha256": "89ff75015ccc7505d10b8e1dd68a6e00bc013390bb1d3c3261ebea0dee5a9cd8",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "119c8877-8613-416d-a98a-96b6664ee73a": {
 "rule_name": "AWS RDS Snapshot Export",
- "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c",
+ "sha256": "22b038a9d7ed9ae2bb66b4cb46bcfc5b0b5fd00d0c6512a3aa092001b5c12e80",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "119c8877-8613-416d-a98a-96b6664ee73a5": {
 "rule_name": "AWS RDS Snapshot Export",
@@ -1066,15 +1076,15 @@
 "8.12": {
 "max_allowable_version": 113,
 "rule_name": "PowerShell Script with Token Impersonation Capabilities",
- "sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2",
+ "sha256": "a7ec142dcda7675c77e9b876a21fdbc81216e3a996b187d8b9ce5fb6ee881abc",
 "type": "query",
- "version": 14
+ "version": 15
 }
 },
 "rule_name": "PowerShell Script with Token Impersonation Capabilities",
- "sha256": "5da4a9373dd0e7d3e939dc5815ae14c28a0fedadefabad3b85e2e059b5cc1a24",
+ "sha256": "6b484742b765e528a93679109d41f88dab5fc43c020fe7354c920f488c850661",
 "type": "query",
- "version": 114
+ "version": 115
 },
 "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
 "min_stack_version": "8.13",
@@ -1094,9 +1104,9 @@
 },
 "12051077-0124-4394-9522-8f4f4db1d674": {
 "rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
- "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7",
+ "sha256": "2e9c3df902a7e2af50b5f91cbc53f971eaac2d7c296180dc7140aa88c286406a",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "120559c6-5e24-49f4-9e30-8ffe697df6b9": {
 "rule_name": "User Discovery via Whoami",
@@ -1110,15 +1120,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Suspicious Windows Process Cluster Spawned by a User",
- "sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b",
+ "sha256": "36f3d53e0e615d93af889f1a29da008db557f004f34ab0b3a14b5210f0aeee2f",
 "type": "machine_learning",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Suspicious Windows Process Cluster Spawned by a User",
- "sha256": "a979104cf9cc45e2deefe33c7763b2f7452f1cce582e84c1036d8659251e76e9",
+ "sha256": "5e43858136609068909a67bd2ffd833f974eeee7ae19cdb80a02ae08ad096d70",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 },
 "1251b98a-ff45-11ee-89a1-f661ea17fbce": {
 "rule_name": "AWS Lambda Function Created or Updated",
@@ -1138,27 +1148,27 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Lsass Process Access",
- "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554",
+ "sha256": "b5585ef93c094d17af2ec93e821abae35166aff50db392c679bdfd4ad289691e",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Suspicious Lsass Process Access",
- "sha256": "c7b2febcd7a93457f53f7d4c52aad131a4116e9f93d76437d261111f09423eca",
+ "sha256": "19af37acbf8a0f9774fb22c8fe43855471d07d04d9aa68dfaf95e90219bd65a0",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "12a2f15d-597e-4334-88ff-38a02cb1330b": {
 "rule_name": "Kubernetes Suspicious Self-Subject Review",
- "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec",
+ "sha256": "75734b3460dff650d8fb6adbbe456341d03756acefec419bdbe2f8dbb064b12b",
 "type": "query",
- "version": 203
+ "version": 204
 },
 "12cbf709-69e8-4055-94f9-24314385c27e": {
 "rule_name": "Kubernetes Pod Created With HostNetwork",
- "sha256": "6f467e2189a55fb44966834223c32fb6509c57dd21bcdff69b4f6e2ec920aeff",
+ "sha256": "7c44812095bd92d02344d24e68f59d1becb7a2912cb9f782309717e196302e80",
 "type": "query",
- "version": 204
+ "version": 205
 },
 "12de29d4-bbb0-4eef-b687-857e8a163870": {
 "min_stack_version": "8.14",
@@ -1166,22 +1176,22 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
- "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a",
+ "sha256": "272a96e698a6afe16c3181d064b9c894e77f51b3eaf866209b5dce7565d67d30",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "8.13": {
 "max_allowable_version": 202,
 "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
- "sha256": "4bbc3bd2b9452e05e7e5829db2c77881e9bd34accc89ae0ee089e96ed991a0d0",
+ "sha256": "dee24546d469b37c7b76c8f8f173a6c83c366cb49c0b9576f370a0bd5511952c",
 "type": "eql",
- "version": 103
+ "version": 104
 }
 },
 "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
- "sha256": "20059209c3052442c7ed5c5a377f07f5900366dd533db5b237c40a4f03968c49",
+ "sha256": "1a23f04cf58db376fd7b4ec19d06758a03d9ff61f0e7e73111cd6bdebc85966f",
 "type": "eql",
- "version": 203
+ "version": 204
 },
 "12f07955-1674-44f7-86b5-c35da0a6f41a": {
 "min_stack_version": "8.14",
@@ -1189,22 +1199,22 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Suspicious Cmd Execution via WMI",
- "sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177",
+ "sha256": "98f99aa122e1e624b3e09c6ba6ef60f17fad0fb85c2a0312908fa83888d30adf",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "Suspicious Cmd Execution via WMI",
- "sha256": "fe4ba438fce303e2daf224812c4bd214f595f651161a5e587cc2d2e50dda76ee",
+ "sha256": "655e84527e938f302b438d0661911d1fc0c26eb040707b8dadc870b71b09621e",
 "type": "eql",
- "version": 213
+ "version": 214
 }
 },
 "rule_name": "Suspicious Cmd Execution via WMI",
- "sha256": "2948ee0b531e8ccedd058b6ffb287bbd8285049d41818d9af4a814c1705e8765",
+ "sha256": "e64945c3198ab598f7b7fbb252d2af8e1130443ca01fb4b04ab121f6bdea367e",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "1327384f-00f3-44d5-9a8c-2373ba071e92": {
 "min_stack_version": "8.14",
@@ -1212,22 +1222,22 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Persistence via Scheduled Job Creation",
- "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29",
+ "sha256": "17d08d5a22a343108d957c179ce6094d0257d0d8b2579a4951119dda819508f6",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "8.13": {
 "max_allowable_version": 410,
 "rule_name": "Persistence via Scheduled Job Creation",
- "sha256": "88943865100dbcb63138fc9fc3e1c81fcd227f586956038e529e688b71384ceb",
+ "sha256": "9e89e81b01768e4420d38600625f002d5442c3b66d427dc5892345446d213aa6",
 "type": "eql",
- "version": 311
+ "version": 312
 }
 },
 "rule_name": "Persistence via Scheduled Job Creation",
- "sha256": "9ffa543a06d0f2ad3662845e6fa645986ce32abf6fdd1a341eb3cb92a2c2e4c2",
+ "sha256": "b0ccfcb313b2d42d0235a2596412d1178773cf4161732fd7ad768553a89a446b",
 "type": "eql",
- "version": 411
+ "version": 412
 },
 "135abb91-dcf4-48aa-b81a-5ad036b67c68": {
 "min_stack_version": "8.13",
@@ -1235,15 +1245,15 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
- "sha256": "b6c89e8c3a97272346f423ebb217dd3b570a754d8cf3cc976707c2b412198fdc",
+ "sha256": "7a40d647d43e173b746b298d0619a6058cb05a2eb33d6e0a4e546788fa16634a",
 "type": "eql",
- "version": 1
+ "version": 2
 }
 },
 "rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
- "sha256": "c0225ffbf6f1c5644805b6540d4044e24bcb9f08e6af9d221853d008f463c7e5",
+ "sha256": "bdade28ec6aad91e8926504e30173907dc1309924ed35deef6fcedb8d5fd3f91",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "138c5dd5-838b-446e-b1ac-c995c7f8108a": {
 "rule_name": "Rare User Logon",
@@ -1282,21 +1292,21 @@
 },
 "13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
 "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score",
- "sha256": "6f94ca87d3b3519fd810a9fdc1a9a04afdea58ca913b4b4dc9e9be63ed77cec0",
+ "sha256": "3ec2e506931ecd0b5ba1e027207e34901c5ac024f575d19242d7a03f5ee033f6",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
 "rule_name": "Azure External Guest User Invitation",
- "sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1",
+ "sha256": "6fbce9547774cb786e35438648ca5a236089ce43936066235b21a006520def25",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "143cb236-0956-4f42-a706-814bcaa0cf5a": {
 "rule_name": "RPC (Remote Procedure Call) from the Internet",
- "sha256": "6f7487c7e356c40aec2caceb15dce0977070fac0869a8f73757b0d4986b15113",
+ "sha256": "05723d7fde940cd2cc2663a56ee79b455405ca9d1e1270db75b986c5ef72717c",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "14dab405-5dd9-450c-8106-72951af2391f": {
 "min_stack_version": "8.13",
@@ -1304,21 +1314,21 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Office Test Registry Persistence",
- "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2",
+ "sha256": "3e44efbf96a359a35159414069ff36e12436779f48247e1ebb07a941605b448f",
 "type": "eql",
- "version": 3
+ "version": 4
 }
 },
 "rule_name": "Office Test Registry Persistence",
- "sha256": "e0673b4aff07f3de4b7256ce50a44e6147759d3281b639adae677dff72feecbc",
+ "sha256": "ef730832a93503b501376aacb96760534cb31876eed560a014670d79b2d03b74",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "14de811c-d60f-11ec-9fd7-f661ea17fbce": {
 "rule_name": "Kubernetes User Exec into Pod",
- "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9",
+ "sha256": "fc2b301f6bbaa53417113b60b7a3c366d6f6c509954e72e27e9386b8b8585c28",
 "type": "query",
- "version": 203
+ "version": 204
 },
 "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
 "min_stack_version": "8.14",
@@ -1326,22 +1336,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential Persistence via Time Provider Modification",
- "sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937",
+ "sha256": "c1c4d209cde3b94cd2f8c548ecdb34cb3fa679dd0b53e7fdede58f9d1556ead5",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Potential Persistence via Time Provider Modification",
- "sha256": "6349c839b9198d37d576fd976eaa2f85e6034f8ba89204b451ff0d11467cde5b",
+ "sha256": "c8f114645f7f362fd704081bd1e07a79689640b1eff476ca39c731460729be8c",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Potential Persistence via Time Provider Modification",
- "sha256": "cd5c53102463d73641cecf06ff0109725f62f522ecbaba20de251787a79cb33f",
+ "sha256": "9b84185dd52ac21aec4f2a8db1583492782012ec7a3cf59ce9987512ffb52e0f",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "1502a836-84b2-11ef-b026-f661ea17fbcc": {
 "min_stack_version": "8.15",
@@ -1349,34 +1359,34 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Successful Application SSO from Rare Unknown Client Device",
- "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
+ "sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "8.14": {
 "max_allowable_version": 203,
 "rule_name": "Successful Application SSO from Rare Unknown Client Device",
- "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
+ "sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2",
 "type": "new_terms",
- "version": 104
+ "version": 105
 }
 },
 "rule_name": "Successful Application SSO from Rare Unknown Client Device",
- "sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b",
+ "sha256": "b2723b3de15eaf38f608b269cd27119a720895d4cd72b126071f5f0dd90555ee",
 "type": "new_terms",
- "version": 204
+ "version": 205
 },
 "151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
 "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
- "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740",
+ "sha256": "f1e6f5c52e4c18b16f84c216103655718a11c24159fd88c9d53d7810f03b9fca",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "1542fa53-955e-4330-8e4d-b2d812adeb5f": {
 "rule_name": "Execution from a Removable Media with Network Connection",
- "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4",
+ "sha256": "c942ba35d01b9cb9eebfce159f6c2ef894b5f93d7501c1f04fbfe4f029914e25",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "15a8ba77-1c13-4274-88fe-6bd14133861e": {
 "min_stack_version": "8.14",
@@ -1400,40 +1410,40 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
- "sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863",
+ "sha256": "0cc6051b059f0a4c23d62a16a546d261c5bbbf67a3446bf0fb2712619334c81f",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
- "sha256": "afb44f5ed406ccfb9c40513c5e774867e961f22a9ac007320d0a4c1c31fb8cc0",
+ "sha256": "47c62d0707a97119096476193b3bbf9c24f7265594587011d87a5248a4d6a588",
 "type": "eql",
- "version": 213
+ "version": 214
 }
 },
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
- "sha256": "43674c0e7d244957e0cecaf069f23652cb12fe5bee0b6d2dfb54c4bf6bd9160f",
+ "sha256": "affead342a3622a946986ec040beb993b0e5c27fe2442af4d4cdd70cce50f419",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "15dacaa0-5b90-466b-acab-63435a59701a": {
 "rule_name": "Virtual Private Network Connection Attempt",
- "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0",
+ "sha256": "b852f838beb12b31ac0857a95bfdd281593b4bbcb010dc1e2a32c159d2349b09",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "160896de-b66f-42cb-8fef-20f53a9006ea": {
 "rule_name": "Potential Container Escape via Modified release_agent File",
- "sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3",
+ "sha256": "6227f5574f6e391b1d85763a35113b7299b3d0a278820a3c90fe8d5758de412d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
 "rule_name": "Azure Automation Runbook Created or Modified",
- "sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633",
+ "sha256": "ba45931cd861307121631371d3ceada4c31f8c0df2f03e06f91fc43499cafeab",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "166727ab-6768-4e26-b80c-948b228ffc06": {
 "min_stack_version": "8.14",
@@ -1441,27 +1451,27 @@
 "8.12": {
 "max_allowable_version": 104,
 "rule_name": "File Creation Time Changed",
- "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c",
+ "sha256": "4b13b87a19503b754f0e1168a58053e72b7ab57ed3f6b4fa1e85ca983050228f",
 "type": "eql",
- "version": 5
+ "version": 6
 }
 },
 "rule_name": "File Creation Time Changed",
- "sha256": "b50d36dbfeb9c4de02bafa12ca2bfce4a438b1ba628cf3c02d4f726079e3e1b8",
+ "sha256": "a4b5224b6210e6ae22a3b2aae8187bd48cbb3c7b41926bda9a2a48c0528de974",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "16904215-2c95-4ac8-bf5c-12354e047192": {
 "rule_name": "Potential Kerberos Attack via Bifrost",
- "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d",
+ "sha256": "23b10e667366dd92f41808c9b01db2f62209ebea86cc67add8a43532a3341b74",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "169f3a93-efc7-4df2-94d6-0d9438c310d1": {
 "rule_name": "AWS IAM Group Creation",
- "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1",
+ "sha256": "ee11c9442b8e8b3ba41f33c3a39715ed346f2d770c4dc8cee36662b2214222d0",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "16a52c14-7883-47af-8745-9357803f0d4c": {
 "rule_name": "Component Object Model Hijacking",
@@ -1487,16 +1497,16 @@
 },
 "1719ee47-89b8-4407-9d55-6dff2629dd4c": {
 "rule_name": "Persistence via a Windows Installer",
- "sha256": "20685cfaedd2fe2b3471f27dca9cdbd6794180b2a0fe8045a0e6eef35ebd9c56",
+ "sha256": "8ac49e7c12e9e26728ce584fffb95e858c0145cd1ff89099123834f39022652e",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "17261da3-a6d0-463c-aac8-ea1718afcd20": {
 "min_stack_version": "8.13",
 "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
- "sha256": "03de244ffc1915c80ee82688449c357f1f23252b911b441563cb5f95106f963e",
+ "sha256": "6862e5d1dee36ec1dcdcd165a67f6c373cd83aaa5f0db1b63ac526b78d346e02",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "min_stack_version": "8.14",
@@ -1504,15 +1514,15 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Unusual Windows Username",
- "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600",
+ "sha256": "e9ed01e74760cd8f6b5436fa2bf1017b75f7981365876ee0443e0bab995a0f27",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Unusual Windows Username",
- "sha256": "2aa54fb200fbc2dc2a08134e4047e7d738718526afc740d255f2d4122be23a8a",
+ "sha256": "1e10d9ab500e362602268cac7c057d8f4200d268485ee4c70b1e1381d74f32a7",
 "type": "machine_learning",
- "version": 207
+ "version": 208
 },
 "1781d055-5c66-4adf-9c71-fc0fa58338c7": {
 "min_stack_version": "8.14",
@@ -1520,15 +1530,15 @@
 "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows Service",
- "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55",
+ "sha256": "a1c9cbff26b71eb5194648a9907fd39e1504c7662a8f217cd2e9c099f9e24767",
 "type": "machine_learning",
- "version": 106
+ "version": 107
 }
 },
 "rule_name": "Unusual Windows Service",
- "sha256": "aeb4741bd8e4ad54e3207d4a0c8f74feb21e04a61c42cca74da415224a2af13c",
+ "sha256": "63fc4e38fc33fd24ef301efc7a52d2781085a9dd8465d14910b075c4ca6b5023",
 "type": "machine_learning",
- "version": 206
+ "version": 207
 },
 "1781d055-5c66-4adf-9d60-fc0fa58337b6": {
 "min_stack_version": "8.14",
@@ -1536,15 +1546,15 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Powershell Script",
- "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192",
+ "sha256": "fc63208d7b1218e72d90948342343c545aab84431421c2d3b6d81b1a925181a1",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Suspicious Powershell Script",
- "sha256": "14d8f45b942a560b3b14732c25e7974f73d292f45a4e7918d19e53176371a601",
+ "sha256": "3bfa0053ceaa3a5923c2aeac1cbb923a448d65b83dda46cfc701cbcf37772899",
 "type": "machine_learning",
- "version": 207
+ "version": 208
 },
 "1781d055-5c66-4adf-9d82-fc0fa58449c8": {
 "min_stack_version": "8.14",
@@ -1552,15 +1562,15 @@
 "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows User Privilege Elevation Activity",
- "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251",
+ "sha256": "219fa2a191fb555ae903516b407568cc9bbc7be95ca6f3fb302311ce94382f0f",
 "type": "machine_learning",
- "version": 106
+ "version": 107
 }
 },
 "rule_name": "Unusual Windows User Privilege Elevation Activity",
- "sha256": "e1c5e226e528ca5b94b5043313893ac737e6f289a6c7021011cbccbac374b8a0",
+ "sha256": "b13eb00c757b1251104bf4c37b3a291ee5acc963ba34c008a8b6d8731a102b47",
 "type": "machine_learning",
- "version": 206
+ "version": 207
 },
 "1781d055-5c66-4adf-9e93-fc0fa69550c9": {
 "min_stack_version": "8.14",
@@ -1568,28 +1578,28 @@
 "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows Remote User",
- "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad",
+ "sha256": "c2ce8aa3cd6b41359d2374f00b781728b1d6990960574e1d27d013e9a33cda80",
 "type": "machine_learning",
- "version": 106
+ "version": 107
 }
 },
 "rule_name": "Unusual Windows Remote User",
- "sha256": "1c6ce3b862feb23ee131c82cda24b91a71c155b8cfbc57d8deadf6782dc324eb",
+ "sha256": "6e49cc6ec8fa0f149019eeb0d99bc587779e02711c05c54762667fb21676de08",
 "type": "machine_learning",
- "version": 206
+ "version": 207
 },
 "17b0a495-4d9f-414c-8ad0-92f018b8e001": {
 "rule_name": "Systemd Service Created",
- "sha256": "b60b8f6f9625053ab6af246ddc30eb490e456bda7f66464b769de74b3309378a",
+ "sha256": "64deb3a7d35566d558e890c281946d23e332598949d863e7f3fbefa14896a901",
 "type": "eql",
- "version": 15
+ "version": 16
 },
 "17b3fcd1-90fb-4f5d-858c-dc1d998fa368": {
 "min_stack_version": "8.13",
 "rule_name": "Initramfs Extraction via CPIO",
- "sha256": "88f6c3605792e48f97143dae8fefedd34a2b14b68960474ed089ba2db106e09f",
+ "sha256": "e91def04da5452836c00e38e6652e095e4124c1820f2650c10e07cd01e3fc61b",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
 "min_stack_version": "8.14",
@@ -1597,21 +1607,21 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Renamed Utility Executed with Short Program Name",
- "sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7",
+ "sha256": "3b12641768e2a47b26428daf4f845ab28c7dd839b86550febd738e1e8586d6ff",
 "type": "eql",
- "version": 110
+ "version": 111
 }
 },
 "rule_name": "Renamed Utility Executed with Short Program Name",
- "sha256": "ace9eeca0b1a6ebcd4b65d9e2ae4bd2f36b8947c516f5d108e7f2e714efc8ddf",
+ "sha256": "897127ce66b9d6ef35af246c068852d99e7af8df437c3e4d98baa466d779a8cf",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "17e68559-b274-4948-ad0b-f8415bb31126": {
 "rule_name": "Unusual Network Destination Domain Name",
- "sha256": "0bcbe426712010462b5b8c7b7e268f1c7edb9b662ab4b0db3cdb41c9ded8b7fa",
+ "sha256": "f20d9f97b235081744c25d793925b812e945e1e5e01719ce39cfcc0defb5b253",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "181f6b23-3799-445e-9589-0018328a9e46": {
 "min_stack_version": "8.14",
@@ -1619,34 +1629,34 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Script Execution via Microsoft HTML Application",
- "sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5",
+ "sha256": "f368ae24273f75a97331eb4294db2df1c387c497dada5ace32520098feaef4f0",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "8.13": {
 "max_allowable_version": 200,
 "rule_name": "Script Execution via Microsoft HTML Application",
- "sha256": "2c618a1e42c7a15f0b94f84bedbef7c477dfa17b3cac3d42205bf6cde5202f00",
+ "sha256": "e90219da2c60953e27bc20e62830dafd75772d2db35bbd32f51b8d0a4c6dc954",
 "type": "eql",
- "version": 101
+ "version": 102
 }
 },
 "rule_name": "Script Execution via Microsoft HTML Application",
- "sha256": "684159701e9e3176c8ca83b06107285ec6e1aab78f1d1794866e3aa38cfaa963",
+ "sha256": "2e6ff66e9a80e9b1753f07eb7bd19334a9803978510c2c2154280ebcb66cb4c8",
 "type": "eql",
- "version": 201
+ "version": 202
 },
 "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
 "rule_name": "Simple HTTP Web Server Connection",
- "sha256": "575964f96d787c02c6888d33c9161a93837fb176e8e240198586bbbd307789db",
+ "sha256": "300e205d2f05314cabd3ea5c9dc9fdc35ce1ee5211afd8f65d74a15e3ef0d8e2",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "184dfe52-2999-42d9-b9d1-d1ca54495a61": {
 "rule_name": "GCP Logging Sink Modification",
- "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2",
+ "sha256": "61f062813d6ebdebc0cc6698c7dcc7a975d9f3cacf7713f599fefb3a363a15bf",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "1859ce38-6a50-422b-a5e8-636e231ea0cd": {
 "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
@@ -1656,39 +1666,39 @@
 },
 "185c782e-f86a-11ee-9d9f-f661ea17fbce": {
 "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
- "sha256": "c4dbede7ecb8a7d4cb801fda64b573c95bb9410728f7c9f08aa32550ce093b7d",
+ "sha256": "1f41f4ccb333df0f6e2e8c35cf140f6c0d2a9bcd69f6bcbe995c987bbe00a668",
 "type": "threshold",
- "version": 2
+ "version": 3
 },
 "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
 "rule_name": "Spike in Number of Connections Made to a Destination IP",
- "sha256": "c06e03682393f75d7f4e7c47efac0a2a3bdc53865089656f9628b0e2129f33de",
+ "sha256": "3624c2a233bea0d357eca3960733b5cd7bc6de43ac52d3c824553397d583e773",
 "type": "machine_learning",
- "version": 4
+ "version": 5
 },
 "192657ba-ab0e-4901-89a2-911d611eee98": {
 "rule_name": "Potential Persistence via File Modification",
- "sha256": "f5cbfcaf9e6dd8e01c55fb2ed8afe33ef0b81e5007dc3743f0941ad9b58b7103",
+ "sha256": "3e0bbc97f6625f0f5294307064489d5cde380528cf838db84c6d84498961b0bd",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
 "rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
- "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f",
+ "sha256": "50d50eff9038dd625531b68413c95b8a5ff3357a9369c17508d6769ab15e953f",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "1965eab8-d17f-4b21-8c48-ad5ff133695d": {
 "rule_name": "Kernel Object File Creation",
- "sha256": "2eb986eae007c47e943a3657d2458133f365a7cbb5f997b2bd18de59abedf5c6",
+ "sha256": "eb75ed2a02885be89ba411760bb066cdb4f58f77f25e138ab75b9eb72226030c",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "19be0164-63d2-11ef-8e38-f661ea17fbce": {
 "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
- "sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7",
+ "sha256": "33f648f8fa253d9d09a1f3594faf4499982de1fc6d268944164a5d4b08313bbf",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
@@ -1698,21 +1708,21 @@
 },
 "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
 "rule_name": "Spike in Number of Processes in an RDP Session",
- "sha256": "c02ce126b5e2476c4b0957b0c3ef37a9b2dba70091c0f7164a46bc10a7ebdcd4",
+ "sha256": "2a4b88bcda39f3627856cc76ad43b699768b3d1cabd2d7ed7335c991b0466857",
 "type": "machine_learning",
- "version": 4
+ "version": 5
 },
 "1a289854-5b78-49fe-9440-8a8096b1ab50": {
 "rule_name": "Suspicious Network Tool Launched Inside A Container",
- "sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc",
+ "sha256": "68a2c9ed8a46b384ecb2a355df2a4634cbf081463794ed6e93931901277da031",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
 "rule_name": "Azure Application Credential Modification",
- "sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a",
+ "sha256": "f7362735f6b890396d8a39feb56c68597b92b95b75576e198efa44353fb980a4",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "1a6075b0-7479-450e-8fe7-b8b8438ac570": {
 "min_stack_version": "8.14",
@@ -1720,22 +1730,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Execution of COM object via Xwizard",
- "sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be",
+ "sha256": "62babd726ae5a985d3dd9add1aabacf93bb5c8787ad3486f8ca9d1ae675d7ec4",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Execution of COM object via Xwizard",
- "sha256": "378075d3770551eeae56e8ea53ab1cd46b454659bb893501cf1d289db20b6fb4",
+ "sha256": "9826caa22a613e9fdde9bae7324fb6f400cce7a89819041bbb709563fe470c21",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Execution of COM object via Xwizard",
- "sha256": "45e3cf83135b3ec25c35cb029422968d7a5094dea02895e0490145fa04586340",
+ "sha256": "414ae5d1c777554706e77fcf698fa405ce9159905c53e47449683ff8b606b8d6",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
 "rule_name": "AWS CloudTrail Log Suspended",
@@ -1768,9 +1778,9 @@
 },
 "1b0b4818-5655-409b-9c73-341cac4bb73f": {
 "rule_name": "Process Created with a Duplicated Token",
- "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802",
+ "sha256": "34b078db5943919e82a752fb623100ecf49de4400eb5b5af0beb5dde7933f97f",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
 "min_stack_version": "8.13",
@@ -1778,27 +1788,27 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Connection to Internal Network via Telnet",
- "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e",
+ "sha256": "1bc65565de45f1eff32df65b75aff663321aa0ebe9f25ab4bf86a1069147f03e",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Connection to Internal Network via Telnet",
- "sha256": "e19d71cafe597bc4b326785b8e8e725a53ba901c3bb0333928c1cb54799beb8c",
+ "sha256": "be9f9df9dab4218b1aee0e1a6cb799712ac359f1a3282a5bed0d5872ac0928f2",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
 "rule_name": "AWS ElastiCache Security Group Modified or Deleted",
- "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d",
+ "sha256": "91601e89cb6509b662c58081c0bc8819adcf3c883bdc11c2819cd87ed1ce2996",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "1c27fa22-7727-4dd3-81c0-de6da5555feb": {
 "rule_name": "Potential Internal Linux SSH Brute Force Detected",
- "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516",
+ "sha256": "7356e96ea1f088a2fd1b9412babba3ca73d9331aedf84b27f6fc8efe96edfc04",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
 "rule_name": "Potential Process Injection from Malicious Document",
@@ -1813,16 +1823,16 @@
 "version": 213
 },
 "1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
- "rule_name": "Suspicious File Creation in /etc for Persistence",
- "sha256": "ae500dfb91fef53e60123090127f7daaf307a63a988ad01fc07d30ed8c8fc368",
+ "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
+ "sha256": "9abe49370597003f6dc75e766e6b82486a26d1616b162ec5d2057028895d5ea9",
 "type": "eql",
- "version": 116
+ "version": 117
 },
 "1c966416-60c1-436b-bfd0-e002fddbfd89": {
 "rule_name": "Azure Kubernetes Rolebindings Created",
- "sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce",
+ "sha256": "250fb7d71a7e245ddced159b3f88b246c5ab4e89708f3130c7b27c55c998a33a",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "1ca62f14-4787-4913-b7af-df11745a49da": {
 "min_stack_version": "8.13",
@@ -1830,15 +1840,15 @@
 "8.12": {
 "max_allowable_version": 203,
 "rule_name": "New GitHub App Installed",
- "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe",
+ "sha256": "5409f401ac786bdadc45606d8d7f4b4c537367d93cf5555278d620c26f984168",
 "type": "eql",
- "version": 104
+ "version": 105
 }
 },
 "rule_name": "New GitHub App Installed",
- "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec",
+ "sha256": "e00feec6890b2361d7a10a06e2e91c713d0f28c866005e9e1f72610f0dbea4eb",
 "type": "eql",
- "version": 204
+ "version": 205
 },
 "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
 "min_stack_version": "8.14",
@@ -1846,15 +1856,15 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Incoming Execution via WinRM Remote Shell",
- "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a",
+ "sha256": "ce97e8b346f6e7bba7e209a95c49253e1561ae4cc80a170c9ae2e23ae6f36dbb",
 "type": "eql",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Incoming Execution via WinRM Remote Shell",
- "sha256": "413e3eff92ab72f06e4cef563d06cb6fee44cc7c59fd54e342da4d6097e914b6",
+ "sha256": "26cde5fd51100b2103cc8ebd9ffa4347f2529e861975e6d4b22770ff4e8f244a",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
 "min_stack_version": "8.15",
@@ -1862,22 +1872,22 @@
 "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Okta Sign-In Events via Third-Party IdP",
- "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e",
+ "sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d",
 "type": "query",
- "version": 5
+ "version": 6
 },
 "8.14": {
 "max_allowable_version": 205,
 "rule_name": "Okta Sign-In Events via Third-Party IdP",
- "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e",
+ "sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d",
 "type": "query",
- "version": 106
+ "version": 107
 }
 },
 "rule_name": "Okta Sign-In Events via Third-Party IdP",
- "sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3",
+ "sha256": "7709f499f3a03dd5ce65351e23a1a9959dc5139e8f50d72015df6ce2b0a3233b",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "1d276579-3380-4095-ad38-e596a01bc64f": {
 "min_stack_version": "8.14",
@@ -1885,21 +1895,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Remote File Download via Script Interpreter", - "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", + "sha256": "832c238b226f2b7fbbc201338e1d0dfe12a9a7ebf4a6263a1f038ab6019e0e6f", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Remote File Download via Script Interpreter", - "sha256": "6f27265db635c4e5a27af29fa64198dfa96b707802e5ccc7cba6609498d3543e", + "sha256": "ada7bae223693811f424b80ca156f7135da309f54f39186bed4f022974dda573", "type": "eql", - "version": 210 + "version": 211 }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Profile Creation", - "sha256": "becc05324f5f605086badfd23a1e969801e19931eb7ae06312657e19eac4175d", + "sha256": "16b6264718403929b906f7b79bfd533c83024fbc7acec96ca185dd3cf5d3eaa3", "type": "query", - "version": 2 + "version": 3 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", 
@@ -1929,28 +1939,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f", + "sha256": "94f7d66b79180d0ba45c617e24e4cb3a00c1489fb51b504d7aeffe8001d10959", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "ab6031b77ee7e33386e09b6709ad7d1ab82280dbfda90557b8d4b617f07ee4a2", + "sha256": "c994e0389ac555c93a42a57df8ea2b97d510399c33eb3f11de809c2018c44686", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "efc56fdcfe6bda16119359923755ab32f6703b8de3c44f536d1335dabbd59c93", + "sha256": "675020877e0f237ac091e0142a7db019267d1f73af9366cc520a9f7d27bac85e", "type": "eql", - "version": 311 + "version": 312 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "rule_name": "Suspicious Inter-Process Communication via Outlook", - "sha256": "181668624cb2b4bcc36606deec8dd31b109407ea7b1591438578d01cdce15dce", + "sha256": "c0dac1892d3e83d5514d879ef3a350f6156b44bf4e67c8e1055de7ef2c6d1a8b", "type": "eql", - "version": 7 + "version": 8 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "min_stack_version": "8.14", @@ -1974,15 +1984,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae", + "sha256": "aa02b181f4f9a4df3460586733ba1ae7481ed321e4ef4e2ed3b418030ef65bc9", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "49f49d62f770f10f10fdae98e3f6c03211715e12f5a072a26c1d0b22d1c275cc", + "sha256": "9fb2dbcc6cef8cc07dbeebd0d80481cd0482fb7b26c7ea593610b44081afb982", "type": "eql", - "version": 104 + "version": 105 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.14", 
@@ -2002,9 +2012,9 @@ }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e", + "sha256": "cacd567d5376f99af90e85da629e9cff9118851b3e35ce7448c89ba66e5c1407", "type": "query", - "version": 102 + "version": 103 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "min_stack_version": "8.14", @@ -2012,15 +2022,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Creation of a DNS-Named Record", - "sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3", + "sha256": "24a5cc160724e80ee85572da35813e258fcb55ef5b077894b4a649d8fbd6f1e9", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Creation of a DNS-Named Record", - "sha256": "5accab0498d68d3aea14b3f15cb0cfde813706bc712ed95d37e68281a4e3750c", + "sha256": "bd366149e20faa5b5e9ad60b298c1ad8f63002ee1451b7ee55e6c101547e6979", "type": "eql", - "version": 103 + "version": 104 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "min_stack_version": "8.14", @@ -2056,9 +2066,9 @@ }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", - "sha256": "1b4afd134fbb5d5c1cb57e6672f3fbcc22b63ae075701aa614af5619f80cff4e", + "sha256": "72276af57d19261776e819edd8d905bd7c5374108d27e9728922200bc839ea34", "type": "machine_learning", - "version": 104 + "version": 105 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "min_stack_version": "8.14", 
@@ -2066,22 +2076,22 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", + "sha256": "021df20053fabc64b24430c7e4bdb3fa187c6f00b27139bffc24759c4e97b817", "type": "query", - "version": 10 + "version": 11 } }, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "d57fd991da3d4f7b2a68dfa3e37deec177fe3b4f4977637a564c09c68949629c", + "sha256": "89dad03842e0833b63ac6d38d5cf8f2712f22e296b4390309b10f471ab78fc07", "type": "query", - "version": 111 + "version": 112 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "min_stack_version": "8.13", "rule_name": "AWS Signin Single Factor Console Login with Federated User", - "sha256": "5615d41bfc71884b3d207932c4421f434757b249aa207250e50b97b10d25315f", + "sha256": "67652ae55e23dcc67c6e395bd4b6354b74840c3c0ef81b0abe48e5f0fda50dc7", "type": "esql", - "version": 2 + "version": 3 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "min_stack_version": "8.14", @@ -2101,9 +2111,9 @@ }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "1020c70dcaf191d3b48430a916809caba50985d924ebc5a379d1de8c0dc3fca9", + "sha256": "7e9aeb7a0920e68d445b655d2a0b447b01aa117624ddd9e02a8ad4840701900a", "type": "machine_learning", - "version": 104 + "version": 105 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.14", 
@@ -2111,21 +2121,21 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74", + "sha256": "4fefe2cc790c9b5fd8afbd08cfd7bd28ee6f50dffd877ec1400d81c1659bcc36", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "edb91b7c64bd8e744fac58ccc66f711fb22f4daf41dde169c4e8be954d4d2b81", + "sha256": "b8941a4bd23e47360ee8b1a98140c573efad95250ad8e4ff1315da0b83ee3d8f", "type": "eql", - "version": 213 + "version": 214 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2", + "sha256": "e43231e171e4e726c838f080bb14bcde8a580af0997b0177b568ebdfd462e290", "type": "query", - "version": 103 + "version": 104 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.14", @@ -2133,22 +2143,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0", + "sha256": "6f9e237253c1d533e1dceaf4f673182fa86dcb4f04539ecb15a9f0dadb01047a", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "c69929f38a28448280307676118534bb0928728d16c0269577d27e957d21011e", + "sha256": "87f7a5cdc22d29da0c8cd7bc438e5e735e064c81584577cd34b46d510dccbe08", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "1a866e733aa7ce66be8425aa24bf02efd91c98b7dce86a22fab32584ef096ac1", + "sha256": "b697c5f18da0dedf8adabf369e59016a5fd9e362cb43d0434c14e7f8b63d93b8", "type": "eql", - "version": 312 + "version": 313 }, "202829f6-0271-4e88-b882-11a655c590d4": { "min_stack_version": "8.13", 
@@ -2156,15 +2166,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "6ad1b642bad962d9940a85ca08a1032187176ae60ef68d10052b7a025ecdea46", + "sha256": "c647d352170795fda0533a278e5c93824030a0e2391afb7d858ddf8fcef50ea3", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "dcccdcb3bc1e5b240f35cb216dd6c016c822cf4c7adb33f410aeb8a5f7c01f78", + "sha256": "e6a93a82d6ff821825f36acf2e6b37d99c68712acf3ab5f2a522d288de604dc7", "type": "eql", - "version": 103 + "version": 104 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.14", @@ -2191,15 +2201,15 @@ }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", + "sha256": "25cdfe21fb209fb7941dd020fbcfbadef29f04aadf5eb0e226efda9c35351231", "type": "query", - "version": 206 + "version": 207 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Suspicious Web Browser Sensitive File Access", - "sha256": "f285de9c9bf8851c505323409cd2daf9c3f4f430c5bae5b68541220f7acf0fbd", + "sha256": "f2563e3a26b24e637c8ac73d1f8b2c0a4f7fde0d81cde5ee33392c65892d9ccb", "type": "eql", - "version": 209 + "version": 210 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "min_stack_version": "8.14", 
@@ -2207,22 +2217,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", + "sha256": "69246453362e5ca8115d5ebc4d54e31708b17fca42e8f1c3289e2f21e27e0982", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "606f8fb96e10d28c3f078e71f4be2fa3c1806eac4331c217010c3e5404457407", + "sha256": "b3cf96a675e8bce7a335b93a6cceb02c5a7c736ced121dac5662c305c9855738", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "dedd11f2f7e4c43edba25c00b1deddb8fcd93f7c17a384a0ff0e086781d74caa", + "sha256": "99ed70fd9f47a95ed1240f5cc52f747dee59633a0c745c4efa9ab0127865b48c", "type": "eql", - "version": 202 + "version": 203 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "min_stack_version": "8.14", @@ -2230,15 +2240,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef", + "sha256": "633c67422491d16a2f3773ed98d16e1beb6d9369dcdf7edf264b8350e008ae33", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "8f0e6c0741fc802300e26ea71da63f8ece28e9b054d35e452de4e7d78bc634a5", + "sha256": "12383abd03ed18e19cc6e38a242cfe6ef50687fab36db30ce2d216216b538b16", "type": "eql", - "version": 211 + "version": 212 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", 
@@ -2248,9 +2258,9 @@ }, "210d4430-b371-470e-b879-80b7182aa75e": { "rule_name": "Mofcomp Activity", - "sha256": "c154de44212ce97be6bf2064228454a7baeb68ef036313f325ecbef08dfb1184", + "sha256": "43f37baa64cc4804bd89840d33aefed80888653d43e7e46330bfb4849e0880e3", "type": "eql", - "version": 4 + "version": 5 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "SNS Topic Message Publish by Rare User", @@ -2260,15 +2270,15 @@ }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", - "sha256": "52be9ea43b199f813b9c25ab2637afd7569a16c06703b7dc7f5151925b0b2853", + "sha256": "60b1fc8e258630c37d46106e04ddc92ee630843e73a695ff7697480d76438d79", "type": "eql", - "version": 3 + "version": 4 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "sha256": "5123093932b6f544cf28a9f7f30a22658848fa12289e7f1c21584d21a79e2354", + "sha256": "ae4d37f61191761fb59911def2d9d39ebedf6f1dd02bd3d22bca816328750af3", "type": "new_terms", - "version": 5 + "version": 6 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "min_stack_version": "8.14", 
@@ -2276,33 +2286,33 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b", + "sha256": "39e75f704730200ba6057b7687a63159e2080003d55f8b8e6217740e487ab59e", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "30c368664c1bd007c6f25e8f4815c47ba84d8626a03680a17f4d9e672cd6b61d", + "sha256": "7d93d723489d1f6a59e139b58489ea66daaaa5a601a1f03527f4e18f249bd3ac", "type": "eql", - "version": 108 + "version": 109 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Modification", - "sha256": "5950490a263aef327d0d6b9b4f9c83dd9eeb655207043afab349082a0d04e0e9", + "sha256": "3305c5a0f15096a7bb8b0818b40de617448029c1e701c89f35a611f31ddd9f0d", "type": "new_terms", - "version": 206 + "version": 207 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "SUNBURST Command and Control Activity", - "sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7", + "sha256": "8f0663314dfece6334c90619e9b9e2f5cee01e01b4768df72c1577b166910b24", "type": "eql", - "version": 108 + "version": 109 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", + "sha256": "739bcd7a637855f9186eb263bcd8107c93d83f7790c1ea4fab07b69046503e46", "type": "query", - "version": 207 + "version": 208 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", 
@@ -2312,9 +2322,9 @@ }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604", + "sha256": "496ed866c8272f94c11bfa2277bde15dbfa2efe47873a8ddbcbbe832eb805693", "type": "query", - "version": 104 + "version": 105 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "min_stack_version": "8.13", @@ -2322,15 +2332,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Kernel Module Load via insmod", - "sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d", + "sha256": "6d909c9373be54b6dc83f2c1d0b5416582fe6dbf4206daf4e496410ac5913aec", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Kernel Module Load via insmod", - "sha256": "9abb3eb385fa47087a7d19e819147ba24a8b793841f61aa0b3d6901aa880f106", + "sha256": "34839afc89c7b63c7e306377524879c547688d939a3f78e14a6ab5cf5b7ac210", "type": "eql", - "version": 210 + "version": 211 }, "2377946d-0f01-4957-8812-6878985f515d": { "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", @@ -2340,9 +2350,9 @@ }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { "rule_name": "Unknown Execution of Binary with RWX Memory Region", - "sha256": "3f418fe503710182cb6ee9cfde5fad9281638f086f4441f882e8c13dbfdaccaa", + "sha256": "6206107d6e66665a64ef46d0bcd7102570f88e6977651000f2609ad3cc6e8b4d", "type": "new_terms", - "version": 3 + "version": 4 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "min_stack_version": "8.15", 
@@ -2350,22 +2360,22 @@ "8.13": { "max_allowable_version": 102, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", - "version": 3 + "version": 4 }, "8.14": { "max_allowable_version": 202, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", - "version": 103 + "version": 104 } }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", - "version": 203 + "version": 204 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "min_stack_version": "8.13", @@ -2373,15 +2383,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "New GitHub Owner Added", - "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", + "sha256": "002be9292a0806831cffe8f7c1ae8704f2aba19ded7a11964225cde1c263c851", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "New GitHub Owner Added", - "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6", + "sha256": "a2e44a9352982f9a7fab91d7a6c0ed56fa52f09663f20c41c246407f643bb81a", "type": "eql", - "version": 206 + "version": 207 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.14", 
@@ -2389,22 +2399,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Lateral Movement via Startup Folder", - "sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381", + "sha256": "9a03061d1c7d42331e54fa8c990602900d110a67d95d1245e44eae86e42cdc90", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Lateral Movement via Startup Folder", - "sha256": "2fa971d8349cceea534e945ac39e6dc74a0af458533c1ccbca9f544f5f4b2a7c", + "sha256": "9e4c99a01ff339552587a57d476760b6cdeec2634d2f26b6d801a2f3baeb0bd5", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Lateral Movement via Startup Folder", - "sha256": "274df472a867247fc2de690c81bfcb03b32b4ed67e0cc46c3a64d40fd0231c44", + "sha256": "77d41e72a8e9b4a7bbb7fab3c40167833d4e87d06b28d8e465774750ef5104b5", "type": "eql", - "version": 309 + "version": 310 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "min_stack_version": "8.14", @@ -2412,15 +2422,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4", + "sha256": "099be59655d3f1d35382b882049816c2c0570633f5d119e1ae6285bf5d5a901c", "type": "query", - "version": 4 + "version": 5 } }, "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "01735177fce51c42923f16c612bbf247992c18fbc96e57a1b72c571807c334eb", + "sha256": "75e4844865ebef904a98f31b4021a2423b98a9e56a10e931089cea0ea3821cc7", "type": "query", - "version": 104 + "version": 105 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "min_stack_version": "8.13", 
@@ -2428,27 +2438,27 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", + "sha256": "0fee3ba7e3d8302fa7bf7fe483672987cabfa3cd38c2e532907b1b788f7c8260", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "219e824eb630f41ee3e7b32a4960f77e8fbe50e1014a05e29acf3a988cf0fbc1", + "sha256": "6ae28a9f2bb3480636a6b4ed317a06aa8278b5aeffa859e7279b2d41a85a12af", "type": "eql", - "version": 104 + "version": 105 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { "rule_name": "Network Activity Detected via Kworker", - "sha256": "6c823634705c69de0120c2254520b0a79b53891b3f5af608fab3f07a2f04ec3b", + "sha256": "74fc51f05798d86c079a4db56ebd754908e541d5391fb639a014358bf4da50f8", "type": "new_terms", - "version": 6 + "version": 7 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", - "sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec", + "sha256": "299b97cbda715b5eeabc7800ef5fbdd230b83acfb8b38ff4d6c1f1e231fe8185", "type": "query", - "version": 1 + "version": 2 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -2456,28 +2466,28 @@ "8.12": { "max_allowable_version": 104, "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", + "sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935", "type": "query", - "version": 5 + "version": 6 }, "8.14": { "max_allowable_version": 205, "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", + "sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935", "type": "query", - "version": 106 + "version": 107 } }, "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76", + "sha256": "3686340ff7f23094109815bb3ff499c3c9d5feb46b8ca8bf9dcc9059d295a28e", "type": "query", - "version": 206 + "version": 207 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "c48d98b19af215d3015bf2ae376ddaf8e9cf52396b7d8c7ecc202a8dd07e6ca7", + "sha256": "cd4778bc5d33895772be26bc4a6ecf28ef907e39c922c263758d2eed3f7c94a9", "type": "eql", - "version": 6 + "version": 7 }, "263481c8-1e9b-492e-912d-d1760707f810": { "min_stack_version": "8.14", 
@@ -2485,27 +2495,27 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2", + "sha256": "a91ee3996b61c4f76e5010d94738862b0c66cc3ab4c1ab802cc609b442a00947", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "42c3946d99b19b6c84dd284fe024b606c61cd8cbf26ccf17a957a92f9ac8f441", + "sha256": "0ed2079dc7c35c55a5dd08388ae09965a545b30ce73ae9974ab0d607832b6fac", "type": "eql", - "version": 102 + "version": 103 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", - "sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534", + "sha256": "9c1500534b794aa60add9daf3da3805ce5f70b117a900faf565c911764fdc73d", "type": "query", - "version": 102 + "version": 103 }, "264c641e-c202-11ef-993e-f661ea17fbce": { "rule_name": "AWS EC2 Deprecated AMI Discovery", - "sha256": "984211ed55f8898b7321729d0d86c68d2e9df858d8707db16a873776a96bf7f8", + "sha256": "8b8ce9fd3c322d65ab9459337f4a67256c7d08be0426c6825699f4fcc4ca4659", "type": "query", - "version": 1 + "version": 2 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.14", 
@@ -2513,29 +2523,29 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", + "sha256": "4cb0180da3ef6e0e18bd152032578629a162d39c81b679998254e1e96d7a7a1e", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "535792c8a18d108f65af67d434bd5befcc35f6422b87accce90f5cf7fcda3f7e", + "sha256": "4daca120672fa56fe87a520d2babba093bc294cc504bef5119b188d48173faa7", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "63d4edaeb49856654125035d9376493bf4182f432dffc0f6dd69eef84bf81441", + "sha256": "62371061d0455aa0c946f5512e06573f49e1e88b64995595af69a37cfc14651b", "type": "eql", - "version": 312 + "version": 313 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "min_stack_version": "8.13", "rule_name": "Unusual High Denied Topic Blocks Detected", - "sha256": "745f9961079e7134e24a8241e8b0dd9241739cd420c1904e1d1b3d479e86172d", + "sha256": "fe10ea745cf3203f237c4b8a40c63e9cb9d364c796bf52a2377425c3bd013171", "type": "esql", - "version": 1 + "version": 2 }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "min_stack_version": "8.13", 
@@ -2543,21 +2553,21 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Potential Defense Evasion via Doas", - "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27", + "sha256": "5a94f36cb64d23ad01b8c1ffe0cbe7229007da049faf46d3b1076badcc0a3714", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Potential Defense Evasion via Doas", - "sha256": "1c3da01c4b351cf0ade023da9ee0f8c71f5d33cd9ec57d70d403045f8ee952eb", + "sha256": "aeeb4b372fbfd18ee0dfa78606413a606d6bc8e7bee480b01504cbe103fe8006", "type": "eql", - "version": 101 + "version": 102 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "rule_name": "Privileges Elevation via Parent Process PID Spoofing", - "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517", + "sha256": "bfaf73bd5525893100c9a0593503ec5113aa3f61db2953a685aebf429b142390", "type": "eql", - "version": 7 + "version": 8 }, "26edba02-6979-4bce-920a-70b080a7be81": { "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", @@ -2571,15 +2581,15 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4", + "sha256": "d41060acde6ba44c9fd538c2c2169114bcdd473a35332389b5cd82e9ebef2af9", "type": "esql", - "version": 210 + "version": 211 } }, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "defedded1b250e59f79608e335fc198ae97d2dcae4a0ac4386e61630388a1c70", + "sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59", "type": "esql", - "version": 311 + "version": 312 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.14", 
@@ -2603,21 +2613,21 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "25e2ab660e4188ceba62e4820957228cb86abad97ae790a7202ba5b2531e345f", + "sha256": "63d9ec6b0b8f754c3d04d1b8509f7978545110c21c7cd36b95629e33e8327e06", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "450d468c26a54a6c70c3b7980ebdd8b9885277c51b1b7847b6a9c6cad45d1de1", + "sha256": "ac8b44ec148a457414e9ec3e058a6bc9ca8419eeb1df29a3108f4470cf55f9b7", "type": "eql", - "version": 105 + "version": 106 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", + "sha256": "45a1f7ed44be930e88471db5a5342a95b57a72bc185ba59c55fe89e7400fc69f", "type": "query", - "version": 206 + "version": 207 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.14", 
@@ -2625,27 +2635,27 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", + "sha256": "21c8229d021bc8b4ae787107ff45217ab56d52e249857ff17e0a4f51ef3c7f85", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "30c7423c5023c7e2a06f2b998a346e1a90ca192c24819613312d92d5f7e37117", + "sha256": "5a0f9b9a7ffefc4f2658c7b3637872e4beedb55b3e26d5cc76e3bf45f89cba0c", "type": "eql", - "version": 209 + "version": 210 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", - "sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf", + "sha256": "56e2aa8538cb1bfc6628887e820d427e37754644260ff65a94d8b2cd6ea08aa2", "type": "query", - "version": 104 + "version": 105 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", + "sha256": "72cefcbe9406dd477e621a600dab722c48420a443a88f1fe2afb43a0cf62af8e", "type": "query", - "version": 206 + "version": 207 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.14", 
@@ -2653,22 +2663,22 @@ "8.12": { "max_allowable_version": 215, "rule_name": "Account Password Reset Remotely", - "sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799", + "sha256": "4c5bf771c55b8c874282ea178599a0885a460a0a2f93008e1ce3b37eeca9ae40", "type": "eql", - "version": 116 + "version": 117 } }, "rule_name": "Account Password Reset Remotely", - "sha256": "8adb8b82a3d53207484f625914ee09d91378639f23dfaf99e0c5e4e504e7323b", + "sha256": "56605872558fe05e912719802d071ff5ecbb63e38f64a87c8e829ced69d9b961", "type": "eql", - "version": 216 + "version": 217 }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "min_stack_version": "8.13", "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", - "sha256": "f869eb5fd1ce73193d75b85ad5bee9347325c5b60329c8274b00d1807a867977", + "sha256": "138552f6df8aee3e8ab2164631ef74888c7d0297c012bbd6ac9ea1c1a37ecc46", "type": "esql", - "version": 2 + "version": 3 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.14", @@ -2688,9 +2698,9 @@ }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d", + "sha256": "c5975ef9ab2cb8b6055ad6bcc0d785f845ed553b7efe8c2791515b7f349e860c", "type": "query", - "version": 103 + "version": 104 }, "28738f9f-7427-4d23-bc69-756708b5f624": { "rule_name": "Suspicious File Changes Activity Detected", 
@@ -2706,15 +2716,15 @@ }, "288a198e-9b9b-11ef-a0a8-f661ea17fbcd": { "rule_name": "AWS STS Role Assumption by User", - "sha256": "2988f8c5e5774464830730c7672f895c27574e37db7a0dd42027d9e4617f69f4", + "sha256": "953a7ce35bfed2b2ce4beb94c883fdfa3e7d04f037d8ffa09fefc2a054676072", "type": "new_terms", - "version": 1 + "version": 2 }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", - "sha256": "50b88f12b91fe3feb9118bf703666cee8eef3f3a6c36a426e7b43936ed0e50e2", + "sha256": "8e540cba7b904b32d6b84add9bbcc2611190e0acc86307c9b1808f95efcc53af", "type": "eql", - "version": 2 + "version": 3 }, "28d39238-0c01-420a-b77a-24e5a7378663": { "min_stack_version": "8.13", @@ -2722,15 +2732,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Sudo Command Enumeration Detected", - "sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326", + "sha256": "60350833224cc7d578b57e68377f5c6eec36459f3b1219b27857d2dfb83c1dcb", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Sudo Command Enumeration Detected", - "sha256": "baf439993dc981bafad369990438f1d3377f8fed5bd3dc2eb66c2df021a7898e", + "sha256": "ca3c91b710e64c16368c525e5853a28d7c78cd266645365f5365dc149a48b72b", "type": "eql", - "version": 106 + "version": 107 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "min_stack_version": "8.16", 
@@ -2738,27 +2748,27 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403", + "sha256": "6ace4761c9708044d26fcf7337460b8479b0c47a4aad784406a4831f875a8ea1", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "3ad739db58620275cb4330a3cc329918aeae3bec457d3dff8ae127ef93ac05f7", + "sha256": "c7cea47065a3505125b65ea6912a9eb94cc3960f40931a96702b6d941aada582", "type": "eql", - "version": 105 + "version": 106 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation or Modification", - "sha256": "82a1df00e80a4d2e8c1cbcdef1cbc52c47bca472993056876a09f27981ed2fe6", + "sha256": "871b644ecad8dbcc497878dc7e8709971fb1b44536be0fa5cd97cfb75cec1082", "type": "eql", - "version": 5 + "version": 6 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS EC2 Security Group Configuration Change", - "sha256": "48882709d629f366aa2742f2930bda9d8520aa354b7a9df6ecb07e58d3ce6a95", + "sha256": "3094fc894dfd934d136e44472bb85b39b667d39ae1af5bbdecb0def1e9ee08b3", "type": "query", - "version": 207 + "version": 208 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.14", 
@@ -2766,22 +2776,22 @@ "8.12": { "max_allowable_version": 213, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c", + "sha256": "8fbc91f17e1079c6d25358d51370483f648279f3ad8e892d2a679df03c969ec2", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 313, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "d5889d6fb11d2ccc008cab9342767cacc97ce35cad65e947b0e808f8dd323e78", + "sha256": "d77ce672bc5fc2088fafb1b6633cb2f5955b7939b1d1302b5c2da31c8d336950", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "891e2a84a8bee293f84e2d2d2fb5755a5677ceb079a6adbd7cd800fd88b6a889", + "sha256": "d8fad9d3a7b3d3b175b9bfac15436fde23c180087fd9a61d05bbbdd70434ef3f", "type": "eql", - "version": 315 + "version": 316 }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.14", @@ -2812,15 +2822,15 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4", + "sha256": "ca1675b3254c032d02eb36a19399f23707b98c5db2ccfb585fd8047fe45e718c", "type": "new_terms", - "version": 212 + "version": 213 } }, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "6b9ddb99af8aebdf137ebdbc012a627a5c96f21ad7dfab54a26dc16d5763ed3d", + "sha256": "5ac18ed0a46ab76604bf76b574a4dd4d177cff97fabf4ba50cf58d2559cf6ba3", "type": "new_terms", - "version": 415 + "version": 416 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -2828,28 +2838,28 @@ "8.12": { "max_allowable_version": 103, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", + "sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd", "type": "query", - "version": 4 + "version": 5 }, "8.14": { "max_allowable_version": 204, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", + "sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd", "type": "query", - "version": 105 + "version": 106 } }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211", + "sha256": "020aa41dcdc659d6c9cf5c0619429e17fc67a4ed3a229e63c3e2aa82ca64dc59", "type": "query", - "version": 205 + "version": 206 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", - "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", + "sha256": "cb837753dc5b1e38c537d26af1c4c7ce8ac7211509bf369afa0654a9045f21e4", "type": "new_terms", - "version": 1 + "version": 2 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { "min_stack_version": "8.13", 
@@ -2857,27 +2867,27 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Linux SSH X11 Forwarding", - "sha256": "2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91", + "sha256": "607bcf6166da9a0c07fa8208a598d656e9da82b719410a4b3861431a7ad23b41", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Linux SSH X11 Forwarding", - "sha256": "61ef0630017ee5ecedc27ac198533afc92662fccf83af9e680976fb38d7b6245", + "sha256": "00e2bb957fa4242ec45b9b70e37c642d9e2a9fda94bd439e3be93f136118c283", "type": "eql", - "version": 104 + "version": 105 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", - "sha256": "31193d1ef0348a443dc4c9605b4f62d6242633a24281f63b10519a48bb6178b4", + "sha256": "c40db65118e9a93fd6d8e9b520bbce17da234a91ebb79cd1b51352c4215c0127", "type": "eql", - "version": 7 + "version": 8 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "dc8b0a2fc0d7fa52084bd9ff94ef01de5dbafce96fa29a0e89c89ef27ab8e9a7", + "sha256": "9ed50af9932a336e33eacff970ebcb3d99c94830b55744d32565828d68c683cc", "type": "query", - "version": 204 + "version": 205 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "min_stack_version": "8.13", @@ -2885,15 +2895,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "ESXI Discovery via Grep", - "sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880", + "sha256": "0b220ddab575a1241b10575ba0fa022641bb5dd6d7b668a24f6e4e8e7795381c", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "ESXI Discovery via Grep", - "sha256": "d38a739617452964c32555576678742890611cdb452ed76394bb7a4dbc5b1bc1", + "sha256": "17186c1c0c162dc0877b0ee69ac30a87d0a2ab108b22eaa116c9df0c9a840578", "type": "eql", - "version": 107 + "version": 108 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.14", 
@@ -2901,22 +2911,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Adobe Hijack Persistence", - "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe", + "sha256": "c39267858935a1708b5485ab0f15d8fec3c65af74dda3eabe1a645357b6ff54c", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 413, "rule_name": "Adobe Hijack Persistence", - "sha256": "444405e37e8e57d20939866f5b78a3a70eb14ff1533a0524f612c56daa2ce62a", + "sha256": "5d4eda2322ee604b41b05b508100d15e3d8230cf544f5e9685b20c82c9957fc4", "type": "eql", - "version": 314 + "version": 315 } }, "rule_name": "Adobe Hijack Persistence", - "sha256": "98e76c4e7dfdfd6f4b1bbc860b8d1ded5399f58cf113baa58e96cbb4c2c34f65", + "sha256": "e7b371bc3cb56880f4b66c8f8fe941a3dc804cf4d7a909203eb1aac36b2eb4e8", "type": "eql", - "version": 414 + "version": 415 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.14", @@ -2947,15 +2957,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22", + "sha256": "19459360acfaabbee9191b0bffc67924d652582ec4b24d908ab43e31ed2baf8f", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "9cb101dff02725a228ac6abd8ec38be725b6f0375a41b27f1ce6e446fa009463", + "sha256": "ed9cc4c9d37caa1424d72d1771b8aaa477eee67588db0cf67131757668706a64", "type": "eql", - "version": 210 + "version": 211 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "min_stack_version": "8.14", 
@@ -2963,22 +2973,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Potential Foxmail Exploitation", - "sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91", + "sha256": "9f86eac400e2faa31c8268ac8e848b69881a1f1609f46197976260493af312d7", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Potential Foxmail Exploitation", - "sha256": "677b62dc3502ba3192802220e5c25de4e44c1c068cc4cbb54124820c29ce13f2", + "sha256": "6d21068759a60e2fe7b6b07091cfa26e48f2b6c2a2cf16239f5aff16aa3e6819", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Potential Foxmail Exploitation", - "sha256": "2cbfc9b78f91dc490e73a2fda8ca38737b819a786d7912db3d0dee69983a971d", + "sha256": "deaa9f94ff0d77ec297bbe56228d604d0ec8ff93168338d0fe56ea6586be9b37", "type": "eql", - "version": 202 + "version": 203 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "min_stack_version": "8.14", 
@@ -2986,28 +2996,28 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf", + "sha256": "ca696785db9d072b73354981c190cb3612631aff9bfb21a7e71087839979c28f", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "a80f52e2d0f126a7c18db7078056274ede0a847de4047bf98ab6fdeb58beef17", + "sha256": "db70fff6a4d8ac90ee2307787ac0d09653001e7019f4ef1014397d5d28e28264", "type": "eql", - "version": 101 + "version": 102 } }, - "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "f343d88c98d36193572a1726eef142417d8f9af99eb57da610bd75e4c1a79d9d", + "rule_name": "Command and Scripting Interpreter via Windows Scripts", + "sha256": "0f14291a9a4bfdb07c95473002beefcd90774b98afcf9d8e07c0e2c3ce47a9b2", "type": "eql", - "version": 201 + "version": 202 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", - "sha256": "e476a54ff58dbe2b9ad2df9aa0a9e110cdaa9b7f6adea0b3fa77bd0f4638913c", + "sha256": "52c116a646055bd0157cedd2d9977b1582266b6dd9b8f6d1911d2e72232ae161", "type": "new_terms", - "version": 210 + "version": 211 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.14", 
@@ -3015,15 +3025,15 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", + "sha256": "6f9f6d3a9b1c3c10ee6f372c529e3043cf57abbe70e819991e61b39bd48cfac8", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "ddbbefc59783e983723d68990ec3bed4228de396458b94ed38fdc10ade8d9c9d", + "sha256": "9f2195a1ff14af308fa971db89cf85114f85149da9fab3f43237cc3cbb0a5bd6", "type": "eql", - "version": 311 + "version": 312 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { "min_stack_version": "8.13", @@ -3031,21 +3041,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", + "sha256": "fc0687aaffa30b4402ffbb232a6609e8a832a677f70d6f87d826e0967cb6ae18", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "493174dd97f98d9dc2385620938cdd1b1fb3bac13fbaf6cefd5bba1d9d52fbba", + "sha256": "54a054dded59179d223df5711dfe78e54de51c2d8c7f3fd91d4eb0b7cda1aa0c", "type": "eql", - "version": 103 + "version": 104 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", + "sha256": "8df93c4d2e8d8e22dc9b2519c322833798fd0dd6e0179688ad46849263b97038", "type": "threshold", - "version": 207 + "version": 208 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "min_stack_version": "8.14", 
@@ -3053,22 +3063,29 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727", + "sha256": "a1f96c64b24f9a8b3741efd7057dd191f2cfe328e4418e21fa2861f4943345b0", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "903805e8cc42654adfa662e19eab1b40069bf11b67935e85d3d175c3a969514a", + "sha256": "6f66a2c4f0eb285877ec1976337925c992b5644474d9a8292c702802bd961c34", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "1e0176ef079975e1f7800254fbb79354318b4765c236b9cbb67f9ade42b3fa4f", + "sha256": "edaa7c97d52183cb2ff7b10553ab33fbdcfc197d78bc07cda7f29633f878e4e6", "type": "eql", - "version": 210 + "version": 211 + }, + "2e0051cb-51f8-492f-9d90-174e16b5e96b": { + "min_stack_version": "8.14", + "rule_name": "Potential File Transfer via Curl for Windows", + "sha256": "6557b61c306bf5be34401d54dd293dc893f43c1ecd05c5705ad94ca2967878ff", + "type": "eql", + "version": 1 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "min_stack_version": "8.14", @@ -3076,15 +3093,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b", + "sha256": "3f92ade9c8cf46297f9846194909bde8477311035bce84de538a59154fab0a08", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "868e3c2f1a196ebbc4dd930f064d4c6b6e935ec882160043674baf64605134b0", + "sha256": "ba2643e57a281cd68d1f699d40aa824bffb36faa4b50d6ee43eafdc67fbf0942", "type": "eql", - "version": 211 + "version": 212 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.14", 
@@ -3124,35 +3141,35 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", + "sha256": "154a54c158e1072b12c8c12e5c0b1a4efd33eeb055cc0a97dfbce0af0e73dc48", "type": "threshold", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 202, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", "type": "esql", - "version": 103 + "version": 104 }, "8.14": { "max_allowable_version": 302, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", "type": "esql", - "version": 203 + "version": 204 } }, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", "type": "esql", - "version": 303 + "version": 304 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", + "sha256": "33aca0b923a70f6be45450125434d1f43b00df2f2b4c53db570c103caff35644", "type": "query", - "version": 104 + "version": 105 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.14", 
@@ -3205,27 +3222,27 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Attempt to Disable Syslog Service", - "sha256": "b1a7d12998e1efd7ea299012dcf84947b7b732b5d5acaf875515adc5e0289cf9", + "sha256": "2ef044a4379ebf8587fd12c998257f558761c47509df7f0295893dd4bb6f34f3", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Attempt to Disable Syslog Service", - "sha256": "22a0fbb06dfda70d1adfd4babcfef821d608b27db689d38ad0a6da435108d146", + "sha256": "06b9e45618193c5102c36edb26ebfcf648ece1120ef3a26f650915c43b5881b2", "type": "eql", - "version": 210 + "version": 211 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "rule_name": "Suspicious /proc/maps Discovery", - "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", + "sha256": "5316ada4014d2c9a7930574d4566f9b686174872e4fe5ceb6aadf5aa70ea9f33", "type": "eql", - "version": 2 + "version": 3 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", + "sha256": "12a39f6d9969db63436c1a00acca99e9add307c1cd5027f78b8845251fab148b", "type": "eql", - "version": 109 + "version": 110 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.14", @@ -3251,15 +3268,15 @@ }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", - "sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e", + "sha256": "bdc8c042341275de2dda2fbb2cfe8352f8fef57e17ade3f9a6a0f4a2f34f6f7b", "type": "query", - "version": 104 + "version": 105 }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", - "sha256": "16e9f3ed67d6796c3a8d6b7fae2c3432ecec1180bccc33240b81d05c0d654d22", + "sha256": "501b384fc62d0114e489f893db676c77a67a7de686ed549cc96d28110a216431", "type": "eql", - "version": 2 + "version": 3 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "min_stack_version": "8.13", 
@@ -3267,39 +3284,39 @@ "8.12": { "max_allowable_version": 107, "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", + "sha256": "087ddf9a38cc3a95ddd050c3af74a8205dcf16b78a267a1c40ecab0206895466", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "696509a7cdb782460d36cfa3fa0aacd0526662d34d5b8104d0a5f75c0bdaeb93", + "sha256": "fde62451dcbc2aa7269cb18d276d8552cd6e745cb2f47292fcf56451ef9fdfec", "type": "eql", - "version": 108 + "version": 109 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "rule_name": "Network Connection via Sudo Binary", - "sha256": "b469b8c3a65e085d1a09370ef4bf02f1feb2e98f438d6af4c42d1495c1959385", + "sha256": "78f4f52284b8ea5c871846b90d949f540c2cf40216301247c3589ad6e31e8aca", "type": "eql", - "version": 3 + "version": 4 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", - "sha256": "a0060f1d4d4a006b66f4dad527c7bf963002cf71864a361f0c45f7959030f08f", + "sha256": "fde6148916cb146e840e4017c597cb865ed148dd9eb6ad32b27f527b18e30866", "type": "new_terms", - "version": 3 + "version": 4 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "ec70ea76f2b63b214733972e4c42caadfa150fe1b0efa06b5d369bdcf5d80129", + "sha256": "7cec198919a09236965c3fdfd4b59f77b7f52143b5764447161b1098935d2ee3", "type": "query", - "version": 102 + "version": 103 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", + "sha256": "ee23f22e47ceddb6e8677a346d2b5a4af9d9f5da170c238a64f5c8851cb61903", "type": "query", - "version": 104 + "version": 105 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.14", 
@@ -3307,53 +3324,53 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7", + "sha256": "1d5b8b66ae45d9bcba982bcee8dc4994d4cedb7541738eda36dfb8de2accfb0c", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 313, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "3a5ba368eb9c20041f39f0ccb099b88622f09abeeca8836f0978e004928922e6", + "sha256": "27eb461382f469f2615f24a2887acc73df8bdfbe582d3d31d321bcefcaa5d201", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "7636e829317fb6054a6324982a7342705e13d8712bd9297b1e16195419b0edbb", + "sha256": "50e3fed73bd4705f76f78df40640d810c310f3acc21468d1246f910127187f4c", "type": "eql", - "version": 315 + "version": 316 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0", + "sha256": "5f12891f87725569f26f55d846990b172e4b083945291b524995a0c2b39d1f88", "type": "query", - "version": 104 + "version": 105 }, "3216949c-9300-4c53-b57a-221e364c6457": { "min_stack_version": "8.13", "rule_name": "Unusual High Word Policy Blocks Detected", - "sha256": "e60e73464e34fc8b533162ec135fadf0b5dcfc463f310236241febc2eb032c17", + "sha256": "fbc24d43876fb187d170bf7067f200bfc4a9dc9315138429cf73dd99f867b8ba", "type": "esql", - "version": 1 + "version": 2 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", - "sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e", + "sha256": "a75544c3aa79d018caa2133ae6cea5c8ad25a63e3287613ed0a491e21ea8db90", "type": "eql", - "version": 3 + "version": 4 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure Network Watcher Deletion", - "sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a", 
+ "sha256": "4361eedfbd069e79f89dc6fc2cb69959fa012d9333bb12fa3a7a48bdc1956047", "type": "query", - "version": 102 + "version": 103 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "bd14c9e18b459c255249f0f5e5e5d3fb94b2c32186ea0e40eb3847cf3da62ac3", + "sha256": "4225710e2f58d4c9a39ab24e6e05d1553387f3bd659ccf97398b490b820df50b", "type": "query", - "version": 104 + "version": 105 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.14", @@ -3361,28 +3378,28 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Program Files Directory Masquerading", - "sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef", + "sha256": "17788893fc6510e7f611de6c1046d1c0a8ebb5937ac675d96d8555b98ed4b9c8", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Program Files Directory Masquerading", - "sha256": "b971172eccda841cf458753c2173ec71dad386098f0aecce8d402912cc50f630", + "sha256": "dd7609c7ed75762383c65d441706b5cec4f6760974567894ea5e4b08fb80603f", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Program Files Directory Masquerading", - "sha256": "7118d989ba0d5e6e0b2a80bb486a7a93738b35454c185aa6edf9e558ca1662d3", + "sha256": "5e2521c495505730bc747cae7beaef82e123e96c4fa6dfcc7530e8d63d3640a6", "type": "eql", - "version": 312 + "version": 313 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "Microsoft 365 Portal Login from Rare Location", - "sha256": "3e3186fdaf81508055217cd52ac7b74d8c88bda2fca0eca7f8e1b3b573b7cd02", + "sha256": "c839af879a5c765f5e319641da93e5418ac234abdb825d1d9f1df9d746f9e2e2", "type": "new_terms", - "version": 2 + "version": 3 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.14", 
@@ -3413,15 +3430,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Directory Creation in /bin directory", - "sha256": "f412ce479acffee82949aed77160fece5ab382dbec5d754ae3c3fdf213e61712", + "sha256": "e2fc0d10f43934c5dfad79a4f0f2618e38c52f91e897b1fbbaeb75b7d2ae0749", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Directory Creation in /bin directory", - "sha256": "2c803e78bc8f8a94d576257db77fc5299f73a5e7365d61ee7d2ca6168f5f8a1e", + "sha256": "b5fec392950d06c2eed32e7b773c1586b1664272bd889de75bf44e04bae6395a", "type": "eql", - "version": 101 + "version": 102 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", @@ -3435,27 +3452,27 @@ "8.12": { "max_allowable_version": 106, "rule_name": "ESXI Discovery via Find", - "sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df", + "sha256": "e945a579fb2d4bdd868c12f606098cd96cd82197b76142880a5deab1ab401ab5", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "ESXI Discovery via Find", - "sha256": "fc783c447a0efdf2dbb9749e4af9982fcfe4ca9c0a25e771675c110d1e56672b", + "sha256": "3ce260f07de51346b47a66b5297226e6450cd3bb3e57a902ac1a06fb9bffbae9", "type": "eql", - "version": 107 + "version": 108 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", - "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", + "sha256": "2d6cac53a7d7baf61d489765382f2b2d431be53f846101569f7e49a35e59df98", "type": "eql", - "version": 110 + "version": 111 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", - "sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6", + "sha256": "8c1e8fd8134b90d32749366fb7d20b184a823a0e5e341af7b44f61679905bd6b", "type": "eql", - "version": 1 + "version": 2 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { "min_stack_version": "8.13", 
@@ -3463,33 +3480,33 @@ "8.12": { "max_allowable_version": 202, "rule_name": "GitHub Repository Deleted", - "sha256": "660476227e525d314ca01414cb724faceba46253e12dc63cc24f8ed8e5014fd5", + "sha256": "bbc9f533b703f0f2a2aec221e6c184c662bae31b89b8e01b2a7483f00fdbb84b", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "GitHub Repository Deleted", - "sha256": "31dfbf633245e9bf0fa40429d05f942caf186ed52c457ed58d90fd309dba218b", + "sha256": "680ea8566ca2b5e114053f331458450f3a9fdbdcda67246619a56e3304d7d4bb", "type": "eql", - "version": 203 + "version": 204 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", - "sha256": "cf3130f23b44875cbdc95a497a47b56ca8d3eddfd51b8275318b17028b7f5e56", + "sha256": "0d6e63fdb711a79ed9a8236fbfa447b8dd9cd9c750fe206e4f69d544b4cb7127", "type": "new_terms", - "version": 1 + "version": 2 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "d4d536d179c2456b42cc7463e03bb7cc9e7f6b8fc478a861c31138ba803c957a", + "sha256": "a93607d49470b41ab526136a54c50d0d65923b7af46008f570ecf780090ff342", "type": "query", - "version": 106 + "version": 107 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", + "sha256": "93108f6db43019bf85a026b0e1a0283d1387d43696c8cbff0338ade95de87373", "type": "query", - "version": 106 + "version": 107 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.14", 
@@ -3516,16 +3533,16 @@ }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "rule_name": "Spike in Bytes Sent to an External Device", - "sha256": "7f778783d142f64fbf3be96cbd7c5059a658dce8b1986144a77ebac82f8c9a58", + "sha256": "b78351582a7ddf68ad29828252540753accedab11361b21c3cb3cfdcd7ea6da0", "type": "machine_learning", - "version": 4 + "version": 5 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { "min_stack_version": "8.13", "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts", - "sha256": "b8a5a3e5d42986cc6784293804bea5aa15d3f3062fce2ed4740680f384718d88", + "sha256": "3f28423faced2b8aa0493681362683f095c9464aa5ecb67465ac44f2694aefc3", "type": "esql", - "version": 2 + "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "min_stack_version": "8.14", 
@@ -3533,28 +3550,28 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0", + "sha256": "fdf30a404fcf1f457a3530ba76e543daad00de78c6c30a18ca40f103beb6caf2", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "ec66f5859b414a64af3fb50ecdd42328868c38c15d769091fbe8b212c4bfeb46", + "sha256": "19bed7ae3eefe2b9f8d9f9cbd99efbff32206937e70a162d1491cd54c108c103", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Unusual Parent-Child Relationship", - "sha256": "d4084427ba4202e29ea9d52ef3f7dbf75c97b4a6f1a10725f786c723d5659016", + "sha256": "8c2faa0a772b773b9aa59da52cd46c6984b6271a148639ba16b293ccddce14a5", "type": "eql", - "version": 314 + "version": 315 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "4717b0d0eb76707afa4f290f2239c9c078684d413574d6615ec4c298bd38495c", + "sha256": "cb3f4e2e92eeffed4bd1250dcc2811b1e4ee69877e3d14a107578a5b0d10fe24", "type": "machine_learning", - "version": 104 + "version": 105 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", @@ -3564,9 +3581,9 @@ }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", - "sha256": "fe046a7846b79f672e4e7b8458d89a2e198eed687295bd94b48f0aa55d4e2d18", + "sha256": "2c9b76f51b6b60aac35cbe7fe3bc6458f23d91c76c8cab96a30d6148b94b3d74", "type": "eql", - "version": 110 + "version": 111 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.14", 
@@ -3574,28 +3591,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb", + "sha256": "e0de6aabadb9b3edc0355ae72df8fa446a91a842ef12b8ef6ec687e906c931f5", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 308, "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "d70480df37508e5a424c838ac5ccc1002758e722ac2e3a8fdb58ba327ec88eaf", + "sha256": "cd1475178a3952f625d34aa54ca62f9221babf15037db6ad279da8a14ec58ff7", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "6cb28ae624dbac6a4d47e720907a77cdf089d5b190a6cc3bbbc2cc16990dd488", + "sha256": "3cfd44cb623fa5f87fb2bc4b70fb4825b8c30cc422f5ca4959f8affa6a59c239", "type": "eql", - "version": 309 + "version": 310 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "rule_name": "High Mean of Process Arguments in an RDP Session", - "sha256": "702a6f3a2433e5ad66e4dd17b555c7bc979578f8248e27744f421e12791d0780", + "sha256": "0375f50891da2c560d538d9af682bf73815c0e8097191a66c4b7ad3d2d9f85a0", "type": "machine_learning", - "version": 4 + "version": 5 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "min_stack_version": "8.13", 
@@ -3603,21 +3620,21 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Potential Suspicious File Edit", - "sha256": "bf74f549ef8c05505839770cb6d64489d48d766df1312cd3524c9d65450352dd", + "sha256": "85b4308a095fda0a1a41576379cf8ca6d2bcc3ddb4aaec2c851eb2c5f083e6f8", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potential Suspicious File Edit", - "sha256": "e3c28261518b3d09fe11ffba93334faea5c28a139351f3b8218907e2843ba3ee", + "sha256": "cdff182cf2a97fd9ff3c7d14e95a5a79e3462d548eeef0db8a2367e2af77e5d3", "type": "eql", - "version": 105 + "version": 106 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "AWS RDS Security Group Creation", - "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", + "sha256": "2d9a2d2805620d5537bdc598986669726205be63bf72fd472e586860559f3c15", "type": "query", - "version": 206 + "version": 207 }, "37994bca-0611-4500-ab67-5588afe73b77": { "rule_name": "Azure Active Directory High Risk Sign-in", @@ -3633,15 +3650,15 @@ }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS SSM `SendCommand` Execution by Rare User", - "sha256": "eaca01a4eabb8830d6e1829229535613f1f61dd22c301080198653b3cbbff971", + "sha256": "713fd8c17945bb80c3b98f60f14f907c30c2a333641b4671b9a0c3ff0c5618f4", "type": "new_terms", - "version": 210 + "version": 211 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916", + "sha256": "5f573869ccc59acdcce25fd3eb2fc8e2c968f0706d244c11c7ca14753b018257", "type": "eql", - "version": 206 + "version": 207 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.15", 
@@ -3649,22 +3666,22 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", + "sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8", "type": "query", - "version": 210 + "version": 211 }, "8.14": { "max_allowable_version": 410, "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", + "sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8", "type": "query", - "version": 311 + "version": 312 } }, "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146", + "sha256": "335b721089e14060d49efd5a24e91c1234579d86f289c8e2d55a68f139685424", "type": "query", - "version": 411 + "version": 412 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.14", 
@@ -3672,33 +3689,33 @@
 "8.12": {
 "max_allowable_version": 214,
 "rule_name": "Network Connection via Certutil",
- "sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be",
+ "sha256": "3f6234c8ab1d36fc0aee41b20d47c226fdddafbf988fd7a990edd1967bb6c123",
 "type": "eql",
- "version": 115
+ "version": 116
 }
 },
 "rule_name": "Network Connection via Certutil",
- "sha256": "a46ff963d1341267dc84e8cae348751c9602db28818d086bdbc2d06646e63071",
+ "sha256": "ee7de9f4e8ab3c5761b6312c919095c5cf492a9db5a0723c83799fc34b584f5e",
 "type": "eql",
- "version": 215
+ "version": 216
 },
 "38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
 "rule_name": "Prompt for Credentials with OSASCRIPT",
- "sha256": "4082dec3872831be075b4437114dd49a7322440fc0f7650a4de37632a9a6b063",
+ "sha256": "97d4337cd351104a3925d2dee5c322200ea4f2f58aa5b199d556deee79d05105",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
 "rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations",
- "sha256": "b27504fdf50603f2d3b2d98b424475dd42fa3e57f3331ab23a5b8290dde2302d",
+ "sha256": "0300fec34ca31a5cea787eaded914a17bc72892cce35401a358a0cc6aa49fb1e",
 "type": "threshold",
- "version": 2
+ "version": 3
 },
 "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
 "rule_name": "User Added as Owner for Azure Service Principal",
- "sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f",
+ "sha256": "c794cb33079d83fd0ff1a98396f73fc84073e6498982afb0f9bc08d82db37dea",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
 "rule_name": "External User Added to Google Workspace Group",
@@ -3708,21 +3725,21 @@
 },
 "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
 "rule_name": "AWS EC2 Network Access Control List Creation",
- "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee",
+ "sha256": "60c301aadbc57095fbb764f310effa2a4d569269d7b1baa6f08adde2b312328c",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
 "rule_name": "Downloaded Shortcut Files",
- "sha256": "3734901c2dbce0d6f0b119ddff90fe866f68c2fc432c33ef166921f6ba83c1fd",
+ "sha256": "6c9bc695426f3a54fae927672294c7f2717d5cad3fcbfb5f08b482c14ca8939b",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "393ef120-63d1-11ef-8e38-f661ea17fbce": {
 "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
- "sha256": "c17aaffab1800f50439ea947e5d83bad847542dce0fa3a035bff758b4b41d5a6",
+ "sha256": "3baef76c046e4ec7eefef4ea4afd2a3ab5e3087df2e8501087fcd54235a0ea2c",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "min_stack_version": "8.14",
@@ -3730,28 +3747,28 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Persistence via Microsoft Outlook VBA",
- "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
+ "sha256": "b4336a223059e535a011019a1195afac85891381ddf49844a802db5e2b477d60",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "8.13": {
 "max_allowable_version": 306,
 "rule_name": "Persistence via Microsoft Outlook VBA",
- "sha256": "fbccc75ff02a26ccb579fc912dbe3bf5e26a7b1c0e7f2084425a15d680bda382",
+ "sha256": "6fea9ce2228537a8fdd8bed28be66ad7dda0b6cab23977c97c5c546f0d948fdd",
 "type": "eql",
- "version": 207
+ "version": 208
 }
 },
 "rule_name": "Persistence via Microsoft Outlook VBA",
- "sha256": "33de23d497e65bf6580cc0881d00591732c13e58e5e35d309d5a9bc28346b5de",
+ "sha256": "e8b70f2aab1ae0ee6ed818eb7bb5e7feb7fb75ac124680f6f0e9e79ae7395e46",
 "type": "eql",
- "version": 307
+ "version": 308
 },
 "39c06367-b700-4380-848a-cab06e7afede": {
 "rule_name": "Systemd Generator Created",
- "sha256": "b336dcc55cb6d9c74fd8f467faab033cf4e5c408d97b06a750b73840b1ba098b",
+ "sha256": "e121d39bd55b1f521c46bde65369f4dc594bf36659e4f5ccc0716bc3a1179e46",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "min_stack_version": "8.14",
@@ -3778,9 +3795,9 @@
 },
 "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
 "rule_name": "Suspicious Module Loaded by LSASS",
- "sha256": "372861b3a0dbd56bd07c70db72fade23ea4a42e3e23bb7f2abdcb213da4ebc17",
+ "sha256": "e01f62982334437f828c2aa0c07b8867b2b9811b190a82c5b871d1f47226447d",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "3a657da0-1df2-11ef-a327-f661ea17fbcc": {
 "min_stack_version": "8.13",
@@ -3794,9 +3811,9 @@
 }
 },
 "rule_name": "Rapid7 Threat Command CVEs Correlation",
- "sha256": "84bf983155b5e76077e32a0adf47cc76be94453dbd39a996d7cb55b112a6eb99",
+ "sha256": "eea438035c9adcd9486112d776374a2097e248b2311e73e0feb0d239e6507a7c",
 "type": "threat_match",
- "version": 103
+ "version": 104
 },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
@@ -3806,15 +3823,15 @@
 },
 "3ad49c61-7adc-42c1-b788-732eda2f5abf": {
 "rule_name": "VNC (Virtual Network Computing) to the Internet",
- "sha256": "7201f6b6243d0d0dc0eac73fe827a1ffb624b049a65a51c6841c687ffe51721f",
+ "sha256": "32d8adf51c1b7880e73d4cdb4e6b9e4a748807c35a66aea5866abec659490bd6",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
 "rule_name": "Azure Full Network Packet Capture Detected",
- "sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d",
+ "sha256": "136ba855c996285fe602c5a751d85e4d5597adabab876c0840fb892207d97fb7",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
 "min_stack_version": "8.13",
@@ -3834,9 +3851,9 @@
 },
 "3b382770-efbb-44f4-beed-f5e0a051b895": {
 "rule_name": "Malware - Prevented - Elastic Endgame",
- "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442",
+ "sha256": "f47e578ad81a99ac6ee1bd6045dddbe2ded14cc8f273b02f0f64ab04824557de",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "min_stack_version": "8.14",
@@ -3844,22 +3861,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b",
+ "sha256": "9bd527185ec4c38596e49c3a7ad276daa080ef3cf609a464de4f59e21fc1080d",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 412,
 "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "fc39f2acde3920cf811fffeba7c26a81cdba43f00f44e9649e96c6638439f59c",
+ "sha256": "fbe869ca88d432de9d48ffbb12ee20f5a623aed0aab53eba99bd3e08daf687e4",
 "type": "eql",
- "version": 313
+ "version": 314
 }
 },
 "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "6607d2b148d51566de12ce0fadb3f13c90bb62e32b04a73759da7217d76f611a",
+ "sha256": "ae201f63b498ee9be3fb10b20daa1fefbe924dae1f8f7aecdfa986d172ae93e1",
 "type": "eql",
- "version": 413
+ "version": 414
 },
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.14",
@@ -3867,40 +3884,50 @@
 "8.12": {
 "max_allowable_version": 213,
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686",
+ "sha256": "9156d62db12466eaacc5c148af5205afdccba699bacc8d950d5d34aa5b2df532",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "8.13": {
 "max_allowable_version": 313,
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "7dbd101cfc60e0f4febc19c31533e12bb0a1abb9ecb7563306f9f11e42d65fdf",
+ "sha256": "dd1b2492ffdf8c527d2d87c4912e2cf19379fed1f522ba7e4db9fcee5d00d046",
 "type": "eql",
- "version": 214
+ "version": 215
 }
 },
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "efc4be7065fb21dda602cb05f908b052088f468c4d5895557352b0bb7b435b0b",
+ "sha256": "d19835254ddf472acf6a543dbe42f0a508febba6db3f7f41149edfda7b57673b",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "rule_name": "Unusual Linux Network Port Activity",
- "sha256": "c9f2e221dc5c9b631010dd7a284367f67e996150f41da955b0bcb0608b3c0358",
+ "sha256": "c64036bdf9d9943178534e62dec4700829eb822cd497d08d1ac1d8f838d9d342",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "3c9f7901-01d8-465d-8dc0-5d46671035fa": {
 "rule_name": "Kernel Seeking Activity",
- "sha256": "26c46bd62ff0d516a55fc08e17a9f41f3409d3490f4e6eb2c8204567f91e39f1",
+ "sha256": "647988b210c60c004ffe25efb4cce91136936f1cd83245f9f2b502058e6a2f02",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
+ "min_stack_version": "8.13",
+ "previous": {
+ "8.12": {
+ "max_allowable_version": 102,
+ "rule_name": "Unusual Pkexec Execution",
+ "sha256": "39004fc8c21df3175d05b13e4a85cc34c55f385af7ce819312b04b1a4df1148c",
+ "type": "new_terms",
+ "version": 3
+ }
+ },
 "rule_name": "Unusual Pkexec Execution",
- "sha256": "f881f99cc51d27e19d500ed2de935f93246a9867a31fa8c9131db09d72eee2fa",
+ "sha256": "72cce527b0f0efd2f300fcd93f1c0273b4fd5476d6771008722109e0923882a1",
 "type": "new_terms",
- "version": 2
+ "version": 103
 },
 "3d00feab-e203-4acc-a463-c3e15b7e9a73": {
 "min_stack_version": "8.14",
@@ -3908,22 +3935,22 @@
 "8.12": {
 "max_allowable_version": 101,
 "rule_name": "ScreenConnect Server Spawning Suspicious Processes",
- "sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86",
+ "sha256": "2b9c1287e301ff5273bf46bd4bc28af19a2c2e647f220ca8e0852fb643de0ebc",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "8.13": {
 "max_allowable_version": 201,
 "rule_name": "ScreenConnect Server Spawning Suspicious Processes",
- "sha256": "73219570f39fd74e63d334cf190ecad1456cf55d17635400acccced12f4145db",
+ "sha256": "cb777b967e2bef0af6adc011736d39ada2837c23d819ee51dde816731fa5a898",
 "type": "eql",
- "version": 102
+ "version": 103
 }
 },
 "rule_name": "ScreenConnect Server Spawning Suspicious Processes",
- "sha256": "152d719bdeb4edfad363cab37bbcfc8cba76396e6167e9191f3cee7e4ea76042",
+ "sha256": "f87fa55947db415ecfae1427203360803e4bb8d727b1e46383b1f6478f252bf5",
 "type": "eql",
- "version": 203
+ "version": 204
 },
 "3d3aa8f9-12af-441f-9344-9f31053e316d": {
 "min_stack_version": "8.14",
@@ -3943,9 +3970,9 @@
 },
 "3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
 "rule_name": "AWS SNS Email Subscription by Rare User",
- "sha256": "3782f3b4a3f1178ef89a11153e95f81c46ce674abc47b6c266753a0216a05c5c",
+ "sha256": "0845930f3f6cca07e769a39389e06a1fea6d273cfaf4c9470cd1a04c34b9c947",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "3e002465-876f-4f04-b016-84ef48ce7e5d": {
 "rule_name": "AWS CloudTrail Log Updated",
@@ -3955,9 +3982,9 @@
 },
 "3e0561b5-3fac-4461-84cc-19163b9aaa61": {
 "rule_name": "Spike in Number of Connections Made from a Source IP",
- "sha256": "12c6038b69842f3fafbe9f2dd9630e0d41734d2b8678ebefe442944fe4a7595f",
+ "sha256": "0c33ca9283c1c2552060c3b5000ec87d338048cd715f4e7be2d3fdefe8a28fc0",
 "type": "machine_learning",
- "version": 4
+ "version": 5
 },
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "min_stack_version": "8.14",
@@ -3965,40 +3992,40 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
- "sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de",
+ "sha256": "c0609df66a0848dc19f078200819edba894a861449ad572c19d8eef041240566",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "8.13": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
- "sha256": "80ec99e7e9c7ceb86a2819a92409d1afbf4232a8603b961b1c2a06d3d5fec295",
+ "sha256": "89a4b41e934b13c0e79392e7730805f3e18c7d8cb6c3121b8b54b69a1aef8450",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
- "sha256": "ed255a3528818035e55fb704799e92c28c150eb25062d2a1f17bcb57f7606766",
+ "sha256": "c7ce8b4413d99ed660c419bd822448ecdb2bb29f85095afc3954b5b698f0510e",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "3e12a439-d002-4944-bc42-171c0dcb9b96": {
 "rule_name": "Kernel Driver Load",
- "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc",
+ "sha256": "383925a7469fa24f12272515f90f29aa907b908a1f8cec676765b5c5cc5155d3",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "3e3d15c6-1509-479a-b125-21718372157e": {
 "rule_name": "Suspicious Emond Child Process",
- "sha256": "b6aae2c2f1319d6dfcfceea3d42f2c90a421b25587e321a4bcc543da9488b064",
+ "sha256": "3cebf88aa246878db291a8148f143b3c0a07f8319cfd99c30942934db57c8a0f",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "3e441bdb-596c-44fd-8628-2cfdf4516ada": {
 "rule_name": "Potential Remote File Execution via MSIEXEC",
- "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684",
+ "sha256": "66d3c7048c18aeeae2d032d26dcdc294b41eb32679eb445839815f7fcf66e4a8",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
 "min_stack_version": "8.14",
@@ -4006,22 +4033,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
- "sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864",
+ "sha256": "5e547726d704a4301dc4615b98d9b7ad1f182d5cc3aedce53b9b6b8185aa41eb",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
- "sha256": "495df18eb2e7fce9cab92e0daa1a6fc851b024af00ffe18364998f6349b22c9c",
+ "sha256": "5185ebda64142769dbcbdea022b195c73dfdfaa284fe60c4447cf57b4ce31119",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
- "sha256": "b3772a465fb94393a11a17110e5399564938138ce5e9a99952cecc8c7740c048",
+ "sha256": "767b7b4563a4fb94ee651353066ae8d1b66db8074cbafea2af6ee54fa111fb1f",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
 "min_stack_version": "8.14",
@@ -4047,21 +4074,21 @@
 },
 "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
 "rule_name": "CyberArk Privileged Access Security Error",
- "sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a",
+ "sha256": "1a8ce0d911498f3340f7c6af2471615c1614881de45680175490600cd63fdad1",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
 "rule_name": "Potential Protocol Tunneling via Chisel Client",
- "sha256": "4cf0ffba6ff6f1228756a6782ad1152b613568a74869d6299a2bedf9881f9420",
+ "sha256": "e3e1a89317aac3d3163e762c015186ff6195e391a1d3c206d9ed54926a2cc6d0",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
 "rule_name": "Binary Executed from Shared Memory Directory",
- "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d",
+ "sha256": "ec3773996957cf55b8cd5ac6098d1fcd503543308d70f1848e13577fa9dafef3",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "3f4d7734-2151-4481-b394-09d7c6c91f75": {
 "rule_name": "Process Discovery via Built-In Applications",
@@ -4071,16 +4098,23 @@
 },
 "3f4e2dba-828a-452a-af35-fe29c5e78969": {
 "rule_name": "Unusual Time or Day for an RDP Session",
- "sha256": "da80ff0e6020c1f4b703d597ce09ad294629d13d57cddce31f7eac0eb7d51f16",
+ "sha256": "19b368441d2d3df9e36cec3f78601af029ba7a4ad96080e8a8a260e0062e4014",
 "type": "machine_learning",
- "version": 4
+ "version": 5
+ },
+ "3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
+ "min_stack_version": "8.14",
+ "rule_name": "Command Execution via ForFiles",
+ "sha256": "a07d79ae3c7704e2254a7b3acfbb61cb39794537180723d6f351c719ecbba5e4",
+ "type": "eql",
+ "version": 1
 },
 "3fac01b2-b811-11ef-b25b-f661ea17fbce": {
 "min_stack_version": "8.13",
 "rule_name": "Azure Entra MFA TOTP Brute Force Attempts",
- "sha256": "1a4b33f58f3f5e8119f8fdac2f49f61b75eb76cc5b91e8be6045078961c6f24c",
+ "sha256": "096663ac4f2f65728b65859267b7a5df52cae07f45541fc4df53d7d2c0162a1c",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
 "min_stack_version": "8.13",
@@ -4088,15 +4122,15 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "DNF Package Manager Plugin File Creation",
- "sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc",
+ "sha256": "fac0417f4ce9d3dd3a95c48c5bc2916286db6bc572c8a5e31160761ffae8cf56",
 "type": "eql",
- "version": 3
+ "version": 4
 }
 },
 "rule_name": "DNF Package Manager Plugin File Creation",
- "sha256": "1aa2a1b1eca396c2a3f70bbc52d318ee9f31bda76398c543d78e25726cb02d3e",
+ "sha256": "9720e2ceb0deb64ad3773f7fb220ced4722d2586e68fffe60616480b49faf4c5",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
 "min_stack_version": "8.14",
@@ -4104,15 +4138,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Unusual Process Spawned by a User",
- "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
+ "sha256": "224877a0c6c75c03df527910da6a040b10e978b5277a900b3a5ebd606e5dcebc",
 "type": "machine_learning",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Unusual Process Spawned by a User",
- "sha256": "201e146529ae1e7eeb0af4b0bc377ec5381676db3b1d5027332f45a8027f195e",
+ "sha256": "c26260d1977bf5bdca1f886c44ec9eb78f3a2a3f006f7c578474c60debadf653",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 },
 "4030c951-448a-4017-a2da-ed60f6d14f4f": {
 "min_stack_version": "8.13",
@@ -4136,22 +4170,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a",
+ "sha256": "f1c3d405ae61b94497a8a3b5ee7ad7b72dcadfec716c42f2975f6e18b624ec88",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "189be13789b4fe9c8186eb9792601f98902e9e4f771519b7b2fa1a3730ac9783",
+ "sha256": "a73f4f5a3392e6fdcae94374c133aa55cd47a2a5f09dbd25ddec84a3f5d3f29f",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "d4f0b0b8e409cfc73e748281d83319870c4576cc95f3859d8935524d3bc92af0",
+ "sha256": "5e43f778807201218a8a3cd2b8d33600b9cad394bf1d10a1a6a2bb8219170ffe",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
 "rule_name": "Suspicious Modprobe File Event",
@@ -4165,15 +4199,15 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Unix Socket Connection",
- "sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0",
+ "sha256": "66104dc588552246b0806f00f248c812a63ff54ca038949740267b9b913b3ec0",
 "type": "eql",
- "version": 3
+ "version": 4
 }
 },
 "rule_name": "Unix Socket Connection",
- "sha256": "48a869a44950954d5f8f9e7e503bc71a3aef2f85baf249208f3562f525347ce9",
+ "sha256": "4e6ed5c689e74843dfe8eb79179c061375fa76071e31e878a498eb81896a3be0",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "min_stack_version": "8.14",
@@ -4181,22 +4215,22 @@
 "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Control Panel Process with Unusual Arguments",
- "sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72",
+ "sha256": "eb0e17bd095fd38ddf2c2ed71f1364ac981fb062c0fae437dd381d62debc8747",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "8.13": {
 "max_allowable_version": 311,
 "rule_name": "Control Panel Process with Unusual Arguments",
- "sha256": "ef575bc7d7acfcd5bbcb58ad8207b7e652bf99f488da62ebd21d3f1f263c804c",
+ "sha256": "158669641e518716cc54cccf172ae7f2a1640c5c56d8a13c1bfb3ec8b1099c39",
 "type": "eql",
- "version": 212
+ "version": 213
 }
 },
 "rule_name": "Control Panel Process with Unusual Arguments",
- "sha256": "00d4df4d402cbc68f54277c6595937da99601194d0c3c14f55b63bc2480f3d53",
+ "sha256": "291b11e58bc1c7474e180f4367210eb8d6c53f5f2d722ba277a503097991353d",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "41761cd3-380f-4d4d-89f3-46d6853ee35d": {
 "min_stack_version": "8.13",
@@ -4216,40 +4250,40 @@
 },
 "41824afb-d68c-4d0e-bfee-474dac1fa56e": {
 "rule_name": "EggShell Backdoor Execution",
- "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb",
+ "sha256": "f97c48740ffa8df05329c651c9620651fc36b543d6cdf582bec60f4945539c70",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "4182e486-fc61-11ee-a05d-f661ea17fbce": {
 "min_stack_version": "8.13",
 "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
- "sha256": "fe2c4a17447305354c8b9fb488d5c6fb13c563a31ab9baa5f8e4c630c4ab21dd",
+ "sha256": "f5901faceadcddad30aa0d48e7489446e561374f349a4bacaf544f9c5c418f6c",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
 "rule_name": "Potential Hidden Local User Account Creation",
- "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a",
+ "sha256": "777ea9757b7d3052124e6cc8d8748e0f0b03cc82e8c82535853132c99389a688",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
 "rule_name": "Mount Launched Inside a Privileged Container",
- "sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d",
+ "sha256": "b1264c8dba37013a036a37be5f2224231f056b698da7eacb55869127c98aa729",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
 "rule_name": "Interactive Exec Command Launched Against A Running Container",
- "sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063",
+ "sha256": "ccaeaaf1218304a670c49ca863e898fd726c57156474f56613921232d21d71a2",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "428e9109-dc13-4ae9-84cb-100464d4c6fa": {
 "rule_name": "Login via Unusual System User",
- "sha256": "66fd861d1fa983a1abce1672b26a0ec424f5021eadbd38113c20cf070607a573",
+ "sha256": "98d6ad1428c6a1aa6239bfa75936d88f18749d6fb33d148792889108ee6f792a",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "42bf698b-4738-445b-8231-c834ddefd8a0": {
 "min_stack_version": "8.15",
@@ -4257,22 +4291,22 @@
 "8.12": {
 "max_allowable_version": 310,
 "rule_name": "Okta Brute Force or Password Spraying Attack",
- "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8",
+ "sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a",
 "type": "threshold",
- "version": 211
+ "version": 212
 },
 "8.14": {
 "max_allowable_version": 411,
 "rule_name": "Okta Brute Force or Password Spraying Attack",
- "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8",
+ "sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a",
 "type": "threshold",
- "version": 312
+ "version": 313
 }
 },
 "rule_name": "Okta Brute Force or Password Spraying Attack",
- "sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669",
+ "sha256": "7de53603ee4b0fe24f98d5eac198e89c58e92243d6a6e67795968369a9fff2a3",
 "type": "threshold",
- "version": 412
+ "version": 413
 },
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "min_stack_version": "8.14",
@@ -4280,21 +4314,21 @@
 "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Process Creation via Secondary Logon",
- "sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257",
+ "sha256": "91d70e5b1107013dad8be7bae393bcca1047e1bba36313312bcf1ab8865abe14",
 "type": "eql",
- "version": 10
+ "version": 11
 }
 },
 "rule_name": "Process Creation via Secondary Logon",
- "sha256": "6674dfbc494de648492942264a74378878bd65349a373567ab79725690c27aba",
+ "sha256": "0a1002224da121ca30f21a8dd641d8128a10f7113c132713aafe7cb287e82fec",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
 "rule_name": "Unusual Login Activity",
- "sha256": "fdcb136029096fba35b1435354f3b4a22f6dcab41a79c2096a9f6a69530cf553",
+ "sha256": "eb323bc47a138a26bc5bcd92f8c25da588ca83b5b8dd6a8e7203111d13961caa",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "43303fd4-4839-4e48-b2b2-803ab060758d": {
 "rule_name": "Web Application Suspicious Activity: No User Agent",
@@ -4308,15 +4342,15 @@
 "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e",
+ "sha256": "9ea5cc7a7d60adf681ee39ab6a1c142f5864ce9d989756808a78d1d00b5e0a1f",
 "type": "eql",
- "version": 8
+ "version": 9
 }
 },
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "f1c6054713eb3ad3792dee7d6aea237da18cf74fab7306e92ee2065db3607361",
+ "sha256": "aed1e55bff87f141c5ea1dd5d2bd5453a61f1e0d72d2c26f2e961a0107d1be5e",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.14",
@@ -4324,22 +4358,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Startup Persistence by a Suspicious Process",
- "sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77",
+ "sha256": "3093b3093e9dfac5593dd9dead91b15345100e95d1bca816d602302c4ad03332",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Startup Persistence by a Suspicious Process",
- "sha256": "55097fe7650ccd542aec1b7f2aa6cbd2363a7907f40ad5d19c69854a09f8a21e",
+ "sha256": "83e9d41fa1688f6e43f49b8f90e227adc1faa9a2cac3db9e262c7d452e68bc6e",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Startup Persistence by a Suspicious Process",
- "sha256": "d22e1212d466beeea462d473302315e0145664ef7364a5d7055e1e499b1d1543",
+ "sha256": "c0608c95611f1a89e093cb3a0b2080c46a012ec91358883418506af1cd874eb3",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "445a342e-03fb-42d0-8656-0367eb2dead5": {
 "min_stack_version": "8.14",
@@ -4347,15 +4381,15 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Unusual Windows Path Activity",
- "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94",
+ "sha256": "67bd807b50763f06dc6861bd1b4a7ad996afbb5766a7dc22bec1762999b6b281",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Unusual Windows Path Activity",
- "sha256": "041957d983301e74d0e06438e1ee8ac7badf8dd542f3a501ad94e29ad6bf27e4",
+ "sha256": "0c67162e07a41a693f97af4942752d9557c76b058a4fa0df6be8777647152a80",
 "type": "machine_learning",
- "version": 207
+ "version": 208
 },
 "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
 "rule_name": "Potential Masquerading as VLC DLL",
@@ -4369,33 +4403,33 @@
 "8.12": {
 "max_allowable_version": 110,
 "rule_name": "Multiple Vault Web Credentials Read",
- "sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a",
+ "sha256": "e05edd0663a23b3dc3d0dd5f2131a31dd196f6d5357755443093cbb8bf3ea29c",
 "type": "eql",
- "version": 11
+ "version": 12
 }
 },
 "rule_name": "Multiple Vault Web Credentials Read",
- "sha256": "05a22c3ee9741e987667e6487211254de88c897b90832c45430c18a6b4582a38",
+ "sha256": "5fe1ae3d15fd72cc199a3ad6e01a42350d17065a06bc1bb2e3dc03455fe8b873",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "453183fa-f903-11ee-8e88-f661ea17fbce": {
 "rule_name": "Route53 Resolver Query Log Configuration Deleted",
- "sha256": "fe85472e289bd363341d59f4b9a362e21110fd6fb58902f400f3575b09f612a0",
+ "sha256": "bca21aeb358e7719e930c2792a3c5b1b899b86341952c8e0acf0f7a4fa84d36b",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "rule_name": "Permission Theft - Prevented - Elastic Endgame",
- "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a",
+ "sha256": "bc6f767d4be0de3156f54c606bcf218fc712696406e84ecd976a907d90c156bb",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "4577ef08-61d1-4458-909f-25a4b10c87fe": {
 "rule_name": "AWS RDS DB Snapshot Shared with Another Account",
- "sha256": "bc96c80774873e20fc93cc0aeb3cc34e08ce5f4b3109b4218de43a44228be7ed",
+ "sha256": "ed499f9d7399c1be4f54417888b74be031a5b50a48b1d7c68b8caf33c4e24d44",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "min_stack_version": "8.14",
@@ -4435,22 +4469,22 @@
 "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f",
+ "sha256": "40e7e669f1d9642518565d307ffc5b75f32bc59dbc783bf57db3e2375b38c647",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "7ad3e21c453191513dfe0e226519ce81d8d70e633876b9c5c611b097850e5c22",
+ "sha256": "e08df69ea36b56a927183010b7fbfe8e60d6c949a5489a3cfc82b7e9f45a3af0",
 "type": "eql",
- "version": 213
+ "version": 214
 }
 },
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "911870b02ee518a2da8c3f8f090cd4b295555c15a1be6cd1ebc0aa8b569b12e6",
+ "sha256": "7546574a8ca4d5b8c758c17fb1658b2b1abbed196bd8d2090721d8efac0ec65d",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "4682fd2c-cfae-47ed-a543-9bed37657aa6": {
 "min_stack_version": "8.14",
@@ -4458,28 +4492,28 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e",
+ "sha256": "9220e8499f32c72c36f2717e2499061f06a342f3e277f61283527351218c1329",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "70ebcc9b4db135969838d698ab1670f702ef00ddc29111226b7fa8d6b0a95f7e",
+ "sha256": "a2c4ebd5c69128fb78c6779664f8db208871ddc836b4b5854a0cd479429cd1af",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "ef467b076c584bc58e0fb6a3391048706f314e25ebb970eb1c7861eaaac4eacc",
+ "sha256": "3b0c27765337c2d89b8c6b82102d1f32fda82841806112bc4ac4d54c7d5ec5be",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "rule_name": "Unusual Process For a Linux Host",
- "sha256": "816980152a0f36cc1d798d0b07b1c2c7814d4362233efb481d1f0525d8705fb1",
+ "sha256": "6cefd4c22a36577834d4d834fc5c1929fed830cef4703c1df262425f4f6b2cbb",
 "type": "machine_learning",
- "version": 105
+ "version": 106
 },
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "min_stack_version": "8.13",
@@ -4487,21 +4521,21 @@
 "8.12": {
 "max_allowable_version": 112,
 "rule_name": "System V Init Script Created",
- "sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034",
+ "sha256": "c38ce796006c8f39b82f0922d30cc71ddfbe8de3d7e7fa13c58947169f07dab2",
 "type": "eql",
- "version": 13
+ "version": 14
 }
 },
 "rule_name": "System V Init Script Created",
- "sha256": "75707b6e1215c02b5b333be4caefad14917a87d8d0d5b38a18c346eb857ba622",
+ "sha256": "30cfadc148e90c2cfc4382b7c085885ddc67f47211258ad9e8c35e63fb80d117",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "rule_name": "Sensitive Files Compression Inside A Container",
- "sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939",
+ "sha256": "dc24c07ba236a3bb8628763095daaad91b96ba4e6d7905cb1ef854665513ea6c",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "476267ff-e44f-476e-99c1-04c78cb3769d": {
 "min_stack_version": "8.13",
@@ -4509,15 +4543,15 @@
 "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Cupsd or Foomatic-rip Shell Execution",
- "sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01",
+ "sha256": "725b79909f3f199afec5b728eac38e0b2be9545c1c9fb3963576649af48a2e7a",
 "type": "eql",
- "version": 2
+ "version": 3
 }
 },
 "rule_name": "Cupsd or Foomatic-rip Shell Execution",
- "sha256": "ee6cc99ccb00b4e64d3f60240e0c12a4355d9c77cb1bbdc35e834683ff68f85a",
+ "sha256": "f31488d82e4159063e7e92fa484c6c5f2b0d7c8287a8fb02adb790ef55d6242e",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.14",
@@ -4531,9 +4565,9 @@
 }
 },
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "24516e60132d4debae6058458462d958f659d37c82f6f68ae24cb1af134fa428",
+ "sha256": "de0bde89f44173a386cd38d4dd5c6e02a3fba6f877fd803f6e7e9108d609dc51",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
@@ -4543,9 +4577,9 @@
 },
 "47f76567-d58a-4fed-b32b-21f571e28910": {
 "rule_name": "Apple Script Execution followed by Network Connection",
- "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a",
+ "sha256": "27d113fc9dd74c3da88815021fbd3a91cad66fb4959ca57d5033e135ddf75d69",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "min_stack_version": "8.14",
@@ -4553,34 +4587,34 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f", + "sha256": "cd78c0361c8ca0f7334582409bb0bd2d14c582ec978c231bc26932cbd1a614e2", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "03e1e388a616fd76a913bb276b36b25a9a92ad0d3421a55ca134c175af61f971", + "sha256": "a1ebcfed8cf45331acadbd7adebe5f1eb37206754cdedcbe980c8b27bf0fd178", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "927864e2de84459226772454150dfa72d9134da990b83c7f61d2f4621e2bd541", + "sha256": "ed365c174fdf3dc7616909685c4dc4cafc7d521448ef6e96bb2b224ee25fdf54", "type": "eql", - "version": 311 + "version": 312 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", - "sha256": "33e3379959ca6f93326f5069bb4e5104c77c30f399d41fdb0108d3f4de3d7444", + "sha256": "a396e648dc8058d8a7af3f97d34c5784cc2e81b5a1e4616f31edc818a101ddc9", "type": "new_terms", - "version": 107 + "version": 108 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "rule_name": "Potential Reverse Shell", - "sha256": "5cb666b8db28f6ef91c652488905003a54f688578c1a34017e77b80bc87c153a", + "sha256": "fdc6ca399ab1cfd315850c7822e7120a2710979cfbe329ca647b659fcf62ddb4", "type": "eql", - "version": 9 + "version": 10 }, "48b6edfc-079d-4907-b43c-baffa243270d": { "min_stack_version": "8.14", 
@@ -4588,39 +4622,39 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f", + "sha256": "787f60363fc9c42dd87f5774f5a6f219c201d492323d12dcfc3ec5d06acd4d02", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "50742a90a9cfc7318d787fe297c644ba6ff7658ae59bda3650452a451ed3969c", + "sha256": "db4dd0177df2c0fbba77ba531c3f6f51c0724b44ea31fd2e84ca4cf2536f6b5f", "type": "eql", - "version": 110 + "version": 111 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312", + "sha256": "4be8032dbbeecc1497aff05372e2139e72011b598bc146763878eaee2be2a499", "type": "eql", - "version": 107 + "version": 108 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6", + "sha256": "070bc3d77b85c97628a5f7626bba0e95d76cf34954f5db82e4abbdd323126b88", "type": "query", - "version": 106 + "version": 107 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "rule_name": "Remote XSL Script Execution via COM", - "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", + "sha256": "986c22f239fcc3d437e58dcb98df458a9d9435c5f561c9da3628425f6dcd591f", "type": "eql", - "version": 3 + "version": 4 }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "c43d7caff55a0e669d84e34d8cb65261d090952151144bb98ddc066fb35fb251", + "sha256": "6144987feeea5f57fa67484e121452ca28b0a522c8ee105f48e14de7fd4ef115", "type": "threshold", - "version": 102 + "version": 103 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { "min_stack_version": "8.13", 
@@ -4628,15 +4662,15 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "5a9dab10c85e4612a211b8a0462ad02f3b63ea8ebe7964113b4fe4c6cf0ade62", + "sha256": "e9fba7cb50d7c0edfe213e52665e64b9fbaf596bbc274d66c2677a16b6524e00", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "41858fb1b885aef0b0a2aee2353ba70f43841b18b6fab7efaa3f142a61b7db9f", + "sha256": "bffeae97a26ace150963159905c7c1cb2d3dd3aa299db431b4b0844567c257b9", "type": "eql", - "version": 108 + "version": 109 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "rule_name": "Application Removed from Blocklist in Google Workspace", @@ -4668,9 +4702,9 @@ }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "340f1c9b6d0d92fa721456ed567e265ee5b0b193bb96bea2145541912b19c536", + "sha256": "df02c5a18062b26bd791e0bc8b97a58b4d463df63e0d16dd6352edde4318c54c", "type": "query", - "version": 106 + "version": 107 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { "min_stack_version": "8.13", @@ -4678,15 +4712,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea", + "sha256": "2bfb9d1c293185db7cebfaf6649ecce4d26ca6bd6e8f6fb252e811960272d4e7", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "1a3a1dd2c62931e4f4219efcb21815a2873f452e37b5a43a99bc6c1097e5456c", + "sha256": "fbc9b003a74a72df517c09f83f2629428a29346428ee3311faa27da6614488d3", "type": "eql", - "version": 105 + "version": 106 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "rule_name": "Potential Cross Site Scripting (XSS)", 
@@ -4725,9 +4759,9 @@ }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "rule_name": "Container Workload Protection", - "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24", + "sha256": "b58a5fb3b121b08852cc186827479ae739d8b155cf8c9d12dbd17fa70d9fd74c", "type": "query", - "version": 4 + "version": 5 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "min_stack_version": "8.13", @@ -4735,21 +4769,21 @@ "8.12": { "max_allowable_version": 103, "rule_name": "ProxyChains Activity", - "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3", + "sha256": "6d2bb84fbddf0c3a063f3b83fe3182017edbe19020c1e1dafc558ec07a767a0b", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "ProxyChains Activity", - "sha256": "50873c947464e5b7e0f7bf3dc3cf714ad8cb4afc0b467858fac06331df2723f1", + "sha256": "7b6c538ea2e93784ce64d2a04dbb00ddbc28aac92ab6008312821b65a46d8717", "type": "eql", - "version": 104 + "version": 105 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { "rule_name": "Unusual Process Writing Data to an External Device", - "sha256": "d5d28b9af1ed399604eb5bc1744453ce1f5dbc4839e7650ccf12c30616fe3d07", + "sha256": "ed51342a669aca3acd05b70564dd2b6c9e0ff02f83266d5665ef6dca3851a6c7", "type": "machine_learning", - "version": 4 + "version": 5 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "min_stack_version": "8.14", 
@@ -4757,28 +4791,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", + "sha256": "c6c357f72dda9ad192ec0f1297502bd068bf0cbdcc97ab58e49d86e7cfdde988", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "dd78ff329788e32ccfcd11f3331174f609f2a0b868ccfbf47b8d997dbfd30096", + "sha256": "57c2b49691db8ebbed599f9985cf9d43545ea46a7e458dd4a28bd20f0f0476ca", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "fdac8198180b87285d0dce793712e89ac9bdb36ea90ce122de8f4b1095c4dd6f", + "sha256": "724c9eb77e876a0609dca7f377c3b888ee71c8ace7316e67235b6399e7dde6d3", "type": "eql", - "version": 310 + "version": 311 }, "4c3c6c47-e38f-4944-be27-5c80be973bd7": { "rule_name": "Unusual SSHD Child Process", - "sha256": "482163bba1d5afced4faf24a38e7ed0317164468a4faf3bcb8ecb58d21024320", + "sha256": "1563951eaa26040f25dcd3eae36d9f46c9bdcf45a6f24398ce7a7fc4382da092", "type": "new_terms", - "version": 1 + "version": 2 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.14", 
@@ -4802,27 +4836,27 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77", + "sha256": "d477a1c1cf4b80c1c4b058813b66f4952e183bd224d21bd44d145c7845ff027f", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "9fac7bb1e34b314d0950b254edfbcb8b0035486525df4e2fc5b9e9cbb65785b1", + "sha256": "276e07ad6386011b5ba83107e7f863831a18b2c1b755a679005768a02b1d9f6d", "type": "eql", - "version": 107 + "version": 108 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", + "sha256": "189ef68f8b1654ea9486b7831d9a69f4b42554453426d0d7531fe7052cd96756", "type": "threshold", - "version": 207 + "version": 208 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba", + "sha256": "37d2ef8b050dfdece62cbbe06bc676f8199d5b4f1fddca44de9748f463a2ad80", "type": "query", - "version": 106 + "version": 107 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "min_stack_version": "8.14", @@ -4853,15 +4887,15 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8", + "sha256": "f68db77a65c50c4489742ca308f8beef345bcd834e6782fd47c79d47c4cb7af9", "type": "eql", - "version": 11 + "version": 12 } }, "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "7b0176c520ea313b2012e6843edc760f64652558471e6f971e2b6d86d90116df", + "sha256": "b8743c73288c176d82f7c326f655ad546ca945eaabe141bf1da60e5f045481a0", "type": "eql", - "version": 111 + "version": 112 }, "4ec47004-b34a-42e6-8003-376a123ea447": { "min_stack_version": "8.13", 
@@ -4869,15 +4903,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", - "sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38", + "sha256": "26c209b252768d129ab5bccfb4006456a5cd64d7ed097dd81d513beb333d8d7e", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", - "sha256": "37e55cdb7d8b2334bc54fc6a9a492d1dffe8309b0ee44811480a42ee01190bde", + "sha256": "f680d6c8ee7249b89249a6710ce30801b2c982cef68f015538d7cfac8430cc94", "type": "eql", - "version": 110 + "version": 111 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "min_stack_version": "8.14", @@ -4908,15 +4942,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Script Object Execution", - "sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f", + "sha256": "d03461949ea02ae5d1a9afa32408fcc350c90751725cecedddb19bc153f58ba7", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Suspicious Script Object Execution", - "sha256": "87be064ac19c5ea66f69f2e2387eea0c3cd7bf236626285df2b76b760f408845", + "sha256": "21d6ca38910e536e9886d360bd1cfe63932e9d4036a7d6a26af4708806dfecdb", "type": "eql", - "version": 209 + "version": 210 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.15", 
@@ -4924,35 +4958,35 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", + "sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", + "sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd", + "sha256": "d92cb4bcc5aadaea4dc0e6b7b35a1bf6e2ae910fa754432faf4dfb96696001be", "type": "query", - "version": 410 + "version": 411 }, "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "rule_name": "Kernel Unpacking Activity", - "sha256": "20d605e52736db120b290b4b7629c450f6b3d0a127d68f5aea96d3002df522eb", + "sha256": "d10bf82f2f2925d3893f3170c4824f6e0cd1c812c901dc8fc256f113e735498e", "type": "eql", - "version": 1 + "version": 2 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "min_stack_version": "8.13", "rule_name": "Unusual High Confidence Content Filter Blocks Detected", - "sha256": "b7158a40dd8e99134d485c6d09a2aebc63453ffe622fb446d43f1f4d20247a0e", + "sha256": "c2e729e23f37d687504d5c86cb91f01a1d9363cd489f06a54723e557f02903cd", "type": "esql", - "version": 5 + "version": 6 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.14", 
@@ -4960,22 +4994,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2", + "sha256": "02b2a3c16d505ff7b41a860c6ba3587cf4376a57a4dfb1d8af17d0620d4dea7f", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "8fcabaf421ead8967729841048f4304562f4719e3d0b887656122fe831a43b9d", + "sha256": "186e25b241af067c22b65d97a6746b5a72b63e2aad403893a00ef3b7d39b1982", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "72eaaba3e4541c4b67787d99cacc0cc2a13b0947f01563d4fb97ee7c1b5230df", + "sha256": "133dd8bfb660f0ac4114ee86831af289b29876b1e47d9868ae4380002e493545", "type": "eql", - "version": 313 + "version": 314 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -4983,28 +5017,28 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", + "sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7", "type": "threshold", - "version": 5 + "version": 6 }, "8.14": { "max_allowable_version": 205, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", + "sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7", "type": "threshold", - "version": 106 + "version": 107 } }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408", + "sha256": "6a554290e7a84ccbd18f8a19971e557ac7a9838d92308436ae1252d215f09d94", "type": "threshold", - "version": 206 + "version": 207 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", - "sha256": "92832a1d67cc61df5e937f62a495aead9cfcc980486b8d2b754f3416427265aa", + "sha256": "16bcc4e20cbecdeda51970a7c080df121c8c49778592fd2b3384519d93b21280", "type": "new_terms", - "version": 1 + "version": 2 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.14", 
@@ -5028,15 +5062,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Hidden Files and Directories via Hidden Flag", - "sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9", + "sha256": "48ab779e161fbd3bfc978ec8def0e6511023cebad2f6c5874cc71cd14d2da1d4", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Hidden Files and Directories via Hidden Flag", - "sha256": "daf596f6901bee71cb114cdd3ba6d93425bf62553a144a91ea77214278402800", + "sha256": "b73939a26aed301cde9d16fd437a77e325a4393d91a96a981d2fb92dedb61b74", "type": "eql", - "version": 103 + "version": 104 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.14", 
@@ -5044,34 +5078,34 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", + "sha256": "13b9667f77ece11fa75c760717a7f1a7474e6cf3583c6d428b0b835bbb79c161", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 411, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "12362423f221d5f78a62ede69455b6acc8926caeb7057ac6af76e9e8663839a1", + "sha256": "4605f205b084980b9052a6f82ff9ace18abaddddba5a0901b25ee42d0a048865", "type": "eql", - "version": 312 + "version": 313 } }, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "6888e4d8dc2ffc69e0f3b29e7601596b7ed396f3071eb3bf4b22614aec126f6d", + "sha256": "a122de466303b9918efe6f15d1a658addad361829c6bf7d515d823a75eb19a2f", "type": "eql", - "version": 412 + "version": 413 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", + "sha256": "f5a4de0b0ac06eb1a69c2cb23b7f9d7b884a576168db1d956ef9ff6144c5756d", "type": "query", - "version": 206 + "version": 207 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", - "sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827", + "sha256": "5d8877660ac02415a7e931d15a718cadb7de72da25f5bcdc79d9fd493d4c71f5", "type": "query", - "version": 104 + "version": 105 }, "5188c68e-d3de-4e96-994d-9e242269446f": { "min_stack_version": "8.14", 
@@ -5079,28 +5113,28 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Service DACL Modification via sc.exe", - "sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d", + "sha256": "0103f881f5ee4e7c9d82ed15157325d5b5a58d4e397d6367d4da02bbf8ce0034", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Service DACL Modification via sc.exe", - "sha256": "bb0ebdc1eaa518a43a85a25951a8d3bb5afc5efe28ed295961a00afbb0f048f4", + "sha256": "f3deede5cd5976b88fba9f4fe5814c558ca142f46001382dd888e8f1294a9892", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Service DACL Modification via sc.exe", - "sha256": "4966b4c68a294538d5fe7fdd895bf295a7b8220649477a2de843e07ffbbd038b", + "sha256": "2196b597b084d5ecbb13b0b17492f36f5b84dcca3a09a280a2e2d59035ac22bb", "type": "eql", - "version": 204 + "version": 205 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { "rule_name": "Tainted Out-Of-Tree Kernel Module Load", - "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", + "sha256": "097a5bc6720f07acfae2d20f11d9a717f1fe350cf94d7145adaa481146c184df", "type": "query", - "version": 2 + "version": 3 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.14", 
@@ -5108,33 +5142,33 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", + "sha256": "341be9c43bad17537b54fdc7f40f8c156c772443e30caf8193c825ef8ae6e632", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "84c893dffd43871523001e934f53b55aa3560ab0e48927a519cc9890b21e6206", + "sha256": "98bc7f7c240e76cd9d3ecb1a5633fb0d68e571ceffa5569f91e5702c53b02d8f", "type": "eql", - "version": 208 + "version": 209 }, "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", - "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325", + "sha256": "1e7bfe4a829855d26e56d29a29a24edf68130b67fb19c38c807680c99f335d69", "type": "eql", - "version": 7 + "version": 8 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", + "sha256": "0d18d9439a5628f8f0339e9c968f779926c27addbf3835666f0b4312115511b5", "type": "query", - "version": 206 + "version": 207 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "fd77da125fda39b0791110d21e18fe7c21233971339f47f4d46a1f228f048839", + "sha256": "94dbbc192b8f9c9fb802a3785bc420e0f318b461c50fb90a879eca803aa6d523", "type": "eql", - "version": 113 + "version": 114 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { "rule_name": "Execution via Microsoft DotNet ClickOnce Host", 
@@ -5160,9 +5194,9 @@ }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", - "sha256": "55992af5ec9860d11678c489909dda9a45c32e993b83107a655b61fffe7b5fd1", + "sha256": "7705ae36b0bdaf932acba46ebafffb17e3e085213212f44314d4bcc79090bb04", "type": "machine_learning", - "version": 104 + "version": 105 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", 
@@ -5178,33 +5212,33 @@ }, "530178da-92ea-43ce-94c2-8877a826783d": { "rule_name": "Suspicious CronTab Creation or Modification", - "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab", + "sha256": "c30eb96fc6194d443c353229802bba9be8aaebc4e8abc78d2734cc5612fd49f1", "type": "eql", - "version": 106 + "version": 107 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", - "sha256": "31fdbcd1bcd6c7fd916a92c19c40e5cbe355a75a3b31c97758f5723d31bdf870", + "sha256": "dda8b86ee8d2dcee8026d296c9e5f313eaa3dc3d50eedfd6ae6e19c938486a92", "type": "new_terms", - "version": 11 + "version": 12 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", + "sha256": "e6c6dd49909f5672bab0d1d27d7ea1b5661d81198a9568926b30ca91064fbe16", "type": "query", - "version": 206 + "version": 207 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deletion", - "sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2", + "sha256": "8227f6204aca346ad00f70681a540b2e14358f63b3415da0a722d3fe8c4bf796", "type": "query", - "version": 102 + "version": 103 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { "rule_name": "Statistical Model Detected C2 Beaconing Activity", - "sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc", + "sha256": "9eafe3af498b5f504346bcbb44ddacf2157ebf9f7dc56a66e0f6512ccbcaa61e", "type": "query", - "version": 6 + "version": 7 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "min_stack_version": "8.14", 
@@ -5247,9 +5281,9 @@ }, "53ef31ea-1f8a-493b-9614-df23d8277232": { "rule_name": "Pluggable Authentication Module (PAM) Source Download", - "sha256": "4506697959db38106a2f20808c7650d71b4bb69ca921ecb433f9f7d437e1b418", + "sha256": "af9d57399895c1474ce02d98053dee54db65bf201345fb22036a0935476ec4bc", "type": "eql", - "version": 1 + "version": 2 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.14", @@ -5257,15 +5291,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Uncommon Registry Persistence Change", - "sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a", + "sha256": "44240eefb782b212aa0e92aa499c5c53a15dd47c2d5ccd8d5bbd7e730a2ced0d", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Uncommon Registry Persistence Change", - "sha256": "05f4e7d83a92a1aaed215be67f65efbc6491fca10438887f10a7d47cfb88c838", + "sha256": "b7dac84100da5dd86f5b3db2e97a9c0d5bbc086be021a8d71d6801723d7317ee", "type": "eql", - "version": 212 + "version": 213 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.14", @@ -5289,15 +5323,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Network Logon Provider Registry Modification", - "sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698", + "sha256": "c1d15e3f87d0c06656e38903de062e3f17bdbd3884c26fd330cb747036019545", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Network Logon Provider Registry Modification", - "sha256": "5132f31e51639151e91e5c3302b4650fc9f619e7eb892a051a03487eb3b5e62e", + "sha256": "dccddc93820e882a05daa4e44e2f269398b302098bbe00d5c1571ffd86581be4", "type": "eql", - "version": 213 + "version": 214 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "min_stack_version": "8.14", 
@@ -5305,15 +5339,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347", + "sha256": "339bd5dfcc9715aebb297d9e0f1c984616bf99c0dd887935f7b94a77c4b1889d", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "b6183b74d47d3cfe8b22dcff57a47da7713bc366002dbf9f7979a42bf76f6cc6", + "sha256": "d727778c418f5ff259d819e6c8c56cd07c2f086ea12d877c3379792b549ba948", "type": "eql", - "version": 211 + "version": 212 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "min_stack_version": "8.14", @@ -5343,15 +5377,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Host", - "sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098", + "sha256": "20041d45b1675b29ac029036acb9a791d296507da6fc2d342c22e8ae9d37add9", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Unusual Process Spawned by a Host", - "sha256": "fc15e14ff5e5b9a4e9791cd5a68b234418e8d305be7f057eb8a3d00248eac66b", + "sha256": "3910654eec2497e6c45f9eba623296d166de75f2bf26bf5f27f652de0fe602b3", "type": "machine_learning", - "version": 107 + "version": 108 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -5359,22 +5393,22 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", + "sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f", "type": "eql", - "version": 4 + "version": 5 }, "8.14": { "max_allowable_version": 204, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", + "sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f", "type": "eql", - "version": 105 + "version": 106 } }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00", + "sha256": "a19bb50cba9f9f404a82703239d5f7c37e59ce956e04da03adddfd9a4dfab224", "type": "eql", - "version": 205 + "version": 206 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", 
@@ -5382,33 +5416,33 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7", + "sha256": "4a4e70e7f50105c48f29f32d7d234cfa9538813b06309ce72c3dcd4a7a21a3e2", "type": "query", - "version": 107 + "version": 108 } }, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "1645e32bd9388cfedd1bbb52f9d608fa1f020e59df807c8c0a24d791979f2fc7", + "sha256": "2b4e8ce5e2579fc3644b048d0eefd8b6c9e8ae17c0eb9201191933d58be50dfa", "type": "query", - "version": 207 + "version": 208 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "rule_name": "Potential Admin Group Account Addition", - "sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9", + "sha256": "6f18cbdc2814670890459e8a1b80c7b8bfac998d71d67c250ffa5a3017a0a95e", "type": "query", - "version": 206 + "version": 207 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb", + "sha256": "a12b24ae6304c80c777dd5b7e120916781b2e76b2f09848e292a453d76cd5056", "type": "eql", - "version": 107 + "version": 108 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", - "sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a", + "sha256": "50c3afa5e3c557336820b41946ef7d0889d9f7002f614b9bc7a0f6216fdb24de", "type": "query", - "version": 104 + "version": 105 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.14", 
@@ -5416,15 +5450,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", - "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d", + "sha256": "9075bac2c658f9cd09ae5480d64a0005ed4877f273b113b12c5c9d38098e5c35", "type": "query", - "version": 111 + "version": 112 } }, "rule_name": "PowerShell PSReflect Script", - "sha256": "38589e5b42cc43f6e6b822a37057ab671b1596137a108e3c0f6275bbd7821ad1", + "sha256": "60ce649f4376763aa71d2a2bbe3126251aafabb204c1bd51614fab34b09fccd7", "type": "query", - "version": 313 + "version": 314 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { "rule_name": "Execution of an Unsigned Service", @@ -5434,21 +5468,21 @@ }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "65439f5e4fa7b0f4bbb310547d8239ea649d5818b5ac6338a7b358f2eb0c03ee", + "sha256": "5ee4cc1bef3bc0cbb466f51fc238d7ea3789de02607f24d664300a4cd08147f0", "type": "query", - "version": 105 + "version": 106 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Elastic Endgame", - "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234", + "sha256": "cef2f25973f7650fc0b3c4e6d49eb118a5216965cb85cee1568ac3a5e26bb119", "type": "query", - "version": 103 + "version": 104 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { "rule_name": "Azure Virtual Network Device Modified or Deleted", - "sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762", + "sha256": "398d5eb8f8ee0c1a9ca69806e64a8879579ab03f3e2f5a29a66c0da240018ab2", "type": "query", - "version": 102 + "version": 103 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "min_stack_version": "8.14", 
@@ -5488,22 +5522,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773", + "sha256": "7d36f22f3ea3b4008813322aadd11c5d337d890ad99892df41b2e3154c755ed8", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "6b33c63d553cab599384d2a06a3cbe2ce79ac5637431a647f3c0b0bd8930e497", + "sha256": "fdd70a684195301172c2093025954070437de67b7110b4c2fd82167df76f3b5d", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "566037aa998817fc0a251e782f43cec8f2037e67f0fdfe4fc54256563b8a8994", + "sha256": "c1df3f0030e17676949facaed1368a9f13c67cca442f5b94af0920ed85092de8", "type": "eql", - "version": 203 + "version": 204 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.14", @@ -5553,9 +5587,9 @@ }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", - "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff", + "sha256": "ccb0acf3cc1b30624083f57a468ae8f3d188ca69b2ae0551b5122b12e90e6b36", "type": "query", - "version": 103 + "version": 104 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "rule_name": "Potential Lateral Tool Transfer via SMB Share", @@ -5565,9 +5599,9 @@ }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", + "sha256": "c2dfdcdc1b0d76b1a905b8e67a67d188594bb8b4665a8c1750ce8e92714325af", "type": "eql", - "version": 111 + "version": 112 }, "5919988c-29e1-4908-83aa-1f087a838f63": { "rule_name": "File or Directory Deletion Command", 
@@ -5577,27 +5611,27 @@
 },
 "5930658c-2107-4afc-91af-e0e55b7f7184": {
 "rule_name": "O365 Email Reported by User as Malware or Phish",
- "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef",
+ "sha256": "81b57999573c8fb4a7a366594f25ae06a0af08d40dce604d87d7a8f30dd943fa",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
 "rule_name": "AWS CloudTrail Log Created",
- "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7",
+ "sha256": "57e2816be37db7fe8b97b74d890f5f1c173f9f98635f900fc0a239d93de116f9",
 "type": "query",
- "version": 207
+ "version": 208
 },
 "59756272-1998-4b8c-be14-e287035c4d10": {
 "rule_name": "Unusual Linux User Discovery Activity",
- "sha256": "ee20cd99bcb1d96c1b45a7497beed44d5f9a3ea2acd13f0bb8e35352cbf59909",
+ "sha256": "62cd203498ed5ec9c26690e7c2c202cf2cdb234c9be6a775889f5d2458744366",
 "type": "machine_learning",
- "version": 105
+ "version": 106
 },
 "59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
 "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
- "sha256": "5faad18f6e8089e38382a04e3ef367fc94f03c5bb03e1aacbdfdae133891e860",
+ "sha256": "c65dca5d2ab212399ddf5f197ae8f6b71543e67dc4c506edba0250e81a48ba75",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "5a138e2e-aec3-4240-9843-56825d0bc569": {
 "min_stack_version": "8.13",
@@ -5605,15 +5639,15 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "IPv4/IPv6 Forwarding Activity",
- "sha256": "0ac95528a079d01b7adeaa69e09a6ce000a6e52cd17f4fc7984edb24bf715c66",
+ "sha256": "8662d51b058ba0aaa8beb626fa104c2c7f6ee6f1970db79c6ab2615a567e699f",
 "type": "eql",
- "version": 1
+ "version": 2
 }
 },
 "rule_name": "IPv4/IPv6 Forwarding Activity",
- "sha256": "98b7c643f9f9b010293863a5a9e79452dd6bd16f72b18e1c8c847b1baf6edfd8",
+ "sha256": "1cf2ab43dc77c7b8e03becd52f2882b3dc1844085e26351dda5f6b31bb609722",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
 "min_stack_version": "8.14",
@@ -5621,34 +5655,34 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
- "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4",
+ "sha256": "195101291410db100f83b2bbb0bb45a23a5d3c84f0b3cc59e3e80543531dd5e1",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "8.13": {
 "max_allowable_version": 308,
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
- "sha256": "a58979585d4e2dba00ae2bf4cc63ae6bed5e961b9f7644c0dc3fa1cdc1f2a938",
+ "sha256": "2213291fff0bb1ba56efbcc8b9b3bbeca328b89b52cf3e419b4fb6e70936dad0",
 "type": "eql",
- "version": 209
+ "version": 210
 }
 },
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
- "sha256": "922c50914d6b49f38e49963069b5aded60978873160d1be2e5ac966b0f38d3fe",
+ "sha256": "0803f03287c0303a478d35d524621cf58ec5e09afe472fe968a33d05b1f8e025",
 "type": "eql",
- "version": 309
+ "version": 310
 },
 "5a3d5447-31c9-409a-aed1-72f9921594fd": {
 "rule_name": "Potential Reverse Shell via Java",
- "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1",
+ "sha256": "9f4687f96c022e624c6f5414ecb77f6d8b9148dceb9137d3bf0bb37c294bd2e9",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
 "rule_name": "ROT Encoded Python Script Execution",
- "sha256": "c0274af6f64a052fd104039c8754ea7aa05eaadab769efc8a98bc62711b2b491",
+ "sha256": "797af136476a4575466ea7dad526fda9d5328930d8f9985a260e5e1177223225",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "5ae02ebc-a5de-4eac-afe6-c88de696477d": {
 "min_stack_version": "8.13",
@@ -5656,21 +5690,21 @@
 "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Potential Chroot Container Escape via Mount",
- "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc",
+ "sha256": "bf4217022061a7456c301cffe1ab6dd6d9298a3c45e206c125c42667862de6e1",
 "type": "eql",
- "version": 2
+ "version": 3
 }
 },
 "rule_name": "Potential Chroot Container Escape via Mount",
- "sha256": "22f95e8aa96442f2aaab2baa40a03a32f9a71ab839f014a32f9f57c2bf68d6f2",
+ "sha256": "efa24aa4e360509d77a32ce3f80aa988c50b5849bf0f3c2e8600efd49b6a384d",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
 "rule_name": "Remote SSH Login Enabled via systemsetup Command",
- "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058",
+ "sha256": "8a9322fcb0f59a2f5ade44ab323e0b057c6019500063a9e67db93eb954461718",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
 "min_stack_version": "8.14",
@@ -5697,15 +5731,15 @@
 },
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2",
+ "sha256": "6a40d4a3eb8956f0fa86900cd0f068813b708cf72355b20a006a4ae024884b63",
 "type": "query",
- "version": 108
+ "version": 109
 },
 "5b06a27f-ad72-4499-91db-0c69667bffa5": {
 "rule_name": "SUID/SGUID Enumeration Detected",
- "sha256": "ecb48f9b2113ef16a9cf28b12062a7336b1fc1183e11978fa97c5d28f733e894",
+ "sha256": "579398f581b46a408dd3248aa0e706c28ce608e3fcecb9296abc9d328e024c92",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "5b18eef4-842c-4b47-970f-f08d24004bde": {
 "min_stack_version": "8.13",
@@ -5713,15 +5747,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Suspicious which Enumeration",
- "sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570",
+ "sha256": "81bdb21ca450212add8a85c321bb3987998e8f5dada389fbc8a46fa1d740581c",
 "type": "eql",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Suspicious which Enumeration",
- "sha256": "73c8ca3902ddad43fb2ceb90daa245dc057f3c920067897050295d67a1394cbd",
+ "sha256": "31644856f49ffea6104635840c58566a40fbe5a81da84366f5eb33be25efe892",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
 "rule_name": "Potential Masquerading as Browser Process",
@@ -5735,41 +5769,41 @@
 "8.12": {
 "max_allowable_version": 213,
 "rule_name": "Suspicious PrintSpooler Service Executable File Creation",
- "sha256": "f8b5d6b8dcd9ba7c0a8a5e3c777145a5ab964529eb766fbf5cab16a47349ead2",
+ "sha256": "35874a6b3415659603a51352ab4aafe03d8e2d816f25c4f343115687e555aa00",
 "type": "new_terms",
- "version": 114
+ "version": 115
 },
 "8.13": {
 "max_allowable_version": 313,
 "rule_name": "Suspicious PrintSpooler Service Executable File Creation",
- "sha256": "91c753727cc93c11d0c14042e89f25f4662381aa6ed581df89352758ca0056f3",
+ "sha256": "5ca5d9dba9c3eda093b2a3b2260982c127108c3167436867c912cf29f5129f87",
 "type": "new_terms",
- "version": 214
+ "version": 215
 }
 },
 "rule_name": "Suspicious PrintSpooler Service Executable File Creation",
- "sha256": "aeec107590fee9b7eb50ce2c5790e91eebe4152e23c7a16c88cd8371f4e374b0",
+ "sha256": "4dcc839828bb5d7e479b5816322bbc8808ee054bc913c811cd9690d54c57ca6b",
 "type": "new_terms",
- "version": 314
+ "version": 315
 },
 "5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
 "min_stack_version": "8.13",
 "rule_name": "Boot File Copy",
- "sha256": "30d90beef7fd3002ffb27eab0ea0dd20d3a7775ee4e6eb142d5351f9145fac50",
+ "sha256": "24d0894ed6959d5f54396c957e8dcd3de231026e473c753ef10c5c033f991857",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
 "rule_name": "AWS WAF Rule or Rule Group Deletion",
- "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0",
+ "sha256": "89f33201ad4d76858ce52afe371130935c8d2f202139ea266bd17c9ac2488519",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
 "rule_name": "Process Capability Enumeration",
- "sha256": "22e7a4474249251e7e0ff02b91956eefe3253c4dbffe219e41537c4fca33d8df",
+ "sha256": "b59cc8bfab61d96bcdff86bcf5c7a1b13b64354d821ae475efcf40a35b332a19",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "5c602cba-ae00-4488-845d-24de2b6d8055": {
 "min_stack_version": "8.14",
@@ -5777,15 +5811,15 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
- "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0",
+ "sha256": "5ae470e75de9bdbb84070a55c7cfbd9143654a72f9e9193782aea6145b12fd1e",
 "type": "query",
- "version": 3
+ "version": 4
 }
 },
 "rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
- "sha256": "e76374e15f51af2dd0d683aacb95c40df7bb4ab2452ca64cab318aa20a1766a6",
+ "sha256": "d4ae42e3bddc23b1b5b75d60e725076a3baf37caeae03e0794a91fa47346aa02",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
 "min_stack_version": "8.14",
@@ -5799,9 +5833,9 @@
 }
 },
 "rule_name": "FirstTime Seen Account Performing DCSync",
- "sha256": "60be180da0a4d8a02621f58482c7ddfc3b2fc4815bbd722097bef9ec5bfe45a8",
+ "sha256": "d4accae05fecc5956c2caf27bab5e9eb13b871713c8855c25c6a47bd44a0d2be",
 "type": "new_terms",
- "version": 113
+ "version": 114
 },
 "5c81fc9d-1eae-437f-ba07-268472967013": {
 "rule_name": "Segfault Detected",
@@ -5815,27 +5849,27 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
- "sha256": "c07bd3dc94f7395887a9d16a2c6986600519ec86ba8f4082f4c1c546be147907",
+ "sha256": "5236ec39f5b96c9f3b575a920dbd695b7473c5bafe7625e03799f60d559b28e9",
 "type": "eql",
- "version": 1
+ "version": 2
 }
 },
 "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
- "sha256": "58a78bbe94aa8e3ce22da6a4bbc47087b53a4e124ed72c30bb71e4c4ebfa89ed",
+ "sha256": "23f889cc4747d5ad5d505549b4301b18abb715f10d21b48a1c87dbd95cef2f29",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "5c895b4f-9133-4e68-9e23-59902175355c": {
 "rule_name": "Potential Meterpreter Reverse Shell",
- "sha256": "d07f514f10110b37d711bf355d40833340fbbf7701ba0cc4db57f259713e2dba",
+ "sha256": "dac377b1d7e688c590f3961e984193d99e548ddf1fa5d9298d724d251cfb7b4b",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "5c983105-4681-46c3-9890-0c66d05e776b": {
 "rule_name": "Unusual Linux Process Discovery Activity",
- "sha256": "f9a87ae54214bad3a060e755e979bde3234717dd912edb1867dd9bb0f3f658b1",
+ "sha256": "6699f13d1830f5c9e67d20ffe8e3c35f4cabefe9e630339c8541bdbdff752085",
 "type": "machine_learning",
- "version": 104
+ "version": 105
 },
 "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
 "min_stack_version": "8.13",
@@ -5843,15 +5877,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Potential Defense Evasion via PRoot",
- "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4",
+ "sha256": "5be300eea96d7d3fff01d8e2f1ce70318e82a027159669467454f10cf243e208",
 "type": "eql",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Potential Defense Evasion via PRoot",
- "sha256": "d3dc37d8bb5d0c604f5f739245d5529eada7a5b0873cbfd84c84f37337c57743",
+ "sha256": "20eb77ba6a8a8323188fa6281186aa530803e86930af2a51cb2fb2140ad57fcf",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5cd55388-a19c-47c7-8ec4-f41656c2fded": {
 "min_stack_version": "8.14",
@@ -5859,15 +5893,15 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Outbound Scheduled Task Activity via PowerShell",
- "sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80",
+ "sha256": "881e17596c2ce4e314625942adb04235a12e70f19501ddbf53391bfe02dd03f9",
 "type": "eql",
- "version": 109
+ "version": 110
 }
 },
 "rule_name": "Outbound Scheduled Task Activity via PowerShell",
- "sha256": "7d3bf84b8bde799ef371d4a6327bf8f541afea0300cdbf24763d28eb8f8342b5",
+ "sha256": "9861068f16d7c13e90230fde674392101cfe9ae5e74dbda9522097093911536f",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
 "min_stack_version": "8.14",
@@ -5891,28 +5925,28 @@
 "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Persistence via PowerShell profile",
- "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60",
+ "sha256": "e2a9084a8e3062415cf21a33d22098b3e31cd354006e57075af67e820641af92",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "8.13": {
 "max_allowable_version": 208,
 "rule_name": "Persistence via PowerShell profile",
- "sha256": "bcfac59564d41ebcb539180ca3a3bf7ce87cc15eef7fe386b497fab430a67572",
+ "sha256": "0383a8c5a6705916613f80d301ca0dea35cf7ff7cb13b719320e19c6dfeaffb4",
 "type": "eql",
- "version": 109
+ "version": 110
 }
 },
 "rule_name": "Persistence via PowerShell profile",
- "sha256": "f3fa333c7f1b7b2d1da2b134f2a3f535c02a04bbe1e29aea9a07f65dc3112f42",
+ "sha256": "0f950647d4f0916286902132be8dcaec3f65ee3132b998b43e7eeb93677cafe5",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
 "rule_name": "Persistence via Login or Logout Hook",
- "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8",
+ "sha256": "b8a59cdd32843855c38fac2f200184b85c2d6530489e471b8a4130406e8ec85b",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
 "min_stack_version": "8.14",
@@ -5920,15 +5954,15 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Suspicious Execution via Scheduled Task",
- "sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75",
+ "sha256": "975967ec3e4989e05b906196e1492ea1f24ac1162211d54845e8c1f682036f71",
 "type": "eql",
- "version": 109
+ "version": 110
 }
 },
 "rule_name": "Suspicious Execution via Scheduled Task",
- "sha256": "98c90d11775a22fd8b8841c192bba0357583dfff531656d7728cefb2a3cf68fb",
+ "sha256": "3b3ccd623ad35abe21a31e6f429265fff80ee4bb1cb27b4ca7360e556282bea8",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "5d676480-9655-4507-adc6-4eec311efff8": {
 "min_stack_version": "8.14",
@@ -5936,21 +5970,21 @@
 "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Unsigned DLL loaded by DNS Service",
- "sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7",
+ "sha256": "8f2d6fb941f3e9f2fe599164f806804b1b09b4c08131d79eb3e7ecaab5034c05",
 "type": "eql",
- "version": 3
+ "version": 4
 }
 },
 "rule_name": "Unsigned DLL loaded by DNS Service",
- "sha256": "1bed4177a477d026c410cae36aa7cc8da677f5a62bab50fb6caced420d1dd57c",
+ "sha256": "0e908a21b5f00f708db56a1f494aafbe52a203ae6f332d5e4e763103aa53e03d",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
 "rule_name": "Suspicious Automator Workflows Execution",
- "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906",
+ "sha256": "a1c17423de6e19c6f7cf178290eafc3cd6146dbbb850b2c6ac92c5826af80f6b",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "5e161522-2545-11ed-ac47-f661ea17fbce": {
 "rule_name": "Google Workspace 2SV Policy Disabled",
@@ -5964,21 +5998,21 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Memory Swap Modification",
- "sha256": "87f23ecd1afbe1e17093f0f1d038a49132d433f0e99f842a2c1ea2070422022a",
+ "sha256": "d3233c88cf4a2b91daeca4e6247bb3758023b234d009f522b19223f87aeae20f",
 "type": "eql",
- "version": 1
+ "version": 2
 }
 },
 "rule_name": "Memory Swap Modification",
- "sha256": "923afd5486608e70492a648b58298dd6b5e3a6e9dfea406822d0139d7e84a6f5",
+ "sha256": "5583dee02ed10b698537738686fdd5974f461d686e6b36f456a6eaf52a661fc2",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "5e552599-ddec-4e14-bad1-28aa42404388": {
 "rule_name": "Microsoft 365 Teams Guest Access Enabled",
- "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838",
+ "sha256": "3ebdea07f4ef0b08b17227bc1a2482fdf6678f10abcacd02c0a85dfb400a1501",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "5e87f165-45c2-4b80-bfa5-52822552c997": {
 "rule_name": "Potential PrintNightmare File Modification",
@@ -6018,15 +6052,15 @@
 },
 "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
 "rule_name": "Docker Escape via Nsenter",
- "sha256": "11c34c854e425416671771fda4ebe364a729e7203d287c32837120c5426ec678",
+ "sha256": "453ade8392dd064ac66baaea865224304bffe2e8afac34c7811e8776d5989843",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "60884af6-f553-4a6c-af13-300047455491": {
 "rule_name": "Azure Command Execution on Virtual Machine",
- "sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12",
+ "sha256": "75603330eba99f8199e1a118a71eca46d7c50d35b4cd605c1dfc199a15028b4b",
 "type": "query",
- "version": 102
+ "version": 103
 },
 "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
 "rule_name": "Azure Service Principal Addition",
@@ -6036,9 +6070,9 @@
 },
 "60f3adec-1df9-4104-9c75-b97d9f078b25": {
 "rule_name": "Microsoft 365 Exchange DLP Policy Removed",
- "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9",
+ "sha256": "083349bd92f7b6c0a756f5a62567cd8c5a5bc5daadf1eece6de8e8e79978a41e",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "610949a1-312f-4e04-bb55-3a79b8c95267": {
 "min_stack_version": "8.14",
@@ -6078,15 +6112,15 @@
 "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Interactive Logon by an Unusual Process",
- "sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764",
+ "sha256": "aa2c30439a09a0821ce30bb48e9a7ded35e0cd590c0acbca87390d10683bc5cc",
 "type": "eql",
- "version": 4
+ "version": 5
 }
 },
 "rule_name": "Interactive Logon by an Unusual Process",
- "sha256": "1baf1fef6bba99c5ccdc2528a1cf37b50b5fa046a869241e7957bc24910a38d2",
+ "sha256": "1813675633a8a8db3f036f1276035eb83d74c80d29e7e67aa2bf1099ab057778",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "61ac3638-40a3-44b2-855a-985636ca985e": {
 "min_stack_version": "8.14",
@@ -6122,9 +6156,9 @@
 }
 },
 "rule_name": "AdminSDHolder SDProp Exclusion Added",
- "sha256": "0025f93aa161653a794f9a26065ea5e0cc28cde56f00267df2baedba016c4e6e",
+ "sha256": "3b4775c89f9910cc69fdfc6e3ba815ed3da59f85eae5f23cfba94d923518152d",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
 "min_stack_version": "8.15",
@@ -6132,22 +6166,22 @@
 "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Multiple Okta Sessions Detected for a Single User",
- "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba",
+ "sha256": "f472608d534083bdf5f50a92951a81599a2b3dce40e413de960019aa9f7435f5",
 "type": "threshold",
- "version": 5
+ "version": 6
 },
 "8.14": {
 "max_allowable_version": 205,
 "rule_name": "Multiple Okta Sessions Detected for a Single User",
- "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba",
+ "sha256": "aee13957217142915e900a15702f1683ba54b1c488d13e92b73e3d8e866779df",
 "type": "threshold",
- "version": 106
+ "version": 107
 }
 },
 "rule_name": "Multiple Okta Sessions Detected for a Single User",
- "sha256": "4d6ac1ca8a19590fa0ac7866fe9b56931d6d7515611ebf4cd25c8ee1ecedfa95",
+ "sha256": "12e0d0b72f404e2086dcd9c36311a6eeb68c65979ce775064dd5c6ea06953106",
 "type": "threshold",
- "version": 207
+ "version": 208
 },
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "min_stack_version": "8.14",
@@ -6155,15 +6189,15 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
- "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e",
+ "sha256": "facf2b369187ce8da1649950be8b3e38f3c4c1ec81f490fa646827baf5d2427a",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
- "sha256": "469e57d1084b2101124729bd1a24f0d0de9a3ba693867395cb5e2b2747429009",
+ "sha256": "2b2a1dca315b2ba3e10a64bdd41f6a67b6cb64924ac2ef44668a7ec80657d775",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "627374ab-7080-4e4d-8316-bef1122444af": {
 "min_stack_version": "8.13",
@@ -6171,15 +6205,15 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Private Key Searching Activity",
- "sha256": "cfb8fb1ac5550969ade51696c2cce707ef17cb2ba835b59dde324128fe49a3da",
+ "sha256": "d14cd033b213dd2aa22e191e4316a3e9399efede1e2a54e6b84c28fc98e43248",
 "type": "eql",
- "version": 1
+ "version": 2
 }
 },
 "rule_name": "Private Key Searching Activity",
- "sha256": "6a4cafcee7a10b376ff76157de5011d5f20df6e1ffda15016ffb5030b599d4d2",
+ "sha256": "5519c882a79e550a82c6cdf78d433feb500b6bd32ef8f72913f9df44a00f8a9f",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "62a70f6f-3c37-43df-a556-f64fa475fba2": {
 "min_stack_version": "8.14",
@@ -6193,39 +6227,46 @@
 }
 },
 "rule_name": "Account Configured with Never-Expiring Password",
- "sha256": "d1a41572216c35257141c8fde9abe70f1cc185ba00383bd8a0a180ce1ce6cbc6",
- "type": "query",
- "version": 211
+ "sha256": "fbd13d6ec521fef8ffeaf94e8c126b6c3d610a7440b32fdbec53435987e3e9ea",
+ "type": "eql",
+ "version": 212
 },
 "62b68eb2-1e47-4da7-85b6-8f478db5b272": {
 "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
- "sha256": "5a3fd12529c9c80182c6867d42fd64119b65ce06f0106fb6c46537b9f536d9ed",
+ "sha256": "3a95ccdc273d7d2af093ab0c0445370fc790147be6d43d2a2edb2b9b3cdc82e0",
 "type": "eql",
- "version": 5
+ "version": 6
+ },
+ "63153282-12da-415f-bad8-c60c9b36cbe3": {
+ "min_stack_version": "8.13",
+ "rule_name": "Process Backgrounded by Unusual Parent",
+ "sha256": "208219618907f9af2a97a782d360496106265946d0d6b37aa5eb4369f2bd210a",
+ "type": "new_terms",
+ "version": 1
 },
 "63431796-f813-43af-820b-492ee2efec8e": {
 "rule_name": "Network Connection Initiated by SSHD Child Process",
- "sha256": "bf0ca3359e6f32c685d719787f6adfd48d96993c3b01c42812464e6aaed5aa1c",
+ "sha256": "9bc024ebd7d20dd7d23abc9dbe71bf043edaab5d7afc79551d0da709c4fe821e",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "63c05204-339a-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
- "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab",
+ "sha256": "53a873d39857e58ee6e4fc5b7399e895bb152e41c1ab935663837628267e4ec7",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "63c056a0-339a-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Denied Service Account Request",
- "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86",
+ "sha256": "c8d9810184ef49e7246335b18a3ee60393d89ef7ce8f918026a59c34bcc38064",
 "type": "query",
- "version": 5
+ "version": 6
 },
 "63c057cc-339a-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Anonymous Request Authorized",
- "sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd",
+ "sha256": "17099608b9a995ff056b49ffa5be61ac5b2aa1b25812fa9ca68294450e48a050",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
 "rule_name": "Sensitive Registry Hive Access via RegBack",
@@ -6239,21 +6280,21 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Network Connection via Signed Binary",
- "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49",
+ "sha256": "66192fcde84de1d9b0e809854015279f1016447b2e2de3d0f3f81aad88df91bf",
 "type": "eql",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Network Connection via Signed Binary",
- "sha256": "13ab27af642b6257541d2f7dd40e674512caf3615983668154c3cb69ce92212b",
+ "sha256": "dbff3c36a4ce01428dd306c519a48b7816f503173ba63ff090c31c9719748cc6",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "640f79d1-571d-4f96-a9af-1194fc8cf763": {
 "rule_name": "Dynamic Linker Creation or Modification",
- "sha256": "17626f3f8f0d9413631123ff3710cc6bbd765919f591f8cc4cb0b3ed798fd72d",
+ "sha256": "9d1158eb547e4cbef8792d8e21f04e26ed8f8e6a4205bc87f557901520583a3d",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "rule_name": "Anomalous Process For a Linux Population",
@@ -6263,15 +6304,15 @@
 },
 "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
 "rule_name": "Modification of Safari Settings via Defaults Command",
- "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012",
+ "sha256": "83a660084e9cace9aebc80260a7b32dde9583c295a54c288ca8cd2bde4522611",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
 "rule_name": "Network Connection via Recently Compiled Executable",
- "sha256": "c2a1edb00dafb062774f8a65b34f761d2c5332b1165d4c2282dab5acdd7baeac",
+ "sha256": "2077b595953101f3fa176295f9adac0453ae759f4adfda777ee54f9285fb893b",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "6506c9fd-229e-4722-8f0f-69be759afd2a": {
 "rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -6285,40 +6326,40 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "MsiExec Service Child Process With Network Connection",
- "sha256": "861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287",
+ "sha256": "0dec5c209de4432366d522c8479caa203fc027282bbca7df21df60a9a9ff41e1",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "8.13": {
 "max_allowable_version": 200,
 "rule_name": "MsiExec Service Child Process With Network Connection",
- "sha256": "41602b6a702f894fa85aeda894b432bf97541e7a789da640b09d1a6ccb020920",
+ "sha256": "fae229cedfaca7b7e8f9a7e40a573cc0933889bf6fd0a9add01469c2f12bd0bd",
 "type": "eql",
- "version": 101
+ "version": 102
 }
 },
 "rule_name": "MsiExec Service Child Process With Network Connection",
- "sha256": "f777f01e40e9050b0c782526949a439d855433b0f63892411d709ce8cda391d4",
+ "sha256": "159c5871496b2240dc1edfc09db683fb7932c924589e736eb32c5a80fd21b0a7",
 "type": "eql",
- "version": 201
+ "version": 202
 },
 "65f9bccd-510b-40df-8263-334f03174fed": {
 "rule_name": "Kubernetes Exposed Service Created With Type NodePort",
- "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e",
+ "sha256": "5ba81546094d936ec84995fbcb3e17bf792328c2426d692c1d219cb256fba423",
 "type": "query",
- "version": 203
+ "version": 204
 },
 "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
 "rule_name": "Attempt to Mount SMB Share via Command Line",
- "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4",
+ "sha256": "6883edba26e4283cdfdd6ae341ed445cd67e51d20dc15f1fe106514a29c07af3",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "6641a5af-fb7e-487a-adc4-9e6503365318": {
 "rule_name": "Suspicious Termination of ESXI Process",
- "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2",
+ "sha256": "12e2cdafd4870927e64b1a906bbd4a927ea681570396c184a54f119486371411",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "6649e656-6f85-11ef-8876-f661ea17fbcc": {
 "min_stack_version": "8.15",
@@ -6326,22 +6367,22 @@
 "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
- "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576",
+ "sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "8.14": {
 "max_allowable_version": 204,
 "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
- "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576",
+ "sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4",
 "type": "new_terms",
- "version": 105
+ "version": 106
 }
 },
 "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
- "sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d",
+ "sha256": "b8bb1b1e0023c2ce2967ad5ecc17c016a9de356e9f27d2e9f33c5ba979e7801b",
 "type": "new_terms",
- "version": 205
+ "version": 206
 },
 "665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
 "min_stack_version": "8.14",
@@ -6349,27 +6390,27 @@
 "8.12": {
 "max_allowable_version": 206,
 "rule_name": "WebServer Access Logs Deleted",
- "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977",
+ "sha256": "3d41e0a751de0eefc517ae323b3602930bdfa24fbf61b7c15235e4be117511ac",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 },
 "rule_name": "WebServer Access Logs Deleted",
- "sha256": "615a81cd545877582b84f8a6524858b3762c49019fa6fc3286e441330c854938",
+ "sha256": "c437c24eaca8d8d4b1fbd92c21ca0f8dd61115f3a64e0c02f1e23aa0e428060f",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
 "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
- "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a",
+ "sha256": "f8282a2d5173fd7e6fde9595c6efa24f5ebe48767db9981ec5a6cadffcfcf341",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "6ee19e30f1b9b03cb860b685a9b64b35926db4749f7f4bec889b9061a34dd99f",
+ "sha256": "676676fdba05827386bf901a05e1f8335bbe5042bc52bc54c688eb0aac55b715",
 "type": "eql",
- "version": 116
+ "version": 117
 },
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "min_stack_version": "8.13",
@@ -6377,21 +6418,21 @@
 "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Linux Process Hooking via GDB",
- "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d",
+ "sha256": "d6069d2128de9e65240d1c2a03f27f397f632fbdb78102892e58b51e395c942a",
 "type": "eql",
- "version": 3
+ "version": 4
 }
 },
 "rule_name": "Linux Process Hooking via GDB",
- "sha256": "233c3166926ca81a15eeadc2bbe25b0f37ced7d272398ae6ba062b5f21883786",
+ "sha256": "102f289cddaa0bfdaa48642008df6ac4c7ffe2be9cc0d5ab335ec0647d841c6d",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
 "rule_name": "Suspicious macOS MS Office Child Process",
- "sha256": "a39e945c3402e4c0c2dbb298ac6967a111eed708c37dc104c0883a65040b4115",
+ "sha256": "e35261396a28f58844455d18ffd0bcc2c385ca3960845c6db9f87949bc561fb3",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
 "min_stack_version": "8.14",
@@ -6399,15 +6440,15 @@
 "8.12": {
 "max_allowable_version": 112,
 "rule_name": "Modification of the msPKIAccountCredentials",
- "sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804",
+ "sha256": "71980b7e4a7ca43713bfa72cd0160821533b13c24e3fa1d0e645a42eec4f8512",
 "type": "query",
- "version": 13
+ "version": 14
 }
 },
 "rule_name": "Modification of the msPKIAccountCredentials",
- "sha256": "dc7f9e08e370facf03fd788985647ead45419455fbd6e63b7c489088770b941b",
+ "sha256": "1b9b6777a50eef6af6496d2bc9338d04c6b74efbbc726b1cae58177d40ed8b92",
 "type": "query",
- "version": 113
+ "version": 114
 },
 "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
 "min_stack_version": "8.15",
@@ -6415,28 +6456,28 @@
 "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Modify an Okta Policy",
- "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48",
+ "sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "8.14": {
 "max_allowable_version": 409,
 "rule_name": "Attempt to Modify an Okta Policy",
- "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48",
+ "sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473",
 "type": "query",
- "version": 310
+ "version": 311
 }
 },
 "rule_name": "Attempt to Modify an Okta Policy",
- "sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876",
+ "sha256": "79a56d12f5cfae0778882f6215f3767e744601b2d0f0183fa71a191bc5d9a8c4",
 "type": "query",
- "version": 410
+ "version": 411
 },
 "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
 "rule_name": "O365 Mailbox Audit Logging Bypass",
- "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb",
+ "sha256": "f899b24ce14bb0d0e1c223537cd020b2b65c7b71ad97b87fd5359b89e6bd2e2b",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
 "min_stack_version": "8.15",
@@ -6444,22 +6485,22 @@
 "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Revoke Okta API Token",
- "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93",
+ "sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "8.14": {
 "max_allowable_version": 409,
 "rule_name": "Attempt to Revoke Okta API Token",
- "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93",
+ "sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213",
 "type": "query",
- "version": 310
+ "version": 311
 }
 },
 "rule_name": "Attempt to Revoke Okta API Token",
- "sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7",
+ "sha256": "33e8c27c30a851ee7f9d49ed14bb20f1cfb5d370320db326fbfffb9c7b855b63",
 "type": "query",
- "version": 410
+ "version": 411
 },
 "67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
 "rule_name": "SMTP to the Internet",
@@ -6485,28 +6526,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Image File Execution Options Injection", - "sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3", + "sha256": "8107c66fd0a677b8966bf0f40409dfdac75050d7a2372a8e4ba10ce0350e6dfd", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 308, "rule_name": "Image File Execution Options Injection", - "sha256": "9cd61cbd2e186a7e79c84c63453170d959f8a17ba7f17226d7b751d3eb3401a0", + "sha256": "2eb29b66dbef8063acbd04479aaeb1f14fc4d5f7235afe9076fdfc86d199e837", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Image File Execution Options Injection", - "sha256": "a0e0e9db739a9599f432f5b67c38f79f2d78548a4048ada364cc2a77c63ad808", + "sha256": "bebbfc9c058cfc51931d5709b857995da179d43ad8e786073c42d4d74c29ef69", "type": "eql", - "version": 309 + "version": 310 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "New or Modified Federation Domain", - "sha256": "63bfcc3ca67c6279f1ed85c444ec4e840c389f3695e4228ed07f322caf108344", + "sha256": "0c327149e5c49e9161bd8a1ef2fb8bbe117febb4c86c9efcaab8a6dc5890205a", "type": "query", - "version": 207 + "version": 208 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.15", 
@@ -6514,22 +6555,22 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", + "sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", + "sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac", + "sha256": "e40176c9634f6d0f324b5be9bf2cfae0370f3d8fc01188d10e54e5684d5fbbaf", "type": "query", - "version": 409 + "version": 410 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", 
@@ -6537,22 +6578,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1", + "sha256": "d89ab2b28fdd4a4d0ad8ce943d5b320e1978c3ccde5d83d44424b7aa9e1bea55", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "5ea5116cd208e91c51260783d73f21acff4cc3285956fefc376e9fae3941f1b9", + "sha256": "6c476da86e9b4676c87675514ef346fe09280a8911de64c826ab5696fc9a515c", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "ae80e6eef7f02f152d24f72778eb22b6f998fffe08710ced5a60d17513f2ba50", + "sha256": "eb1bb445ec3e2abbd15d674c1b44e5304446e52f281eb18ca65cb039745c82de", "type": "eql", - "version": 312 + "version": 313 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", @@ -6566,15 +6607,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07", + "sha256": "a55f600e7c4e20a4be4404040ef2bc40bd6288c5aa54fc3a6d52c192f117858e", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "bb5ce1fe0201d211c3e0ee4e797372019294920771fb9be33e2e03799c925f41", + "sha256": "c0988d5971ae4b85ecac42dfbe57eb1514ddc1c13df5f2bba07ca1f2097e2414", "type": "eql", - "version": 208 + "version": 209 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", 
@@ -6588,15 +6629,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef", + "sha256": "5af182ae30ce25b660aec32433ead1ec5bb2caa3ebb06fc72801ac367d19014a", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "ea3607c104e47097033fed5ea9538819d7ee0e258c4956660fe6bdb792e9e9c4", + "sha256": "e7daf2e718a482222bdf0efce8b58bd0b54b5ad6697d3b9c492962fd802e79a8", "type": "eql", - "version": 102 + "version": 103 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", 
@@ -6610,28 +6651,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e", + "sha256": "88f491fbc91172a9ce530e464d3e41d098720ae427782544b68895129cdc1564", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "d9f1796c6d6ad026fc2376b376520d5553dcbd8c64035bb1e86132a90634d94c", + "sha256": "dd1cccfa31ef19b5a08923452387349ef94bd64771d07f0bea725ec4a9d462f8", "type": "eql", - "version": 210 + "version": 211 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", + "sha256": "9111baa04124fb4545052164f1f94445a22b38269c10ddf9433bccd3112f7b0b", "type": "query", - "version": 106 + "version": 107 }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "min_stack_version": "8.13", "rule_name": "AWS IAM User Created Access Keys For Another User", - "sha256": "c0b79735104a736c418ffcbe21e0292334ad5d5ed9c425c75d5d0aaad52463f0", + "sha256": "6f69dc6e309b86b281bd3f02594a03d86ba15d5835011a2b37a7ce21f3da291d", "type": "esql", - "version": 5 + "version": 6 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", @@ -6641,9 +6682,9 @@ }, "69c116bb-d86f-48b0-857d-3648511a6cac": { "rule_name": "Suspicious rc.local Error Message", - "sha256": "5ca0e055dc47c8c359d83d3c42388f2d1da1c8bb7fd5b309f29e81d5e4d767d5", + "sha256": "bd61c67f25dedf7bbc88efd6e7088a4f24faa27595c5ec46bfcbdfef30126b78", "type": "query", - "version": 2 + "version": 3 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "min_stack_version": "8.14", 
@@ -6670,9 +6711,9 @@ }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", + "sha256": "e2ba77f3b79dada7823d3ab325dc40c902b56e2272d29bc671c218bf23de24ff", "type": "query", - "version": 206 + "version": 207 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { "min_stack_version": "8.13", @@ -6680,21 +6721,21 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Attempt to Disable Auditd Service", - "sha256": "18dfc5c1f6dcffb90d7eccf1b9512ec335538d410a838cd95c25f0ba6788fc7f", + "sha256": "f5fa9bfd7d9d2f03fb2e6f1b264a7b0f0f433bfb3953f27bed2afda53a7af098", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Attempt to Disable Auditd Service", - "sha256": "825e810e08bb39ba58fd1dc50b36b28f4128e5448e6061670a62b7274acc3d4a", + "sha256": "a21ae8ad2d9a9aa7f634479e7b2fdea05a56714d0e14c6541044895377b4f628", "type": "eql", - "version": 101 + "version": 102 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "EC2 AMI Shared with Another Account", - "sha256": "0c4ef4f51a8579747372ea43f8369add1855a2c4ca49c0059a91aca3c86b15e1", + "sha256": "7f27abffb5aef9aadc163768a1f49184de75aebae83c4a7addfa275d9395699a", "type": "query", - "version": 2 + "version": 3 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.14", 
@@ -6702,22 +6743,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", + "sha256": "5f2f1310bff01d3a4c1ca2605ab01c632f85b21d4078a06cb88c4ffeabc174ff", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "a5aca0cae7c3d4e2af72e551b196aa734185edb840e64a44250875f56954f40e", + "sha256": "0b7fffd5409c0d916c6b441f0f6eb2c95550d8c5c9d74192d312b7ec442372ac", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "43459eeea6bab6c7fd87826c312985fcadb070763b879b2c8918b3cec2435895", + "sha256": "f463a7fe6e3b83f613bbd5fe19c3341fc1281b264a8b32289a081c9e9f5748cf", "type": "eql", - "version": 310 + "version": 311 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.14", 
@@ -6748,21 +6789,21 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", + "sha256": "1c1d57466f2540ce62774922d5711359a9650bd523baf98fa3d13d5c17151881", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "8bc0cdc7893a5a1bbedcaaed4829fcf58e1a1c074dba0e0572f917408f4012f5", + "sha256": "4b44cff5ea71dfe44a694925ca874673be82adc62e7000b867108002baa8c6ba", "type": "eql", - "version": 107 + "version": 108 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", - "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50", + "sha256": "09e49424ce202fe6c5b9e7f31510da79059a0617231c4c0022d2c1825ff55f8c", "type": "new_terms", - "version": 208 + "version": 209 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "min_stack_version": "8.14", @@ -6770,21 +6811,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96", + "sha256": "35a97fde08022de5eb9913eb1b86dc35df3e225ffdf4871c7880402ab13a1c20", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "81dd8799d02ef1ea7d54b9def9a1ab5cddb29910c2a88f978b310fc8b0b4b232", + "sha256": "60d1fc76b949a4e86b9d41bd1ed2f51acc26f54957efb24581f61db6c674ab23", "type": "eql", - "version": 208 + "version": 209 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { "rule_name": "Container Management Utility Run Inside A Container", - "sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d", + "sha256": "d66c939dc799f05fd9549a603ff1d567af4287f8a2e3c0cde5dac918e7575c8e", "type": "eql", - "version": 2 + "version": 3 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.14", 
@@ -6792,22 +6833,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", + "sha256": "545b3d224a0f1f8ebeb0d9f6ca6077c60c57b650d6a3daa51b4a8b30de55da39", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 307, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "5c11225cdbbc4109678a5ed167332604297fd7074668973d0b0112b3b4052f3a", + "sha256": "1b469660f4b28888121b5610c6034c3b0a309f63debe06bd347750f423362cf6", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "2fb47f8769b5103eed7d0e994a27d88daa89b306a570f96a16b4a7143462ea24", + "sha256": "7d551332f1288a1e8d53bccfab142a72143c5e61a950b05be6f4f8711ba883c5", "type": "eql", - "version": 308 + "version": 309 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "min_stack_version": "8.13", 
@@ -6837,21 +6878,21 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Process For a Windows Host", - "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", + "sha256": "a84737464ef6658f7587d12e88f77356e079d797986616813ffb6be47e2abaa0", "type": "machine_learning", - "version": 111 + "version": 112 } }, "rule_name": "Unusual Process For a Windows Host", - "sha256": "76043082e1635afa431a0b6ffd9156292fcec2cb34e12c1d3d5f8a4ac354c8da", + "sha256": "557a4432fcdb67fea0e8dd2558d19664cf507405b6db1317a0c399e9808e851d", "type": "machine_learning", - "version": 211 + "version": 212 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", - "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0", + "sha256": "f9612a6680c21d0e7472c260b412d0ce245e770722ae4ce351d2724843c22512", "type": "eql", - "version": 4 + "version": 5 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "min_stack_version": "8.13", @@ -6859,15 +6900,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Root Certificate Installation", - "sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2", + "sha256": "f8f51e4211d34c59185c437d929b82051162d84c2c026d0a311fd0d6f40f2099", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Root Certificate Installation", - "sha256": "7b3d5c33a80f686358b9a2c1e87a460372c73e2745f919fb3ea2bd8bf4a3ddb5", + "sha256": "f253848012c90e8fdcf02df03d40dbb169248ea5c7555e85d439610392aa81ee", "type": "eql", - "version": 102 + "version": 103 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.14", 
@@ -6887,9 +6928,9 @@ }, "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "rule_name": "Loadable Kernel Module Configuration File Creation", - "sha256": "c252a18bf2a68359e1d94df169c9571410f418945f1b4a916cbba7bbc94330c3", + "sha256": "55651a72478c93e332ffd43ceed7bb57e098fd6549e20ff56ce66ede80a49a75", "type": "eql", - "version": 1 + "version": 2 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.14", @@ -6897,15 +6938,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", + "sha256": "aa536cbc660cc56dffc7bd3cbb4098aacc6c96df9edb4d4dbe8f33414448b4d3", "type": "machine_learning", - "version": 108 + "version": 109 } }, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "849904e5601ed2b7ca539b15e1b20c3d5fd3a966683bc5a5f0cfa7101f0edcd9", + "sha256": "f51d97afdd1733e5fc284af1e741adc641483e82eab7f5fefd10f0447b2654d8", "type": "machine_learning", - "version": 208 + "version": 209 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "min_stack_version": "8.14", 
@@ -6913,21 +6954,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "AdminSDHolder Backdoor", - "sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe", + "sha256": "f665de1ecacdaa7b1c6b0556304063dac3048aada63e8f6ef7a725068e85f087", "type": "query", - "version": 110 + "version": 111 } }, "rule_name": "AdminSDHolder Backdoor", - "sha256": "d92aec3ae515b2f1ef5ead2567d90bf9ed286c98404ada51b490d78121809360", + "sha256": "eae617d40bb78ff247049dfa080cc2aa3aa6f67036c79af83b3d0c573bb1375e", "type": "query", - "version": 210 + "version": 211 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd", + "sha256": "3603dc2b2c4d67886879719f5bf7a3028418d0fd6b68942c48a0266e237f5200", "type": "eql", - "version": 207 + "version": 208 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.14", @@ -6935,15 +6976,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75", + "sha256": "736e277394bca054547364d6d99541019679fc36129d52d20115c635cea06701", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "e7158ede633bc5e943fe69d3f0dd3ca7dbbb2dcd7c6be7221419dbeb34619d36", + "sha256": "8c0b8e6ae4907a14420c8dc8d06917470f29f360f9604118f6220115e981bef3", "type": "eql", - "version": 209 + "version": 210 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.14", 
@@ -6973,15 +7014,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", + "sha256": "eb944b67560451bef538d988be2f0fcfd42f4a6dce1a2f67fc23ef34d93692e8", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "a44f454d7d3b4ac3bda2f2ddfe43c1eb63f445a52c8cc6c7bb56d32440122ae2", + "sha256": "a2bb01debfece4938dd4811b68b388aad80362fd4005573222fab19ba5b3f6da", "type": "eql", - "version": 107 + "version": 108 }, "6f024bde-7085-489b-8250-5957efdf1caf": { "min_stack_version": "8.14", @@ -6989,15 +7030,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce", + "sha256": "03eb5f7517e61382f1036b5beee21a7d1de836f457cada365be4b8aa39f93045", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "3a007cf6213892afdb51e38c653b7fbb54d64d355bfe16ae31a77fa323fd5fbd", + "sha256": "5cf116ca583a54c21dd2db7e27f62fa234832620236dd9cf062d0599afa18a12", "type": "eql", - "version": 102 + "version": 103 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", 
@@ -7011,22 +7052,22 @@ "8.12": { "max_allowable_version": 103, "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", + "sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8", "type": "new_terms", - "version": 4 + "version": 5 }, "8.14": { "max_allowable_version": 204, "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", + "sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8", "type": "new_terms", - "version": 105 + "version": 106 } }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9", + "sha256": "4b4aaaf8565e177b55da43b3b76e40c256d8df646f804b5548be8f9f4eb95a02", "type": "new_terms", - "version": 205 + "version": 206 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", 
@@ -7070,27 +7111,27 @@ }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "48ce070e2534c85222ae42380aff08e9cf1051209120195a41abb438dd4f8f6e", + "sha256": "fe89abe29a8070ab4e00e31a6d1cafde62515321d21198ba780381a9cc87d9b5", "type": "eql", - "version": 109 + "version": 110 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47", + "sha256": "6d5f8124605ee8d89f23173accb268a0822ca4c9d19c6ee69a82b72a054b8c85", "type": "query", - "version": 106 + "version": 107 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", - "sha256": "32963011dca38553023a0d151758f181bed528bee5ecb5b09ac7e98db6994910", + "sha256": "cc0ed08e75b10ef23c81e0eaaeaa4a105adead987b36e625e56b5d3fd95293af", "type": "query", - "version": 5 + "version": 6 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40", + "sha256": "11a00101c170955ef44f1ca300cced85620dfde179c9eed8484b753c960993b4", "type": "new_terms", - "version": 209 + "version": 210 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.14", 
@@ -7098,22 +7139,22 @@ "8.12": { "max_allowable_version": 214, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297", + "sha256": "021ab9fdaf96cad949b46c2810f09637e27d34d4870bb4544afe5e33d4fcc8fa", "type": "eql", - "version": 115 + "version": 116 }, "8.13": { "max_allowable_version": 314, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "3602a1e97b87858224410b312b908c03fd8de29c7043c6e494f1f906e12bcc30", + "sha256": "b28951fe4ef7053b478f08929474a4220e85d70c52a9d83f2779447c8b6a5cfd", "type": "eql", - "version": 215 + "version": 216 } }, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "265742cf965a3ba843e506c2a3b295f9cbd5d86e7cd45f85a3135b441230d12e", + "sha256": "25b753cd927ee68be264ce3804a09298ae399947fa04077161f80d8f6db87aec", "type": "eql", - "version": 315 + "version": 316 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.14", 
@@ -7121,40 +7162,40 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8", + "sha256": "4465fa5b7551e881e3e5b66b1cfae96e4f8459191b87e2266b1fc1998c26d690", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "8225645357459c0d58f7893ad549d29d2962f1d7223312aab7feb5c8b918fc68", + "sha256": "d39c0a65fabb51bbd9bbf21cda120d03b4b1891934c8d8298addd7d3585b1ccb", "type": "eql", - "version": 210 + "version": 211 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "rule_name": "Suspicious Passwd File Event Action", - "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2", + "sha256": "9c5e49e4ec3d86b7a5b7018df29cbbaafcaa6bc37f325409687ef18528d09109", "type": "eql", - "version": 3 + "version": 4 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", - "sha256": "221735c970fc3e380f11afa20a31274e578aab37486d9b912fe880f215412ddb", + "sha256": "53f2d959afe1859d602b087186c2f25fd816ce59109d230336260a9d4c9c2985", "type": "query", - "version": 2 + "version": 3 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", + "sha256": "eeedb6e75b8369f569e27869c6d1cfcc66b89f71b4869f6357e49a43538c980e", "type": "query", - "version": 206 + "version": 207 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", - "sha256": "34978ee634354ab60ca9b666477fc311458de3badb024f148a5005ee0469187b", + "sha256": "f61560b78b79c873453bce1b3947231b6df1c967d0f2a49efefd56bbfb7bfc59", "type": "esql", - "version": 3 + "version": 4 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.15", 
@@ -7162,22 +7203,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", + "sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", + "sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff", + "sha256": "9a377a031cd4fb9cb9842837169396944442098d99de7fb295b107e286c332f6", "type": "query", - "version": 410 + "version": 411 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", @@ -7187,9 +7228,9 @@ }, "72ed9140-fe9d-4a34-a026-75b50e484b17": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", - "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", + "sha256": "4f3545b509cbd0e36f1170017de36ef566801ca5376fc194fef70bac179466cf", "type": "new_terms", - "version": 2 + "version": 3 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { "min_stack_version": "8.14", 
@@ -7197,34 +7238,34 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7", + "sha256": "14c220c965f94f3d24b674b86ed86d9a0e093a00d8bb6fc8eb670488981b443a", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "e855ed53b4cfc63e2e39c9229565a1c01d7d48221d8070d431e8dc9e876c8f50", + "sha256": "f6fa075f0e990cc2ced9697647d10fa16903bdde80c50a403c2f4bc7b78d7a0b", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "ae1341f2955bd09f391d9e1c7a700bda4d7f98485c0639ce3a9296fd402d7f36", + "sha256": "e129818b4075375d23aede5312cbcac6b1a4b64ce749202fd8a924cdb2ed5a06", "type": "eql", - "version": 203 + "version": 204 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", - "sha256": "a1de5406513b29e7517ce6db0a932eed198d6f6646dde0fa92bfd7cc13817aa2", + "sha256": "b962ad63b2d98409b515c4dd3a06e95db517c9a7d1b13f171924c19dbaab563e", "type": "eql", - "version": 2 + "version": 3 }, "734239fe-eda8-48c0-bca8-9e3dafd81a88": { "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", - "sha256": "335243f27a9e9ed1e3642e492e90d9884c17019a2822331a668c6e48b82c46c4", + "sha256": "c1f5f6023527e8ad1b084703495bc9a930c88144a67ab419027b598476b0565c", "type": "eql", - "version": 1 + "version": 2 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.14", 
@@ -7232,21 +7273,21 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448", + "sha256": "491014d84ab03e206e7acd9755d0269b2830a9b3f9c44913c29682c433c740a6", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "c31f8fce3143f7e8eb7fcff3e3855ec68728dbb708d60e35ebc951c8dea7b0a5", + "sha256": "46384078f361759cefe252f2ab0c88a0782b3c678d19dbdf8f572efaf67b2044", "type": "eql", - "version": 212 + "version": 213 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", - "sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e", + "sha256": "44bbbdabf96190f26bace4b98f5c51ae42d1a21d7d1da27237875fa98e94a949", "type": "query", - "version": 206 + "version": 207 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "rule_name": "Unusual Hour for a User to Logon", @@ -7256,16 +7297,16 @@ }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", - "sha256": "be2743603bcbf86cc96a4bdfd8c5de3f4377cc7621eeafe530eac2db9e6342c7", + "sha256": "181dc50d849f55bfcf9764f49f182fed0798673d7fa5fbf72be7656432884240", "type": "machine_learning", - "version": 104 + "version": 105 }, "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { "min_stack_version": "8.13", "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "e302282bacf904630c492f9029228d942da4a53e8c775f0a4d050c1adc149db8", + "sha256": "f5789d775fa4739d37c91b2704142e6834659dfa48c0b2678871113ce335b642", "type": "esql", - "version": 1 + "version": 2 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", 
@@ -7281,21 +7322,21 @@ }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961", + "sha256": "35c6e99bb87ba74e8ad015a7294177cb02da7be90c3c3eaeafcfc7be552d06f8", "type": "query", - "version": 102 + "version": 103 }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "22a8ad00011d5f164b7afb9036e0c5c08d16762e2128190811ec8aafe4886bd4", + "sha256": "6af358d3be4d9bb00ef30bfd0dbcf86a28d3137bb9860f1f4798f16b397ca98e", "type": "query", - "version": 104 + "version": 105 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "5ddd8e0de022dc243009f61fe4aed4fd7812fd7d7ce4ff362bb536a2e0dcc1e9", + "sha256": "e909dade063ff13866c5e0f93e3c21f803087e12ab2fec4064af1a3dfa872729", "type": "query", - "version": 204 + "version": 205 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.14", @@ -7303,15 +7344,15 @@ "8.12": { "max_allowable_version": 111, "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191", + "sha256": "e27879646a752098196f7a4c79196676252e70f55aa7d52e91c8571fcf426996", "type": "eql", - "version": 12 + "version": 13 } }, "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "548fe255b858588807657801d2412f86bb23f3f7be4ad873dc10a2106a76466c", + "sha256": "53ab74d6acf45ef59942b5dd19e0d71f5ca14ae4de1da8c6090b4507887d6e22", "type": "eql", - "version": 112 + "version": 113 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.13", 
@@ -7319,15 +7360,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Creation of Hidden Shared Object File", - "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", + "sha256": "d821f3e5a0bf1e2dedce1bdaf15fe58785f4e47e81a99103fd0c35cb62e5fbf2", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Creation of Hidden Shared Object File", - "sha256": "7d8aba7675bdfd4210d9d2d6fb545a6626a13ccccaee4a669650fb3a6381aaac", + "sha256": "4ca005023766d02d784784bb7849d0cc16327545a1864fcca200f297ab249851", "type": "eql", - "version": 210 + "version": 211 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.14", @@ -7335,21 +7376,21 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", + "sha256": "d7ae7c609b2c09df86e03eb23c9f3d9c19a114f3e9e69d99121828e0555ea7ff", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "49a20927f23290c2e144d1b65851802c17c754cff9a811996be6493bd052aa8e", + "sha256": "79ae7e59e1d03bbcfec778070f91b178ec05f43c08636a10bbffb05ee2bca01a", "type": "eql", - "version": 206 + "version": 207 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953", + "sha256": "84f537c4a2c1c856bfe6d666e3571345b696959542bcca59883abd23143ece1e", "type": "eql", - "version": 9 + "version": 10 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.14", 
@@ -7380,46 +7421,46 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487", + "sha256": "d62e2b76d88602e0cdbf18894a79c5eb6e97d94b79daf465cf55f42a2afa7bb4", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "2b7e8fa40dba01ec3ca76881d26777d3de3ace0c62af4427698b3bd594bd7195", + "sha256": "31b16b50f6ddada62eb767b0e6eb1ff02c6a155e2618729dbc807defff6abe0a", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "d72d3f14698c4424226b130a2b715c698d3064d3c24a739a0927e48acb0f6aa8", + "sha256": "82829ceebd92fbe5abb27cc5e4f5139731a0b337c7f1a8e09ed51ba9d883cc63", "type": "eql", - "version": 314 + "version": 315 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", - "sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26", + "sha256": "ade0c6d9a4d9740cdb0024f7c02cc8b73775f63d9be285e4692d87bf29938f72", "type": "query", - "version": 102 + "version": 103 }, "7787362c-90ff-4b1a-b313-8808b1020e64": { "rule_name": "UID Elevation from Previously Unknown Executable", - "sha256": "20a7e5fcb8be7660f1a17f80c4e882a8fc95e82c19a75ad9f1a27620b30bec30", + "sha256": "4c034f3a9c42c12be6b1a00041754822d517d75f23ddab914c20222cab8ebc8b", "type": "new_terms", - "version": 4 + "version": 5 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d", + "sha256": "11fdb1469f92140db4557f4b11369477cd9bf511578238a7b6db0f4a8535243f", "type": "query", - "version": 104 + "version": 105 }, "781f8746-2180-4691-890c-4c96d11ca91d": { "rule_name": "Potential Network Sweep Detected", - "sha256": 
"9121a1422f15efedecd947633f481a8974363778374dfdb1bdcce1b188167fbe", + "sha256": "2cd6f77377a3d577ab8065dba895a7e2180b5a2c9e63cf70c3c343a2e869befb", "type": "threshold", - "version": 8 + "version": 9 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { "min_stack_version": "8.13", @@ -7427,15 +7468,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "23a40162c5772a1d921549e7d5a4282e9d4641cc2e228e211d0b185242db9e4a", + "sha256": "edc1dcf2de6b0222d78f62e7eac490f5069a3917f49022d78a3b84b59739ac14", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "af6cc4cbc5fc5b1750d6673473cc5143ed51bc71ded94a44bef658cd72bc3c90", + "sha256": "18285a5b5c95fc7dda5307e71045134c595f4fc27ce61967134e85c88eb12f35", "type": "eql", - "version": 102 + "version": 103 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", @@ -7461,22 +7502,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446", + "sha256": "0005a9a8a6ef5e1175a1455632c00ea760e3a9af4094ad1ac870f68df926d254", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 304, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "bcbc70fad2d9c71913c432c46861cb8ff153465af7f9f11ab464014680f13996", + "sha256": "3ce0e176a839d12ad331e3842627d3025bbd3ab4ab14d6bd3cc4b7647b783d93", "type": "eql", - "version": 206 + "version": 207 } }, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "b4eea876e31435d0c73ac8768c4954d50f6d10e4862c73652ad1fa9d0faa4464", + "sha256": "d898e75beef6831e445cc1fc945041edc9b598e291f5ad76dc7bbe7b040eb79c", "type": "eql", - "version": 307 + "version": 308 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", 
@@ -7486,9 +7527,9 @@ }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "bb615c82f76f783f0f58151931932eec4f8b1bab35a8600d646c237df38dcb1f", + "sha256": "74064ff365e610605f23b1e89523fbb13694d5231cd3738b21ab8cf30c6d0e2c", "type": "eql", - "version": 7 + "version": 8 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", @@ -7498,9 +7539,16 @@ }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", - "sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87", + "sha256": "26a1c9c9ec61e57e11380743c01f25a54a74cb7f580dde50a1a6d9d43e4f537e", "type": "query", - "version": 103 + "version": 104 + }, + "79543b00-28a5-4461-81ac-644c4dc4012f": { + "min_stack_version": "8.15", + "rule_name": "Execution of a Downloaded Windows Script", + "sha256": "bd592841bf0b6ad530aa3d406b9a9eab1967356532a3378b75aa5fbb032ce9ea", + "type": "eql", + "version": 1 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { "min_stack_version": "8.13", @@ -7508,15 +7556,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "SSL Certificate Deletion", - "sha256": "89f19de3195f7c7c74cdc64eec4457b9424ec304f8316da04481f0bae74b06ac", + "sha256": "7c7dddf409d27c4336808578a23adad99b63a0ffdc3ca7a3651f429905241271", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "SSL Certificate Deletion", - "sha256": "c081611ae197d81de6a8f032e4e35d9559ed5aa2edde95336b05822f6143e42f", + "sha256": "7e7cc3077f9f831c4c0bf8d8d0cbdb3ab9244f904d9ecc9698a4a1790edb925d", "type": "eql", - "version": 101 + "version": 102 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", 
@@ -7530,22 +7578,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Potential File Transfer via Certreq", - "sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319", + "sha256": "0ab2916bfd0a5de67b88a693cf85292e73b61538b72dbdc008f37e561b662f86", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "Potential File Transfer via Certreq", - "sha256": "c7346c7c1df15029b05df11871734739ec4818f53fd9684c2a583eb85d432fff", + "sha256": "f6cb3500aef0219e60d7a68529a59b0a83d53dc2a4be380f92e62fd0223d44b4", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Potential File Transfer via Certreq", - "sha256": "317afcd5484f4d5ed77732c52136d63141c3af83abc8cc130d698fd7da4ef84c", + "sha256": "e1897e626658e3fe3b447488817112191c5a960deaee23c8b957ef58ee977d91", "type": "eql", - "version": 210 + "version": 211 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.14", @@ -7559,9 +7607,9 @@ } }, "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "fcf721e497f059801651f6332bbdc66878edeac4195692fa7e6e402fbabf0fb1", + "sha256": "391c7298682fb3726536a7f552ccf9f49fd3d8d83acaf1ca3ba74e49aa91590a", "type": "query", - "version": 212 + "version": 213 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", 
@@ -7571,21 +7619,21 @@ }, "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": { "rule_name": "First Occurrence of STS GetFederationToken Request by User", - "sha256": "97ed856d2841e0782bc46e870d33be5ca0ae8b6df0b3ff8f168f828213f57081", + "sha256": "3e8f2ecf0b50b7db1d4294ac9f9a788f8bf8790151183901e7829cca9aea5f20", "type": "new_terms", - "version": 1 + "version": 2 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2", + "sha256": "f59cd7ace12ad2dc5977115a2a36eafbd45b5f549085525dd8a9e4a84885f089", "type": "eql", - "version": 5 + "version": 6 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { "rule_name": "Potential Execution via XZBackdoor", - "sha256": "b0577394863a57fc35c75a1748f35f6df69d1e0ae476ef4230fbdcd28d3dc564", + "sha256": "5757f1a3f917b887d146a792807c7a05c1495134c028e8a489a70611899aa636", "type": "eql", - "version": 4 + "version": 5 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", @@ -7595,9 +7643,9 @@ }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", + "sha256": "1ba40cb9f4c5c384f4d6b52a76eab02c45e14d33eb930cccf3fb1c329c7455f2", "type": "query", - "version": 206 + "version": 207 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.14", 
@@ -7621,15 +7669,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "SELinux Configuration Creation or Renaming", - "sha256": "a858e1300af56137b5117d927e962a8daec649ea7ab5b36f42d2b8c21c72fb40", + "sha256": "7b361ea07b92064cb854e35573c5988af529ce6fb75a264cdd27ff53b0963e28", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "SELinux Configuration Creation or Renaming", - "sha256": "fb599d47e089dce25c3906b8a4fb854daf47b44c10decf2c631dea195e9ff4dc", + "sha256": "5760c0ff5525a18ed54b21f9e5b8b7b19658ed8831398454d1df210be1bbe591", "type": "eql", - "version": 101 + "version": 102 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.14", 
@@ -7637,27 +7685,27 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", + "sha256": "9abb27e289a572393ecc8c26044e5a71196cc1d77d152f84fbee7138251de7de", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "0bcdd2692369252815bb0b5c45cdfcebaea56683de999dfad868be1f725d9ddd", + "sha256": "bb2e07eec501f5e296c694526b219607dca9e18bad1a4d862fd1cab9bac5fe08", "type": "eql", - "version": 308 + "version": 309 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Shell Command-Line History", - "sha256": "b29563e9adeb94b3d771f3e0f0316518415fb4312e33347e187c39ba28647529", + "sha256": "886f6f210debfa8b2263107d6bb45787db17443c3f09f62bb792e44159dfdcd0", "type": "eql", - "version": 107 + "version": 108 }, "7c2e1297-7664-42bc-af11-6d5d35220b6b": { "rule_name": "APT Package Manager Configuration File Creation", - "sha256": "c15e188ea1ce6f3177c41bfe4cb9a692bfcdc3416f1af28263ebc1a14ca9404a", + "sha256": "5640fd704ed05c227cd8de85371a84f00b0f3086b3a976bd99359b15b0b4d4ea", "type": "eql", - "version": 4 + "version": 5 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", 
@@ -7671,27 +7719,27 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Git Hook Child Process", - "sha256": "78176482702f10120da2da5c9a3fe712cccd4145cf69ed8b5c4276ecdcd6c052", + "sha256": "cbfd0389fa0ca95a4de245b02e374ee3f3a3981798ed207f5f5ceff7808d654b", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Git Hook Child Process", - "sha256": "bdd3376f6872ff5b5e3f17abeea43a6619585b2c7100c4a5626889edbabbc1a5", + "sha256": "3aeeab0a9f9e1baa8c36a0d3aca397ac0be75278ca1a51b60022819bf9ea8cde", "type": "eql", - "version": 102 + "version": 103 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", - "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", + "sha256": "30dc79af79c7ffd88c47ce8902032f7d4088dcc82f73f4da0070e14257270520", "type": "query", - "version": 104 + "version": 105 }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { "rule_name": "AWS Lambda Layer Added to Existing Function", - "sha256": "2b5beb7d7435862fd58aef36fbe1c663e0c9dd064e09b122cce712360569c1da", + "sha256": "1382999f7d36996f9608126c6608707d9d695dcd3298755443448a1d81c27ead", "type": "query", - "version": 2 + "version": 3 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", 
@@ -7705,21 +7753,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "SSH Key Generated via ssh-keygen", - "sha256": "02a3fbd847f6e988ae119d30af0b3b2c0c31611ed3b77372aa9eb99e8c5bb9cc", + "sha256": "7841db675589b43a0132206eb7b239ca46f3ac97ad9193dcf04937159707d691", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "SSH Key Generated via ssh-keygen", - "sha256": "34dce1cb53174696ef9ea5a28676eccf92ecb0de0dc7a010aeaecf9c02a2b2c2", + "sha256": "5a08a86502f4db05eca4b25e854f8f9be1f852325a962075dea70815aacf6764", "type": "eql", - "version": 103 + "version": 104 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", - "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", + "sha256": "f0d040485bd01c51e2c8f158dd600fb222395c139e0268bbbcfde6b0c4be3bc0", "type": "eql", - "version": 2 + "version": 3 }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "min_stack_version": "8.14", 
@@ -7727,22 +7775,29 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", + "sha256": "f4f3005ebf031857782967a3872088cf11afc078151a683045d3bf756aa415c0", "type": "eql", - "version": 4 + "version": 5 }, "8.13": { "max_allowable_version": 304, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "66858a324d0462bd232554434241130f2856843cf22ef73c579c09e3f6e39043", + "sha256": "da4714c9dcfb5d07b5b39b1939ecbfc5b46b7da8d7d77a91c9093ee2ee6e18e1", "type": "eql", - "version": 206 + "version": 207 } }, "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "332111db4905fbf977cb9ea156d2aa394347669370073cd3430efc581d4c41eb", + "sha256": "647288a0f887d8f1f0552ecfef80652333f04873e5f925195d218507a369b28e", "type": "eql", - "version": 307 + "version": 308 + }, + "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { + "min_stack_version": "8.14", + "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", + "sha256": "e03b56ad3cc6e1d81845996b6bf137225573011b20ba352bde3cfbb18e4479f6", + "type": "eql", + "version": 1 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "min_stack_version": "8.13", @@ -7750,15 +7805,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Security File Access via Common Utilities", - "sha256": "35fc8b548fcc1523cdea4fa29865704d65b15be3c7601e2a1f778dae2d006575", + "sha256": "46ed777838914f516739b0d329e16d62457fc60aedd877440c7cc4022d7ed059", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Security File Access via Common Utilities", - "sha256": "977a2e7491fde0d4fa3a5f2c80a9e93d7c2e5e0aed313fa99a0ec8328bb8b405", + "sha256": "3b40fd7e087f2c301a1f5742e48c632df6fe05921c88d4cdcaf67053bcc5975e", "type": "eql", - "version": 101 + "version": 102 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.14", 
@@ -7766,15 +7821,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", + "sha256": "1fcee1562ccb772f6a7729303e250ead257201a219aa8ffee182b66f784076d3", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "95ee9038faef018973ee81cb960175831ba7c20826685ba790ba0f6926232d5d", + "sha256": "a12e4767a30ca28c3ddc986cf3c77848cd65ddfce15fd96b7577dab2afff5122", "type": "eql", - "version": 209 + "version": 210 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "rule_name": "Discovery of Internet Capabilities via Built-in Tools", @@ -7784,16 +7839,16 @@ }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", - "sha256": "1e46fd812061270a2231dca8ec5a7ffbddd0a53997cfb62e0d457cac8e0a45d5", + "sha256": "d28a5fbf12cd038860603dad3a3f927b893dc2a624963063025cbec73932a4e9", "type": "eql", - "version": 15 + "version": 16 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "min_stack_version": "8.13", "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", - "sha256": "3e4f1413412bd00822190208d7e8be98fe32aa44ccde5044c2aa42fb5a0be8ff", + "sha256": "c074c4066439731cdb1ca074f41712d8139ba7383e854e9990c3f5fef99a6a9e", "type": "esql", - "version": 3 + "version": 4 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", 
@@ -7813,21 +7868,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5", + "sha256": "1106414c1ef42b911e2c96ae0a545a86614b9a568aa9742419c22b0a71a0e879", "type": "query", - "version": 3 + "version": 4 } }, "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "b0bfa7d73d6ccd6142283e63031f550eb9abbf5a4becfb93c6e5c1340752f2e1", + "sha256": "f81754824afd09978cc7c486a795db468b2056bf7fad5883848582f85a47c031", "type": "query", - "version": 104 + "version": 105 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "SSM Session Started to EC2 Instance", - "sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc", + "sha256": "d0cfe0f7d2abfcd56dc76d693aba0e8ff89281385360ae75a90446721d5e85c3", "type": "new_terms", - "version": 1 + "version": 2 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "min_stack_version": "8.14", @@ -7853,15 +7908,15 @@ }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be", + "sha256": "e29105d1b78b1286a5636c653ea518672e193131ac622f0f3ee2de7f1d5e5528", "type": "query", - "version": 103 + "version": 104 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { "rule_name": "Unusual Remote File Extension", - "sha256": "d33a4fa7f5db48036701cd4df4e4586b2218d47f930a796097379a4757023e30", + "sha256": "f79f2ede08c18655e62fd70d2fdd42a914f43a74abd5019f7356324fbcd96f92", "type": "machine_learning", - "version": 4 + "version": 5 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.14", 
@@ -7898,15 +7953,15 @@ "8.12": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5", + "sha256": "efc3d78e44e73f61be6817f00d4df5af584ce5e02e96ca5fb45a45d84d771116", "type": "query", - "version": 112 + "version": 113 } }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "320a555df4db198a83d99c9c148c34b4bea3d27beec4d6824ea25b077dfdd561", + "sha256": "446a5437935aff86d9b2c78df79189e0201a991a36436313898a59f7706245e6", "type": "query", - "version": 314 + "version": 315 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.14", 
@@ -7914,46 +7969,46 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78", + "sha256": "6bf952805cab991d5963490e557576ee982dbb3d351e9a2b4b2a18092b5980c4", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "b1820c87c951dea5911f8205052ea225bd0591292ca0283895f1242d165ff6c6", + "sha256": "e4459ed8785c0a590bfca408bc7e0bf79a7101cffb3c56690bac0f7cebb948fd", "type": "eql", - "version": 108 + "version": 109 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a", + "sha256": "663d1f8ba0fee571a5dcfb323c0f2b66e1b356104fda2cb7d213cd33a51c6f65", "type": "eql", - "version": 207 + "version": 208 }, "82f842c2-7c36-438c-b562-5afe54ab11f4": { "rule_name": "Suspicious Path Invocation from Command Line", - "sha256": "ea85fe009c0baa447a0bfb2014f8b45d2f3ad35fb65a92097ef9e74c24bc5c78", + "sha256": "c728415c613b2f36c5c323bb7c97a17891786e1986c6e4c9ea1b69e3d1500099", "type": "new_terms", - "version": 1 + "version": 2 }, "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": { "min_stack_version": "8.13", "rule_name": "Manual Dracut Execution", - "sha256": "293ca3a55dbbb8dfb51898fd8a165e50c1da1faf40482950e3af6498314478f7", + "sha256": "7aacc11b5e41f9a6ee5bb11cc2825d1361cd44bcf69a8fb3d6599be1e9e65c8f", "type": "eql", - "version": 1 + "version": 2 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "135901066ac707836fa9dc5d72517b43f80c3f43f8afdbcd0793ccd7e271f79b", + "sha256": "ed8904ed52554b72e3d4db4b4954ce47beef9e99a0ce76a3106d1cf6c0e89123", "type": "eql", - "version": 7 + "version": 8 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": 
"8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9", + "sha256": "b04ed2cc0d2afeab9a1e5ce21f7ffe90acbd75940c93166660e2d41abaa39070", "type": "query", - "version": 102 + "version": 103 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { "rule_name": "Linux Restricted Shell Breakout via the mysql command", @@ -7967,22 +8022,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff", + "sha256": "81ca7480b1ca8ad4fd6c7cdddfb2622e9b14641cb9b0b612e22d6bca9e329179", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "13d53b19535acefeb9018df99a3327de628c8cefdf886e9453b33d0f128fb058", + "sha256": "13fd6f48996c900fb7a162c04e7b0e7ea52bd9bb0cf837a4edfb19ebb6c3e8c4", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "13d45d27cdabc4d4143ebc5cccab8fff6f0a87c28bdb2f258d0dab66423371d2", + "sha256": "8f162f40f9630207e21d4ce6a4025ddefcdfc01ac59158bc49c0ef854c20450c", "type": "eql", - "version": 202 + "version": 203 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "min_stack_version": "8.13", 
@@ -7990,21 +8045,21 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "24507f9fc5eac786e69d16e7a9759e5502f06ae39ca2b0c3baee080c29aed691", + "sha256": "6662212297b3975808144113e634d7165b30280989ae8729d7cd570603f52193", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "883808e835acb845d8ff5cbd80647149a7076f8dea14f01e0b45b5927f744cc2", + "sha256": "6ffa831c31c4b214a52ff08f056a860da877e2c2a926988622839bc3111d7185", "type": "eql", - "version": 109 + "version": 110 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", - "sha256": "7527cb6d613f3cbebb763fc8b4da705569785eb0d5f20552483a9ac4e03c34e9", + "sha256": "01513b5293f4ae3276aacd57b67b38b4957f57cb9447cfc9e4f4e580411b6677", "type": "new_terms", - "version": 3 + "version": 4 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.14", @@ -8024,9 +8079,9 @@ }, "84755a05-78c8-4430-8681-89cd6c857d71": { "rule_name": "At Job Created or Modified", - "sha256": "a987f893268d128252316712332f0deeb89dbfad27ee9595059745bcfc9cfb1e", + "sha256": "b00d2ec654af8f1f110f648f4094160b9ef9e812d8eb7980b94e0879c40ad211", "type": "eql", - "version": 2 + "version": 3 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "min_stack_version": "8.13", 
@@ -8034,15 +8089,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", + "sha256": "5add5265cea65ff564e6f374b8d963ea6af326fbed8d8d0b3ad11829c55033e6", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "5164b099f1ea1a21b7b6e07b5f4d72e0e2d15a8ec2d03744d57b3590e96b6d0c", + "sha256": "151e0853d12af096c8290858df71ee81fd2ed9a318fca88206295da8a3cb6646", "type": "eql", - "version": 103 + "version": 104 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.14", 
@@ -8074,28 +8129,28 @@ }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", + "sha256": "8c5a7758239101b15cc23eb4fb35a783f8e692ad99783c3801a074cdcd98e637", "type": "query", - "version": 206 + "version": 207 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "AWS RDS Security Group Deletion", - "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", + "sha256": "03916533d138f82d6ba43073f971d26e8c8fc154a5722bfb56b1bec42cb8f26f", "type": "query", - "version": 206 + "version": 207 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", - "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", + "sha256": "aee9d293bce7b42db112f783b52ca95f4c163851cb39f56542873a0caeb9f9af", "type": "query", - "version": 206 + "version": 207 }, "86aa8579-1526-4dff-97cd-3635eb0e0545": { "min_stack_version": "8.13", "rule_name": "NetworkManager Dispatcher Script Creation", - "sha256": "cb638e8f75b4b1f3fec56d06aa0146d0f3870081db365cff4e0d2244b03f423a", + "sha256": "183f75eab447dce4523d4f25e514acf26cfbdf05b137fd5a3fd9eb1b968d86ee", "type": "eql", - "version": 1 + "version": 2 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "rule_name": "Potential Linux Reverse Connection through Port Knocking", 
@@ -8127,15 +8182,15 @@ }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", - "sha256": "3d33ca4d8cc8f50f00c2a6b7388013c9b1484a65207ad7bdc9dd221460387ad9", + "sha256": "d1b4160bab5ee676bf3eab50efcb4bff6b9ca03017813d404ac83b5d429c6e77", "type": "query", - "version": 2 + "version": 3 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", + "sha256": "5cb776ec175c443858372adf34644ecc3edc4f4123ab3f91796ab08fa8d0d162", "type": "query", - "version": 206 + "version": 207 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", 
@@ -8145,27 +8200,27 @@ }, "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { "rule_name": "Linux Clipboard Activity Detected", - "sha256": "948181ba2921e5e5ff2e950f272a9fa9cb5797927da206fc67100db0641746f3", + "sha256": "ca936e7322accdce60e6973d70b3e164506cb6fb04d87bbe28ee8f64c9eecff5", "type": "new_terms", - "version": 5 + "version": 6 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", + "sha256": "23ada8e36279e7e1d4e063b07f108194166709b11de778959bc24e7eff2a55c4", "type": "query", - "version": 206 + "version": 207 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "c982030d976d5caa598abb973577eca20c6a5f49e0f0b746d31b814e3aada81e", + "sha256": "99a91041952f318c45cf4a8f2aa5ea27a2b4d57079dd6844d7ccdb85e88c708f", "type": "eql", - "version": 108 + "version": 109 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "rule_name": "Potential Sudo Hijacking", - "sha256": "48ef2dcad2d1f95fb5e7cd7f890d36ba444b2c045b00f18db67a56565a8fb776", + "sha256": "67beebb88fd866d0c58a2785de107b2bf8f925d18bbbdd790906734f21a39f7b", "type": "eql", - "version": 107 + "version": 108 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.14", 
@@ -8173,15 +8228,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", + "sha256": "8809aba8865764ab7fa1c657c37778c6657378dc4f2cfb4c6127be5e794149ed", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "23ea84a839f5ac5677f5dcd1bd511e1a590fb3a73e3bf7922f0ac80814489841", + "sha256": "53a213d8996a7876b24f56a45cbd4b7f95f660de24ee6058b95deef9899d84c9", "type": "eql", - "version": 208 + "version": 209 }, "894326d2-56c0-4342-b553-4abfaf421b5b": { "min_stack_version": "8.14", @@ -8189,15 +8244,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed", + "sha256": "9bd93a579ae1a7bbd18dedf1ae6dad6e63793a9512980fd85c8ae941687b452d", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "f41675c0e6c71d8ffce61638873343c099dd76784a16afca7fc2bf6896b4ea63", + "sha256": "81c8f8ed0970f15203496f9c2987f89c5c57a24edfbffac2587aeb52629ec0ce", "type": "eql", - "version": 103 + "version": 104 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -8211,15 +8266,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", + "sha256": "7120f5e967222b6743edb0bc495b3453b4d26dc1f63088bff68607f6220e8b59", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "ca38aa28a331bbae9391539b45d46648d9465bbf8261f1320789c780faf60c37", + "sha256": "14dc4752088817761b090bd9e818c960db21258c4ce1aff3ce6e86dbe199d127", "type": "eql", - "version": 210 + "version": 211 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.14", @@ -8227,27 +8282,27 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Command Prompt Network Connection", - "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", + "sha256": "95c1cb5499a597411e4e3b7103680f9d8fb49cf5fc8cb6f354b9483142545adc", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Command Prompt Network Connection", - "sha256": "20e49f8b0cc9cd52d6a4e8878d070cae67b09b9f66c1d604d4d844a1a31a48c1", + "sha256": "f36e46aabd03a9e82d6e55f6c98dcd0a0f0ae620cd00b0ba0f21e7518a759e2d", "type": "eql", - "version": 208 + "version": 209 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b", + "sha256": "4eeb21145663f19873a7b259f2aedd9a858885571f911ca166304d52bf4a49d0", "type": "query", - "version": 106 + "version": 107 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "rule_name": "Suspicious Symbolic Link Created", - "sha256": "e6768a2a66d26ab7605de86680ec11417c10c845603ad67d0b5768837751b40f", + "sha256": "222d4530ad568937c4a1e40fefcfd3cc4761ff0cbf227edae0193e631274505e", "type": "eql", - "version": 6 + "version": 7 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -8255,22 +8310,22 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a", "type": "eql", - "version": 6 + "version": 7 }, "8.14": { "max_allowable_version": 206, "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d", + "sha256": "d84240158ef05b04877fc81e2d2f50edb882cd77a53b137f7598c54e84ca5879", "type": "eql", - "version": 207 + "version": 208 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "min_stack_version": "8.13", @@ -8290,9 +8345,9 @@ }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", - "sha256": "3709b15d60903268e4e30eba20dc1d89c099e0aa71b45dcff996484296a8c994", + "sha256": "79396b5a9e555f97305570bb4e88f328ca55471768c325f8cbfdec62e20c30e5", "type": "eql", - "version": 105 + "version": 106 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.14", 
@@ -8300,15 +8355,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", + "sha256": "cd861b1c03ef17e10978c9c1e342be58e0362cd9eef31c85cb7b40568cf5fa52", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "2b1670c842dd4482f2d66f4b20ad288dba295639673efae366e467a0b4347eac", + "sha256": "ddcebc2310acf9c6471b9345d63edcd418123b3e163cca09175bc75defd47755", "type": "eql", - "version": 208 + "version": 209 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.15", @@ -8316,22 +8371,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", + "sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", + "sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3", + "sha256": "47bcd8271a1bc8780152afe19fa834ab97946e9cba47bcb65d819e92b6625fba", "type": "query", - "version": 410 + "version": 411 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -8345,15 +8400,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", + "sha256": "2753a4670d4217cc050e838bf5a7f4843db23df0caa83fc1017d346297e4922f", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "9a0a3365ed112536df8300b00672c2dd8ef6fac49e7deadb783f732a60a102ee", + "sha256": "61b0dd506782ed3d2c0be8ec13e04db7aa0b88f80d4e4900bec06089bba27de4", "type": "eql", - "version": 104 + "version": 105 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.14", @@ -8361,22 +8416,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0", + "sha256": "79486f56c33d6afd1cec4fbf8dc404d0f0e9fc38b19572051d537f800d601ed5", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "a5ba27def82c8a23b306fc36f9fc4d034de167102926baab02506d958ae44b71", + "sha256": "8706ffd6a46a7cdbd2b6400c609ec39bf1f1bf833ecccf2d71a38a9316b96ccd", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "bb22de8a34a7d93efe239f27bf92b15ba453c32860882728ed8eba1e57eba71d", + "sha256": "c15790a8f71b15dd684b959f65fa22034a2fafcf821c26c0a2771f727b0c088d", "type": "eql", - "version": 309 + "version": 310 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.14", 
@@ -8403,15 +8458,15 @@ }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9", + "sha256": "38bdbda8e1ba1c0aff2f02b3f46c2fc694a92e6a4dfc7244cc948c3e38dfc8ef", "type": "query", - "version": 102 + "version": 103 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "6659d5d4a4edaff5a8ca68cbfaf2a04c0158a37d500c6e10acc18c930935370f", + "sha256": "084b9ec33eedc1699c7dd2f8b5c81771300c6f944ca3fe5c5cfb7039b474cf43", "type": "query", - "version": 104 + "version": 105 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.14", 
@@ -8438,27 +8493,27 @@ }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", - "sha256": "187f18c4d04b8449ae3e946d3e2dfe18c3a5cd4a22ac2f5a20319294fef4e588", + "sha256": "dd976a4b62d0afc39c2d7af53056e456bfe88f3261cde76fa6df84e4948cafd0", "type": "eql", - "version": 108 + "version": 109 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2", + "sha256": "cf387e78a1d52b36974bd4933ef7d56730af702385f9a128c2d39cdbfe1334e7", "type": "query", - "version": 103 + "version": 104 }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", + "sha256": "fb77d08bdc9f8ec6a12b4b74458cdc27ffcecee0c8497e4268cd82cc72685eef", "type": "eql", - "version": 11 + "version": 12 }, "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { "rule_name": "RPM Package Installed by Unusual Parent Process", - "sha256": "9868139ca7255c94edd8b10c7750af9f9be3e501bb386dce4f46e240eca21bc2", + "sha256": "528868f65a9cb81c8c4c131dd0d3f9550a95750bf358c31cf275b4585365bead", "type": "new_terms", - "version": 2 + "version": 3 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", @@ -8468,9 +8523,9 @@ }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", - "sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e", + "sha256": "bee7fd95d7e5e74fcf59ac4cc197777031c190f90b069ddcbe97bbb18762e92c", "type": "eql", - "version": 2 + "version": 3 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "min_stack_version": "8.13", 
@@ -8478,21 +8533,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", + "sha256": "b3457a5fe20b9065c1d9ebd5a8629e04c5ec7633c1976306c1002925a7819bac", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "925c7e7ba202c46a58ef9ddf0845eb693f850d8f085c9c701af731a73d7dca0b", + "sha256": "bffefdf6a83bf3a802805b5c6129038b3804ed28da89fb014230a8483be07d8a", "type": "eql", - "version": 208 + "version": 209 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", - "sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c", + "sha256": "b8c3f70d8170292a5f9e3cacb2cee9106f06c4c8f11a83ade3fec287cbf5aa0d", "type": "query", - "version": 102 + "version": 103 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "min_stack_version": "8.14", 
@@ -8500,22 +8555,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3", + "sha256": "0271ec3b7dbac27363d1768f6fb6633b1ab0c6eaf0382a21336ca11b2cc1f0b1", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 203, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "3e2c0816b6054ee90afac447a89f0dbd2c8657badf12aedab3b4c1f371c1d799", + "sha256": "1cef3e85f9ce38dcb49c69b0cde38dc80d5d7fe5c048432052116587f371866d", "type": "eql", - "version": 104 + "version": 105 } }, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "6f20b8e3e7b5786f7b0cc4ec248f9c11431df6e0ee30decc8a98078423a583cf", + "sha256": "3827103da350a27cb215e645399cf8761a45bbe50c525c2876fa8bcad9570533", "type": "eql", - "version": 205 + "version": 206 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", 
@@ -8545,21 +8600,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7", + "sha256": "d9d7ef5d8a35b0d509f6c52f7e95a8741f5ffc80c671295bcb5b24651ae9e8b4", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "53543595176dfe8267e4ad2d5a70fdf91eaa2919aa81daf806a9d56daf0fd67a", + "sha256": "4a2ba32e4ade2dda214d50545bdffa1d1d97099b107e173b18969c0cc6b4fc31", "type": "eql", - "version": 103 + "version": 104 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "2593df86374cf3250f718b43d01f4e492da7574bdf8bc54867aad7fc465a8f60", + "sha256": "d66c39f3899393daf54a7c7c7bda79a52b0733a1e71b07e84a34707b1f8806bb", "type": "eql", - "version": 108 + "version": 109 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.14", 
@@ -8567,21 +8622,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", + "sha256": "fcce93128b54c854991bf62a7016a112b1eae5e6fa8d95fc7f0ce183c1695e49", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "8e6310e520c4ac17999de81799f5ab21b14bad01162d9cc5aa9bd5a8acd914c8", + "sha256": "c4aa90522a7d5aa3b88d0036b85d17990ea683e84e7567bc8c9393ae0bc21e42", "type": "eql", - "version": 207 + "version": 208 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", - "sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb", + "sha256": "2f1fff6789d5ceaa58f36f5b239347b6b2b5b222f513b7cc186e20a943add449", "type": "query", - "version": 104 + "version": 105 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", 
@@ -8595,21 +8650,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Hping Process Activity", - "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", + "sha256": "58160571062e081d702d11bf00b07b9ca2dc75b7463e22d6eb58eb8c00ac7ae2", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Hping Process Activity", - "sha256": "ecea8fb1997a8b5e997b809e522afb4a39b60365f534b0cc14be6897d0df2907", + "sha256": "a60128d77de2c0eca6003d227982fc4c5c80c8c95e0da69ba91713797060a25d", "type": "eql", - "version": 208 + "version": 209 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", + "sha256": "ca9ec7ec6260dfb4afd6121acdc3f0f01cf82233de4bd473e0a4832ea5cca846", "type": "query", - "version": 206 + "version": 207 }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { "min_stack_version": "8.13", @@ -8617,21 +8672,21 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Simple HTTP Web Server Creation", - "sha256": "616c2c8d1ae0e869534ba6f3f7f497bdd72792f46de42e6c51d6bebcf3eebd99", + "sha256": "4717868c8d8d29e5d6f9a575a34fa4d179d67b8a82e17f838845ba5c125ee114", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Simple HTTP Web Server Creation", - "sha256": "a8ecdc54a3793f8b6800533929726fab9b3f467cd74293c788c45f4706fcf60a", + "sha256": "df11460970a3eeb111f933ea0c48401c916e8f2f9ba35b1c8595a215b624242d", "type": "eql", - "version": 101 + "version": 102 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", + "sha256": "e2adf962cb1b1cfaa01850f2abc72f2b56fb3c131551c98f605640ab10025952", "type": "eql", - "version": 108 + "version": 109 }, "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", 
@@ -8669,33 +8724,33 @@ }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", + "sha256": "139452a8b12f147a4c17f5b13922c44d88f841f111f7b4b06d4aebfd151c7061", "type": "query", - "version": 104 + "version": 105 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", + "sha256": "eadf846c26261704cc3fd68f5b83bf44f04f3b41d1c3b6392df97969cd66a749", "type": "query", - "version": 206 + "version": 207 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", - "sha256": "2acbdd0a26677cad2bb141876358cb764775e21d0e209f84d883f66ed4cc509c", + "sha256": "c52af5241e23b6ee752b9dc026a28a1aec7357c7f102ee305ad6447d3ea619b4", "type": "machine_learning", - "version": 104 + "version": 105 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "rule_name": "Unusual Web Request", - "sha256": "974cc349d144864b4b2c7bf8228f2ef15c5942087c8d3b0c220d50909b0b8f71", + "sha256": "594a91f74bae3a825e91e973e29f5c443e2bdedb09b4e759c751c5a25aa63b43", "type": "machine_learning", - "version": 104 + "version": 105 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "rule_name": "DNS Tunneling", - "sha256": "97758f8c16d53ae0d9fd710f22e21664a5e7ac786569e132352b563c0fec69cb", + "sha256": "1460c1764afdd458a0891c83634804634714ece5f9e22aac3ad9c6bb91cd4351", "type": "machine_learning", - "version": 104 + "version": 105 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "min_stack_version": "8.13", 
@@ -8703,15 +8758,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", - "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", + "sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb", "type": "threshold", - "version": 1 + "version": 2 } }, "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", - "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", + "sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb", "type": "threshold", - "version": 101 + "version": 102 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.14", @@ -8735,15 +8790,15 @@ "8.12": { "max_allowable_version": 108, "rule_name": "A scheduled task was created", - "sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052", + "sha256": "d6747d1290f1796ed4e4f87144b3b8399615d65f1fc3916ffb33b2060b900a5b", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "A scheduled task was created", - "sha256": "e5b5be0c7d172af228b2b4d7673159c5732796739b2ca948c4486b38d6b867ac", + "sha256": "38d6ea55b4bc9a334bcda8a6cf1640203f0bb3b12a67a82301f1af5765c75412", "type": "eql", - "version": 109 + "version": 110 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { "min_stack_version": "8.14", 
@@ -8751,27 +8806,27 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e", + "sha256": "fa28cefe9751d4a0325f5ebbe3ea32294ce408c668b871efac8d0eb508456468", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "7ac59a9ca2f1b45c91bacb9ec313fd3e400a28a06751a9175f3262892e0f96fa", + "sha256": "1e99903005310727ca5c0bc4cc21adb68f7c312b54bc690ac668324fec1d34fd", "type": "eql", - "version": 104 + "version": 105 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", - "sha256": "098648b0ec9a99626b4b9cacd20f79f9028f13d93cda5ddb8c02d9394c758353", + "sha256": "dcc381b0ea011aaffc99fa2552210fb9bd8cfae3fcd9a246033831836d4f5f3b", "type": "new_terms", - "version": 209 + "version": 210 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", - "sha256": "750c2d617d020e994dadb92ce3e0b585d16bbdc097fb24a656bb3e2f95ccae14", + "sha256": "c31135dc17960a856d35663ed054d09eab76047d10a86f30f4cf5b8ec1a7abe0", "type": "new_terms", - "version": 205 + "version": 206 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS VPC Flow Logs Deletion", @@ -8785,15 +8840,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", + "sha256": "2ff5b58315d4aee44cd2bcec8d5026cc4e7770e3bb4d906ca2489e2385babf3f", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "7363bf0ec1ba1d14c0e88b63d2dd0597d01dc13ab80fcd01d0ca58e10e232b4e", + "sha256": "55c655f3c81ec5fc6d674e2429a40bd0ea00235f4ce1935765a26941a143cde9", "type": "eql", - "version": 210 + "version": 211 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.14", 
@@ -8801,22 +8856,22 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4", + "sha256": "de92e4d989f9d5610e757c673fbdc4c456231b4ef81e7f4504698b6c264f9962", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 410, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "b5558abe7fd77b3214d07c369401260d1c211b91845eb37e5f92266ebf92ef54", + "sha256": "d85365573dabbdc204f56fef122dd591e689ffd34004f20d74d2c47e2aa4ec5b", "type": "eql", - "version": 311 + "version": 312 } }, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "af45080cf231cdc384e6d85e2ccc178fd5b9cc69c739e04396373babe9b31ae5", + "sha256": "35de6ffd8fbe84e6ab25ad60ed8b87c3a2cc1e96bff7daa9699c9e6123acbcc9", "type": "eql", - "version": 411 + "version": 412 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", @@ -8826,9 +8881,9 @@ }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", + "sha256": "2915057dbeddaff7f8345d24e40dd53ec41319b7192a27d93e593ef5eee6a45c", "type": "new_terms", - "version": 204 + "version": 205 }, "94418745-529f-4259-8d25-a713a6feb6ae": { "min_stack_version": "8.13", 
@@ -8836,15 +8891,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "74aed1e2b14f06f985dcdda41a9373194206e0d5b6136dc5af2c15f72a430fc0", + "sha256": "16145a1b22661ff2e88c9e1ba07836862628630beefcda649d52f876480530d4", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "bc41244d94cc85db15513c451863fe2ca0b0a9340c5b8686813eee0609b3917e", + "sha256": "b5f2d2b732ed56124dc1f618c8aaa4a1b035b3af81246aca47b16d675c5888f0", "type": "eql", - "version": 104 + "version": 105 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Creation of Kernel Module", @@ -8858,22 +8913,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1", + "sha256": "4fa63aacb71764801fa191bd2326696f937bd85aa84baa0883b51ec2b967b3b8", "type": "eql", - "version": 10 + "version": 11 }, "8.13": { "max_allowable_version": 208, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "5d504991acb458ceeb163edfc30f03c2b639725ce90470439bd1854d0c508ea5", + "sha256": "1d785de785b00340684b4e0f441211c357cf2ee299f22b28f3bb5e2a3bdf1784", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "5ac9902c4013c4a43232005924bbd2e3ea5837f3b1fb46536414e31a990e9dfb", + "sha256": "10a993dd4620cab6a35f2dfbdfb89ca009ba18a7c60e6e10c93bc8954cacb6bd", "type": "eql", - "version": 210 + "version": 211 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "min_stack_version": "8.15", 
@@ -8881,22 +8936,22 @@ "8.13": { "max_allowable_version": 102, "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", - "version": 3 + "version": 4 }, "8.14": { "max_allowable_version": 202, "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", - "version": 103 + "version": 104 } }, "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", - "version": 203 + "version": 204 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", 
@@ -8910,22 +8965,22 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897", + "sha256": "30e9709aa596d9469d905ec6593683478b4eeb9a2d40edb724b0c2e5f1ba6bd2", "type": "query", - "version": 4 + "version": 5 } }, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "6ec2f6a7128677f6221950458047a3b8e1280a63bea437a60b9c6da72c55d746", + "sha256": "d44b1b9ef878285d8dd07da49ecf77844b4892d271d1ebd4ac6631939dd3857e", "type": "query", - "version": 104 + "version": 105 }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { "min_stack_version": "8.13", "rule_name": "D-Bus Service Created", - "sha256": "f153afa77c393c47714f3400013c4ee67412920ecc93b851d389d74b5f049040", + "sha256": "f49342d2753a20175c2dbbc0a575357ee2a7bbc665af3267b73778f6270b6bcc", "type": "eql", - "version": 1 + "version": 2 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.14", 
@@ -8965,34 +9020,34 @@ "8.13": { "max_allowable_version": 102, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", - "version": 3 + "version": 4 }, "8.14": { "max_allowable_version": 202, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", - "version": 103 + "version": 104 } }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", - "version": 203 + "version": 204 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", - "sha256": "85feced66a2d2b2c88a257f2aa26916b9bff95d08871035e142b35191149d8cd", + "sha256": "433032becb5c8020450493b9158692e4e8e93ce81f820b25705231f2942dd2bc", "type": "new_terms", - "version": 1 + "version": 2 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", - "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", + "sha256": "79d1b7004319abbd6311a32bb7e63bdb9edf25beaba2503a2bb7fe596b63048a", "type": "eql", - "version": 2 + "version": 3 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.13", 
@@ -9000,15 +9055,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "File made Immutable by Chattr", - "sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c", + "sha256": "61a885e5fd8caa58db1e46f7ac46a9212cb60f45987a57654e44fccf0044273d", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "File made Immutable by Chattr", - "sha256": "86e3735f45437f53bd1261a8da6628e3dfcb6825b335f3447c39923c2c38690a", + "sha256": "2cccc89db8fd4c8b5997d76d60b9d16e04ad9016804c886fefb7be5155c551e4", "type": "eql", - "version": 212 + "version": 213 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.15", 
@@ -9016,34 +9071,34 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Create Okta API Token", - "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", + "sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Attempt to Create Okta API Token", - "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", + "sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Attempt to Create Okta API Token", - "sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19", + "sha256": "72dc3ad1b6b20812a65c1e7f6cc607abd7f61572f341de9e3914d9355437b4e5", "type": "query", - "version": 409 + "version": 410 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", - "sha256": "dee0fa159010c2aba6be29979a0ca7a24423ce4b2897d3bde2f635ddff3fe6c8", + "sha256": "d242e9b768158e113d5b497903704bcf3417ee47dc9240caed8322566a25a388", "type": "eql", - "version": 12 + "version": 13 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Access to Keychain Credentials Directories", - "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63", + "sha256": "a58b0877159c33e555ae1f66edde525a759a987fcc04a91aabbd2a35aa5cd863", "type": "eql", - "version": 207 + "version": 208 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "min_stack_version": "8.14", 
@@ -9051,46 +9106,46 @@ "8.12": { "max_allowable_version": 107, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c", + "sha256": "61c1a4427e02b605bc3f9c668f45b6c876d901b271b04e6d5ab681b96370ef3c", "type": "eql", - "version": 8 + "version": 9 } }, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "d04ceea45c0ac0f1155e702d8add70dc3c753a765f23720895f180232c65a4a4", + "sha256": "a3103e7a211a1b85248f488f250216ebfa31f23d029f49d87340c7c74ebbf34a", "type": "eql", - "version": 108 + "version": 109 }, "9705b458-689a-4ec6-afe8-b4648d090612": { "min_stack_version": "8.13", "rule_name": "Unusual D-Bus Daemon Child Process", - "sha256": "fbbfbd97ebae57de46748c99eeddc873d89daf60f1b8c8f95b9c1a99420d1285", + "sha256": "047f6e5a12bc33a0db9822bfcc4d9532eb5bb20f261dc8d5d0a6b9d335db1175", "type": "eql", - "version": 1 + "version": 2 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", + "sha256": "996edcf7b84f597c5b917b95706acfa718b8b78ac0fbaaa24a1c9a164374d32b", "type": "query", - "version": 206 + "version": 207 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6", + "sha256": "a68596e0c8c08057fe0d449a485c3024b5c19a131d0f8e73a91070d52b2aa5e3", "type": "query", - "version": 104 + "version": 105 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { "rule_name": "File System Debugger Launched Inside a Privileged Container", - "sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9", + "sha256": "38153858d0ad809d23edde22212b8e76f0e17a2813aeb4b4b8144dd46c1dc699", "type": "eql", - "version": 1 + "version": 2 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider 
Updated", - "sha256": "4ef7bf5e39de2d55f436f611e2de8f1d905d1ea116d8ff8000753ceb8d2663fc", + "sha256": "15acaee88ae03f37d33254f0274ae68eeef32455fc96461fe20aefd88e49b24d", "type": "query", - "version": 207 + "version": 208 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.15", @@ -9098,22 +9153,22 @@ "8.12": { "max_allowable_version": 311, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", + "sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1", "type": "eql", - "version": 212 + "version": 213 }, "8.14": { "max_allowable_version": 412, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", + "sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1", "type": "eql", - "version": 313 + "version": 314 } }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286", + "sha256": "31c83a49dd77cb7c92b81b820392ab0edaff0810927f55cfe52754a54a43a48a", "type": "eql", - "version": 413 + "version": 414 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.14", 
@@ -9121,22 +9176,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious Zoom Child Process", - "sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea", + "sha256": "9de7f3413eaf33a9a4c7ff77a174eab1cc42d1f3c3f4327567efe65ce7c7db7d", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 413, "rule_name": "Suspicious Zoom Child Process", - "sha256": "60e026edebd1c4bcfd0580ec04e257e406ecedb6ace76131d14a9bbcad9535ee", + "sha256": "d2b8083ef96d8b40fa12bfc2f2ef8433f49b06144264a9bb5cf5d805f26f34e3", "type": "eql", - "version": 315 + "version": 316 } }, "rule_name": "Suspicious Zoom Child Process", - "sha256": "3db79975854f188574aa5d5aec5b4fe1e5375be640e0ac15fa02437975ef0d7e", + "sha256": "75a2acd6fec4e5e9aa275a9b8af68eb1de804913337ede2bfbcd0420422bc0ff", "type": "eql", - "version": 416 + "version": 417 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -9146,9 +9201,9 @@ }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39", + "sha256": "4ca383b998699336db64bc99ee8c2a7b52c0fe6e2e57a2a424262b1656f15539", "type": "eql", - "version": 6 + "version": 7 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", 
@@ -9158,21 +9213,21 @@ }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", - "sha256": "d8b7b25e2fefe1dc94dd57ee87b2dd576cc089e5d7a78dcb91f493b33e925285", + "sha256": "814a1903fe60035acd9815188db701fecb3cd77f622205487cbb5dcdd5895034", "type": "eql", - "version": 113 + "version": 114 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "sha256": "13bb60d5c1f5306bc12b67f81f15a38dc8238c2cd154896536269d9668d075cc", + "sha256": "9af59876aae930d88fa37449a4e391434ac253a1a3a68a7f19aa8142681af396", "type": "eql", - "version": 4 + "version": 5 }, "9822c5a1-1494-42de-b197-487197bb540c": { "rule_name": "Git Hook Egress Network Connection", - "sha256": "8e57b1dbf16d5746922b8edafe41713555a95bb09c7bc1b9f9f63a00bd5c3724", + "sha256": "c07414c56696bd71465558933f65566b033635cd7cf42419eb70a7695eddf4ac", "type": "eql", - "version": 2 + "version": 3 }, "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { "min_stack_version": "8.13", @@ -9180,15 +9235,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7", + "sha256": "71605f19bbfc7c7d7b38c3c938e25db98327f11a8597bfc3707c0b7936fc407f", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "bf30f1636a07e74463574f49efab7d6e8b0cb58dfdcbc00486a72ea8388c3439", + "sha256": "0c916283ee1f0d1637c62ca43d6d9d0ecedc506d586db6f76fbb4760f241bca3", "type": "eql", - "version": 102 + "version": 103 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { "min_stack_version": "8.14", 
@@ -9208,15 +9263,15 @@ }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff", + "sha256": "2df4707335bb89c170cda8fb27a189ca2e1da3b0a558637041354bc560f3c934", "type": "query", - "version": 104 + "version": 105 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", + "sha256": "193707cacca422693c80b0f220dc512aceef3c53ab09b92a266c678eb5066f0a", "type": "query", - "version": 206 + "version": 207 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "AWS EC2 Snapshot Activity", @@ -9226,15 +9281,15 @@ }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "rule_name": "Process Injection - Prevented - Elastic Endgame", - "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa", + "sha256": "635f24d3547bdf9acf3c89fcf9ca0a208ab9c5728c280fb1ef000066cf7d0b15", "type": "query", - "version": 103 + "version": 104 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "rule_name": "MacOS Installer Package Spawns Network Event", - "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584", + "sha256": "d58c1f45d74532cc49086f3fc2b1694098a7286463f0cea3fe7512d6b681a085", "type": "eql", - "version": 107 + "version": 108 }, "994e40aa-8c85-43de-825e-15f665375ee8": { "min_stack_version": "8.14", 
@@ -9242,15 +9297,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3", + "sha256": "f9bab10027d4eaff5c7cadc5613cfdfe2caf71917f01c2298779b3693e458905", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "85e5f6ced29ac3d6e31d6e1f4a7c0b4f2599e27e53092e952773acedced38cf5", + "sha256": "aff8ce3c97b8657b94418ecea700cdbd08933e40dae51fc4cac6978e212ebbae", "type": "eql", - "version": 110 + "version": 111 }, "9960432d-9b26-409f-972b-839a959e79e2": { "min_stack_version": "8.14", @@ -9258,15 +9313,15 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3", + "sha256": "d1a480f7832f8712d06096eb7dd3d5ff5ebd8c57a23ccb530abd85f8523c12ad", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "4bf6f2a660c85fd28a35ddf6782205584eb0a142d6df00a0777a759911565330", + "sha256": "c655401d4db3c1c8925fad88f4c58efa5897f96092a4eb5e5f39f19ee391aa73", "type": "eql", - "version": 310 + "version": 311 }, "999565a2-fc52-4d72-91e4-ba6712c0377e": { "min_stack_version": "8.13", 
@@ -9274,15 +9329,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Access Control List Modification via setfacl", - "sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f", + "sha256": "59b417d5b2a03bba13ec5f3948f8dea5787846aa669acafde0f1edf8f4c9179b", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Access Control List Modification via setfacl", - "sha256": "5fabd6c9b8a348ecdbb6ccf61bd29115e1088e89d594036cb436531de8418315", + "sha256": "fd3dc1350984a9b8467d555f148ef21d43fb04f913791ca642896a5a39069f55", "type": "eql", - "version": 102 + "version": 103 }, "99c2b626-de44-4322-b1f9-157ca408c17e": { "min_stack_version": "8.13", @@ -9290,15 +9345,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Web Server Spawned via Python", - "sha256": "34fe21a4d673170b9d5de7326cc8f18a359a13a6b97d49085d89e96cf0f9952a", + "sha256": "590abb2de8685e9ba6ac1bb26b5ba6e6799b404bca1b24fed7d7e3c37f8f4452", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Web Server Spawned via Python", - "sha256": "20fb46e1ca6890605aa87f9c08a2190c217b23b3759cc7eca032edf59af64ec3", + "sha256": "177d077650fa0b0c0a8d232ffd7f502d9de98c9d95e244261e6accf6e9f047bd", "type": "eql", - "version": 101 + "version": 102 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "rule_name": "Spike in Failed Logon Events", @@ -9309,9 +9364,9 @@ "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "min_stack_version": "8.12", "rule_name": "Endpoint Security (Elastic Defend)", - "sha256": "a4dde703652ee6884fe682bb32efc9fe966aaa7df53bca5436de63d993527889", + "sha256": "fe3e81fc1a5dd73c6932676c7b09d087a3b3848733fa74eb5a2b18f068972549", "type": "query", - "version": 104 + "version": 105 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { "rule_name": "Unsigned BITS Service Client Process", 
@@ -9321,9 +9376,9 @@ }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "aa9fc82aa5324a0f942d1115e319178f8cb830f3e6d3a881a1859865b3768db5", + "sha256": "957303ee184b536fc22f9671dbb2ed19527c497f148615b01ab438db8d2d1748", "type": "new_terms", - "version": 209 + "version": 210 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.14", @@ -9331,22 +9386,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Explorer Child Process", - "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", + "sha256": "dd9f2215be389c33f7a237f9116f9ebfcdc92de051c6babfea314a2664c84bd0", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Suspicious Explorer Child Process", - "sha256": "8911b89e1d09588deb7e5a942983225efff7df52cca7afc92f98f0875de1c7e2", + "sha256": "a2a0a26741e33b91efa6e94308f5e4734607222ce87fffcf03ad1682e63fe624", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Suspicious Explorer Child Process", - "sha256": "155a1370c4fc3154277e3947dd506fb75a99bd378727d59485c4e1947de04ecc", + "sha256": "e26c452a699c5910201336b89c6df67ad2e167129b2cad1f19a687282dc07362", "type": "eql", - "version": 309 + "version": 310 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.14", 
@@ -9354,29 +9409,29 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88", + "sha256": "a89728e7de28de1f41f89eae6884b7434dbd8f948cd682f6a0621a4cd7027067", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "f3167a9539280f0deb3103a26e2dad2bc7f971e05e60885f5a533db2ba730fa2", + "sha256": "bb878ddab8423add89b2fa6d67e8fb17d61aea08318d7adcc5f16859511228ec", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "6c0f3e8a857f02183dd2476acbc51cd2417ad39b9a38013caea85872f6c0495f", + "sha256": "bb1dc73390bf4205bc5518949d88f85a8ab64938716323d47e6c8a36817c07a2", "type": "eql", - "version": 310 + "version": 311 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { "min_stack_version": "8.13", "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", - "sha256": "19bb01d2bfc28053a0a6ef4bba3cc428e187d1c71998e94cabcc80b2b15ef822", + "sha256": "5261d7a8d3df0f503139f70be2c16478f9da435dcb45315321b70c9f0136c973", "type": "esql", - "version": 4 + "version": 5 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "min_stack_version": "8.13", @@ -9384,15 +9439,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "GitHub Owner Role Granted To User", - "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", + "sha256": "161fe9bc03f0a9bd845c1f1a27a75b057d54285240798bac0af9d268896a8ec6", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "GitHub Owner Role Granted To User", - "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68", + "sha256": "17b30931a90a1e2a268c89b8ca1c50d33a9ad847cf40b03526748115fa47df6f", "type": "eql", - "version": 206 + "version": 207 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.14", 
@@ -9400,28 +9455,28 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662", + "sha256": "034dbbe0e465dbc6001136495954743ac55334e869c7c26cc9a626641ff6aa1b", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "890f3569bcc29ef77a9be476b20376ebe51917937cb2bde1ca196f0698b6c9ff", + "sha256": "0912aa1b6bc991c999aa95627f0b21c7a306638eb24927bdceb97a8ff3299250", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "894cde78d489d010f90f6c225dc210803634f3e1d380a685cea35bd4605694ef", + "sha256": "a374edbd21cdd1d173a65c55d3d972a408a56b5c6350100b0dac8c36141ab105", "type": "eql", - "version": 313 + "version": 314 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", - "sha256": "818ec7b5077ef339d297c377bd56ef3592dbf978c6f01eab575e082d7ec31f59", + "sha256": "cb064b54fbccc8e07affaf57e4d14856f67f6918ff0c44205cd1c23aa4dcf427", "type": "eql", - "version": 4 + "version": 5 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.14", @@ -9441,9 +9496,9 @@ }, "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": { "rule_name": "Unusual Interactive Shell Launched from System User", - "sha256": "b203af3a5e4914073b4c50ace39c1cd98fff18e024f1810b36679a1ae394cf3a", + "sha256": "b351f332d2ee0c37576188cba134e30d7fc288887cfb5247b494162043ce2343", "type": "new_terms", - "version": 1 + "version": 2 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "min_stack_version": "8.14", 
@@ -9451,21 +9506,21 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb", + "sha256": "3e15a597d73ad4a145c44b02a7b7c7cd1825b1cd4c5a3278a1c07008434f6a08", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "9860fa33ea3768742f597c39c25196697991a88b7dc7cf668e73827b1da60387", + "sha256": "dc1a5b32175347af1afd41737265cbb2862a8c64a10583b52fa85a49f73f1afa", "type": "eql", - "version": 109 + "version": 110 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { "rule_name": "Potential Enumeration via Active Directory Web Service", - "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1", + "sha256": "a5aa8f87141efb58c5a9fc040430072979a81838fc6185b652fc5d08cae05ac5", "type": "eql", - "version": 2 + "version": 3 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.14", 
@@ -9473,22 +9528,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", + "sha256": "97790052feabd6d8d92049481818933f920d5128b459958b23b4f454788e1926", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "382fed94a5329814298bb2fe0283ed3c63d2c0ff9293e69efad3950dfe08121e", + "sha256": "b70867b53f9047d648a74ee785fbfb344461397ac17e24dfb7d85c50b80bd906", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "71bbd98aa70c506906a99a90cb6f320ba14cfe6276decafe44eb330c1a9e7428", + "sha256": "d16970d52f5665857e15296e8ce24758baf698ceafc64a1ac5355b5c221c2692", "type": "eql", - "version": 310 + "version": 311 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "rule_name": "Google Workspace User Group Access Modified to Allow External Access", @@ -9508,15 +9563,15 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", + "sha256": "c6feee8b5f84305767251a5980243998d9d4ba2743ad9874895791e3fa10e948", "type": "new_terms", - "version": 211 + "version": 212 } }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "37eced0f6fbe00d0d4f72c4340aafc08a0e4649d41713d82af3cbe9cdec35360", + "sha256": "8781554bff624a0faedf21aec63a088525699563be1aa50547303cc3af235151", "type": "new_terms", - "version": 311 + "version": 312 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.14", 
@@ -9524,22 +9579,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641", + "sha256": "bfab358531d2fb7cfa9b7a47b1508d37b00322f539ac43fa61530596a4eb2466", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "1a76f0bbf93f2e947cf44f3a49de094b9821895129e1861a2e6f30b6af1e9ea1", + "sha256": "29e49c1b420b1f8b800a4ac388b31b3bdbd3de5b3d1bd4a25b3655c2879ec8ed", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "b231de2975d9c748c61f7f29bd2b82eff7dc7eeb84a3b7e15858428d7acce811", + "sha256": "3462d5554238a5314c72b9c3f0c56611fd6c922c4c7ee065d1ffc95969e14966", "type": "eql", - "version": 312 + "version": 313 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.14", @@ -9547,15 +9602,15 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4", + "sha256": "1658b389087bc7cd6ee91ffc89a1714168b562dd44451d4c4d6f72702036b9a4", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "e5c954ed07e9fd47ada5f8b7e54e8b4a9dbd25bee53943caa9897ffba3703f10", + "sha256": "ba5fd2330dd1b6032d2553050acd7351a5e7cd9c1f74152c0fc5a78d0732b6ae", "type": "eql", - "version": 213 + "version": 214 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.14", 
@@ -9563,15 +9618,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", + "sha256": "0bb18ca3b493310ba23b616de3d39cfba94773b53140eafec03abd781a5897c2", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "402957a0efead0143ad51d2e826e9107da5aef344e559d2c85478257a3aa15b0", + "sha256": "aef7f15ace1ec416d8e85249577e2301f49840b905843d141189269d3f904f75", "type": "eql", - "version": 210 + "version": 211 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "min_stack_version": "8.14", @@ -9579,15 +9634,15 @@ "8.12": { "max_allowable_version": 313, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e", + "sha256": "e084fdc2aeb3587b28f10bf09ec2903a8523537a67b3b1538f46727a736d16f8", "type": "new_terms", - "version": 214 + "version": 215 } }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "11b4fc95052ff2e6c25c718c92d10ff5bfcc0c4e6b2dfce4802d5ff828416772", + "sha256": "35156b3e9740e59353d84856c46b8780be71d93b456573600a2f5093cea01698", "type": "new_terms", - "version": 314 + "version": 315 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.14", 
@@ -9595,33 +9650,33 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc", + "sha256": "6e08e0961e8712e3fa798614ceba20842f1fd9e78569f3efb5b0236bd2ffaadf", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "cb223017b8d3219787c5490b16190472e106e9b56b2efb8d0d5e50af116f48d0", + "sha256": "926469208de2cc16311faa56f835813cb0da62cf3ee0ff79366e3c2572a11edf", "type": "eql", - "version": 207 + "version": 208 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8", + "sha256": "ee6fd1c193ca3176b28e1944ae22027cdbe34e8151a5571d2c9571ae0970960a", "type": "eql", - "version": 106 + "version": 107 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "1c176b99688c3dfffb29f7fd942a5db17890c0e4c8507595266a7ef192f0698c", + "sha256": "4ce9e353cd70a52c2d7d94beb8a05952a35ff6c117689d5ce2d9a7da5af011aa", "type": "machine_learning", - "version": 104 + "version": 105 }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", - "sha256": "d5b10fa1230219482d9260c9b3abc29a378aad24325e84d344be2fa223a72b04", + "sha256": "aad06c86f00fc49143d2b0b6c0f3b27380ed7eff0b3cf20193f5338fc2ea0a9f", "type": "eql", - "version": 2 + "version": 3 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "min_stack_version": "8.13", 
@@ -9629,15 +9684,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", + "sha256": "3e4eea02a43d60f58a4be4bea2a88713ba7724676b52851025572c1bbe451d5d", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "ba184af85327ab0b30d44303e6f197aa3633bf956b71268bfb4c1cdb7ff0e0a0", + "sha256": "e49d72b63706bac64f750445fb8273899588eb0881286ee1c15f8cbf3d4b495f", "type": "eql", - "version": 210 + "version": 211 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.14", @@ -9651,21 +9706,21 @@ } }, "rule_name": "Potential Credential Access via DCSync", - "sha256": "42787461cd6ccfd67f8830817f8a5a08ce5c23299a470a46c9b4f09e6db3d307", + "sha256": "c827437febd6573bc72e13eee68be8b34803f97343b531bf5a4ac64899989cc7", "type": "eql", - "version": 215 + "version": 216 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", - "sha256": "9c5b42e9d0ce3be94bd99e088bd928d5dd6f6dc750cf9a67b5cb20c6067bdd0b", + "sha256": "5d7f431713626a4dcd90230cc90a452231a2f4f09ce222c8f023205f6921b8b3", "type": "new_terms", - "version": 211 + "version": 212 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9", + "sha256": "7b2b92f74b503fc18cf5ef70b93536fbb877f88952c072c944b062b3f8f647f7", "type": "new_terms", - "version": 312 + "version": 313 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.14", 
@@ -9673,27 +9728,27 @@ "8.12": { "max_allowable_version": 108, "rule_name": "A scheduled task was updated", - "sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f", + "sha256": "73081f6875d6de77e1cfc1de7cd27bbd885b7f016546a3e004f06be2c614c254", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "A scheduled task was updated", - "sha256": "749ba895080051e4aa8e4a2df55b64ca9fb5e99c35767bb1f288e9c07842211f", + "sha256": "b4abe619c6873dbbf537a259fb41b785fd39c973534f78af8f41347c1f9a6834", "type": "eql", - "version": 109 + "version": 110 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "rule_name": "Potential Privilege Escalation via Python cap_setuid", - "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3", + "sha256": "4fb0c2f13b78a878839b6ca5deae3f3256aad7e97fd364c5e60139f495f526ad", "type": "eql", - "version": 3 + "version": 4 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93", + "sha256": "2192b6dc1346c8016c7f7e18d0e4def61f38a7359cb4c665235f7c7a35d81646", "type": "query", - "version": 105 + "version": 106 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "min_stack_version": "8.14", @@ -9701,15 +9756,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", + "sha256": "009c0f45c6d544d656f91b1a17dc4ca36d2fa5cda90732b95d8cc0840b82684f", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "539e9bec28c5ba2b0d44bd1a2c646f203f6b4a07abe0fff58707c93fe20a2684", + "sha256": "3826d8c2ea0005de5c96f492c5dd896a58db738ff754a638c848dacf6514d220", "type": "eql", - "version": 207 + "version": 208 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "min_stack_version": "8.13", 
@@ -9717,15 +9772,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "File Deletion via Shred", - "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", + "sha256": "cb4768e9cc77383814b6bf126bda3c193dae302c4d755159f2ce1e4079e49733", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "File Deletion via Shred", - "sha256": "3d589003c93cc87bb316a3627d284b1a283da55956d2cc4761debccb078a0b8c", + "sha256": "88cad104e97ca755480aafaa4a712b418afbe8b9eab3dc5b3a7f41b78982ad6a", "type": "eql", - "version": 209 + "version": 210 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.14", @@ -9733,15 +9788,15 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2", + "sha256": "ff0cfb580ab3d4b49d481e29249862e6b6880e365188f6042d40d1b3773f1b70", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "cbb9883d7a92a6a590c0f8f1280653d30652d6832ac8209e13d9fd8af07494bc", + "sha256": "12d937324cbeaaa49e957871d3d23a99d065e3a5070e763111e10bcb6a0e9a92", "type": "eql", - "version": 208 + "version": 209 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "min_stack_version": "8.14", 
@@ -9749,34 +9804,34 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9", + "sha256": "60b4da3686af1892886ef1568adc3da363b41fa02069a8ad5f02c1f13fc5e375", "type": "eql", - "version": 8 + "version": 9 }, "8.13": { "max_allowable_version": 207, "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "a67ae649a271e68ef17b80ec7a1d6cea6f39d80a5dec0803424fba96df9a9024", + "sha256": "a95daf1b60dd955c84fe99495d627e26da5f8c3071938bff985159d488d74b35", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "0e7f58671c9058c1194ab7cd3b496010e9aa320e5ca20b4bcc8b196c7fafdb4d", + "sha256": "ab452a27753833a9982fac9a2797499691153c3fcc51357315acc246796bce7f", "type": "eql", - "version": 208 + "version": 209 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99", + "sha256": "1c1a346a5c44ffafc16e7a28a4703248527b03dd10eea79fe823ceb5a035ce73", "type": "query", - "version": 104 + "version": 105 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { "rule_name": "My First Rule", - "sha256": "6e0a27cbad2201b443c14712e096547ab0f70144d8a1777fbc9a7118b6f31701", + "sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba", "type": "threshold", - "version": 4 + "version": 5 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "rule_name": "Potential Reverse Shell Activity via Terminal", 
@@ -9786,9 +9841,9 @@ }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "rule_name": "Linux Group Creation", - "sha256": "93d8a95d1c43dedafd6cece3fab8d0b375e5a15801c84585d037fd2c7f361076", + "sha256": "6318c4dff530e8b0d50c646549d60a859ca4d6d4881dbcc94e3b5c26620390ce", "type": "eql", - "version": 6 + "version": 7 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.14", 
@@ -9796,34 +9851,34 @@ "8.12": { "max_allowable_version": 210, "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36", + "sha256": "06f788f98600e28f36873cfa890ce266317a1b101169c481fb3099d9c0e35eae", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "64d63c9fc9cd61923e9f98811c5823a1bb8a27a525a4b54b969fdd7051bb4649", + "sha256": "db4b51eff904ef0ef94f2e68fa3ac4e7e64a9bc8c6e03af8a426537789e233c8", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "ce9a658724c78ad0fb002e88c88c00891614f43d625181cf23e6541447ff4daf", + "sha256": "ad7b4900548730f045e3b58898846a5953e28138ddc81ea4b2cb5e8f7bc4f30c", "type": "eql", - "version": 311 + "version": 312 }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", - "sha256": "30e15837fc2299fc5bd51618f8f9d726a4f81121c3e9213c9f0f37b7f1922784", + "sha256": "9e16a6d58c5f5a677f1cebc91183afdae5a7ecdfcce34207fcc6f62f65367152", "type": "new_terms", - "version": 1 + "version": 2 }, "a22f566b-5b23-4412-880d-c6c957acd321": { "rule_name": "AWS STS AssumeRole with New MFA Device", - "sha256": "cfb03e9127dfd2a1580d29f64f412173261e28a1c22ca8b51e484f75b870ff8c", + "sha256": "bfb7eddaa9656dc8832f4d1a089450b5b180a6620a1dd22d601c7bed17c286de", "type": "new_terms", - "version": 1 + "version": 2 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", 
@@ -9853,22 +9908,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Execution via local SxS Shared Module", - "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", + "sha256": "c70b5b61b3ea697efa1bbf34aede51b77d26f0af37f29414c403967c589fa37a", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 307, "rule_name": "Execution via local SxS Shared Module", - "sha256": "2084297807278d91612b5ba01c82c2f10551b23506d0009a391feb6f63287dbf", + "sha256": "7f90a2bcf9eeaff4a2dc027ec117964bf311dedcbc86cba03a8615c9780c68bc", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Execution via local SxS Shared Module", - "sha256": "1bb9e2021e6b0db51906eb89a0556e7513a62b080972cf61ad4b7dd2a7f01e2a", + "sha256": "0411088910bff1036ccad0a0a7e3e47b669f970b76031d73843f1a6ee00aa168", "type": "eql", - "version": 308 + "version": 309 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", @@ -9890,9 +9945,9 @@ }, "a52a9439-d52c-401c-be37-2785235c6547": { "rule_name": "Netcat Listener Established Inside A Container", - "sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146", + "sha256": "04ff1b708f21926ca8673e536f01751da5464d3c618e199dad5190935569c59e", "type": "eql", - "version": 2 + "version": 3 }, "a577e524-c2ee-47bd-9c5b-e917d01d3276": { "rule_name": "CAP_SYS_ADMIN Assigned to Binary", @@ -9902,9 +9957,9 @@ }, "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "rule_name": "Potential Reverse Shell via UDP", - "sha256": "107d9dba2ad9b03f457311eef2f1d29f5c30f692db76b52c0ecb7ad90cb1bba0", + "sha256": "dd7935aa4635611792001b36012fecabe2d6bbb0b7a8cc2f80a706b7bfcf659b", "type": "eql", - "version": 7 + "version": 8 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "rule_name": "Potential SSH Brute Force Detected on Privileged Account", 
@@ -9914,9 +9969,9 @@ }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df", - "type": "query", - "version": 209 + "sha256": "9b292d485484c3753314bef6df52ec945933baa8293f6967b3f4a326ef8daa1d", + "type": "new_terms", + "version": 210 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Azure Active Directory PowerShell Sign-in", @@ -9926,9 +9981,9 @@ }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "rule_name": "Threat Intel Windows Registry Indicator Match", - "sha256": "911df9a41bce872a7cd60687c487a8d1b6d05ca3e4c2748968cefb7fdc63f3b3", + "sha256": "c061bcef15efcf1c65649493512805d27d383b262ef29f1ee14d2c941e88724e", "type": "threat_match", - "version": 7 + "version": 8 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.14", 
@@ -9955,27 +10010,27 @@ }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", - "sha256": "468acf9925b683cd43a8c9d55cff0117071c66f66e7c1a1dfe43b164b6cb22a2", + "sha256": "b597402a792a29e82c02d56787dfb0088afb24fe4681fccf800ec8ff10a08a10", "type": "eql", - "version": 1 + "version": 2 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", - "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287", + "sha256": "cbdf047624c4be0c4e5064b465f23c279737467edb36c6a8f0f51d8081900042", "type": "eql", - "version": 107 + "version": 108 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "rule_name": "High Mean of RDP Session Duration", - "sha256": "55ef145cde18d6c08b01ce4ece7f4903351d9bdd131a8453002647a668aaa5c4", + "sha256": "16d442bb0e68cceb100b590cd99c27126094ef873e1557bc0494c33f672351ba", "type": "machine_learning", - "version": 4 + "version": 5 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "96b2fcbc3924d11fc9c3eed38fc768bf6f97bfe8fe667f084d210769af057164", + "sha256": "1a8db1f12af5f8f6acda01d02bf1f7858b64b591e8cc97e80b1f821fd01b136b", "type": "eql", - "version": 113 + "version": 114 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "min_stack_version": "8.14", 
@@ -10002,39 +10057,39 @@ }, "a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", - "sha256": "5550f7f742c87f9bd39c1e4db8db24caee9b67540120dacf5f7b201023626f25", + "sha256": "04dfaf2e0ab843431c44a2508695e0793ee75aea13aa78ee94a7c26e31c27c5b", "type": "new_terms", - "version": 2 + "version": 3 }, "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { "rule_name": "Entra ID Device Code Auth with Broker Client", - "sha256": "1cf36e99756517a71c3c4daeef8d7ed86213399d94ede19cb11a01ad05ef7323", + "sha256": "3b36ca3385b038425d51a7e5ed4106e263b270fcfb2b2b3f080d747370eb1bc4", "type": "query", - "version": 1 + "version": 2 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88", + "sha256": "7af20755d35869e009f843fef6fb3ad74173f1f9d745b649a798002ecd3fb640", "type": "query", - "version": 102 + "version": 103 }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { "rule_name": "Authentication via Unusual PAM Grantor", - "sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a", + "sha256": "7dc8a4e76f836a2dabc1f97682ff2a8788770c2df8b3c977a9a21e48600874bc", "type": "new_terms", - "version": 1 + "version": 2 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", - "sha256": "41c537740053f42fad23d5168744e96453f28557cccc97585c0f976a10ef5178", + "sha256": "9067b8538121e710f6bc88912dc5b959b87527aba3c8d4799197e2b1155bfafa", "type": "eql", - "version": 4 + "version": 5 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "rule_name": "High Variance in RDP Session Duration", - "sha256": "f40d918cd70e374c3ea932e1a3b6c14fe1d4bea3bc082607586e660708225c9f", + "sha256": "b10636c16f0df07435893373776847351520e760d2923c0ac25814bba42a51c1", "type": "machine_learning", - "version": 4 + "version": 5 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding 
Activity", @@ -10044,9 +10099,9 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", + "sha256": "6388eaea93dbea69b2def246d3830353851466710a017a1b197cf97d811e445d", "type": "query", - "version": 206 + "version": 207 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", @@ -10060,27 +10115,27 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d", + "sha256": "521b0deac4fa27230216cb8daf48bee86c9bbef64c5b0dc90d5dbd5acbb31f0e", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "4687afae3e7472fed3b420f99cd3124158312bfbab94cd1f7303fda1d1a139bd", + "sha256": "3408526e0c0dac93e7765ada0f10c56843aec79f4e3c80ff93f5afb3ec32e96a", "type": "eql", - "version": 209 + "version": 210 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "f6ceb7d4ece3477e49b056e9dd3e833f999b2eee034004d015ed34cab40f8df5", + "sha256": "c5e9563513ceff85a4cd305b620e50b46d0abdcd6b749995b72d1dfe43f137f2", "type": "query", - "version": 105 + "version": 106 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", - "sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f", + "sha256": "05234b27bd38c05a4148c880399948bb9f659dc2409c560ff2c17735d399fdaf", "type": "query", - "version": 104 + "version": 105 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.13", 
@@ -10088,15 +10143,15 @@ "8.12": { "max_allowable_version": 211, "rule_name": "System Log File Deletion", - "sha256": "caebd910311dc1b958558375bcae2a9bd22b4ef344988046c43684e838d9d350", + "sha256": "9e7b2926bab16d0e65d0b84a1ec35d2ebfe3b10e1f219c4a9f7a8d87a9e5a132", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "System Log File Deletion", - "sha256": "ada984096f2d14c711d004bdf03cf6f511a543fe021a46c40c89c501a6a2b6ed", + "sha256": "90cddbc10f4f4760da203311ee1ccaaffddec3e97369b36fa049935b55906f94", "type": "eql", - "version": 212 + "version": 213 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.14", 
@@ -10104,47 +10159,47 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Remotely Started Services via RPC", - "sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0", + "sha256": "c5ae21879f28fadb1daca353f3c354f8f96a89ebe15eb191af73bbe85a2e1b0f", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Remotely Started Services via RPC", - "sha256": "3bca920a328d271bc638274d9265324896cb1635894bb09d8c7628ee499617d2", + "sha256": "470c7c8413962fc0f844e61a7bf6314d1a2eb8517d76b793b627d1ab6c0ee1cc", "type": "eql", - "version": 213 + "version": 214 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "rule_name": "Veeam Backup Library Loaded by Unusual Process", - "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", + "sha256": "b09c6bdf53c574bd6a13c29289040f6d39647434595c2ef5e908596c2f87e744", "type": "eql", - "version": 2 + "version": 3 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "e1161667047c076c8d8e436e3ce9b940a7089c5cf8587b557f3b3b52119d231a", + "sha256": "dc906d8e338b0fba7e19f677e0f95691c4e1c94fab8b366f0f0fa007db2226e3", "type": "threat_match", - "version": 8 + "version": 9 }, "aabdad51-51fb-4a66-9d82-3873e42accb8": { "min_stack_version": "8.13", "rule_name": "GRUB Configuration Generation through Built-in Utilities", - "sha256": "78ab7ba6d046b4901b164ee6e3fd63c4c9c277b9bd16337514274902f4322388", + "sha256": "6c9d7d72e70ba8fa7028586f7dd96f22a714aea37e9b6a748c48f4c2b84cf5bd", "type": "eql", - "version": 1 + "version": 2 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", - "sha256": "d83d4d35e0bb8980567f6aed233e06d8bcb4824a6e438a8f8606f7318ce7f204", + "sha256": "8969379383985fd2ccf5010b8b1c8c4e72e6c2508b920cfb65101ab13bfaa620", "type": "eql", - "version": 115 + "version": 116 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "min_stack_version": "8.13", "rule_name": "AWS S3 Object Encryption Using External KMS 
Key", - "sha256": "3aff4d1d49850118022efab0afa8765485da6c1fdc1d96b20d05fca3803b18f0", + "sha256": "c58bc9bcee72af710a07f880ed3df3eceef229e97454f6ad449273d078b06c4b", "type": "esql", - "version": 2 + "version": 3 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.14", @@ -10152,21 +10207,21 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676", + "sha256": "83e5654634806cf836873526072beb4a411dbe215b4be002f799dc0eb0866d82", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "41d9773b53e26197a39fa675ffa40d07b17987dd304c38336693138b0222111c", + "sha256": "62b3cce8bb0d092c2759ebc4697ef92d744a740ec8e418ac7370a52052d0d04a", "type": "machine_learning", - "version": 206 + "version": 207 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", - "sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9", + "sha256": "5b1015d4458273b2f101dd22674b7cc73970fd91015c91ed9c22fc5049ca1729", "type": "query", - "version": 108 + "version": 109 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.14", 
@@ -10174,22 +10229,22 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious WerFault Child Process", - "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10", + "sha256": "5a3182ca2012152d9bd5c912111d82b1f3214a893d6da8417d00cde83cc42f7b", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 414, "rule_name": "Suspicious WerFault Child Process", - "sha256": "c1b3b8d2072d918930efe998f724cf12942ee022c135971e24778f2c1821eb4f", + "sha256": "9e5fa90d4dcc2b7ba457b5d5c1701304fd158e99a68fb7fddee7dee79f9b55f3", "type": "eql", - "version": 315 + "version": 316 } }, "rule_name": "Suspicious WerFault Child Process", - "sha256": "cf59420deb50d843084ffc3320ad39588acb649e55c3c0eb12c54b1d52a3b4aa", + "sha256": "2093382d45530ceba2ddf764b031af27fef9087e0b6f90f1e6cb535a04e5798b", "type": "eql", - "version": 415 + "version": 416 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { "min_stack_version": "8.13", @@ -10197,15 +10252,15 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Git Hook Created or Modified", - "sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64", + "sha256": "ec16be4f5fe86ad7212a2520875b8f40ee71728666d7085220d272f1e3929d89", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Git Hook Created or Modified", - "sha256": "f2f13e4195a1e04b1288a31c748ca8bad1eb7112fc9e77a2a5547b948f54a5d4", + "sha256": "0c1a8c2bb10aaf8e8c9dc4c3c70b9fcafe1230ffe0687aa31e5909bf176ee7e9", "type": "eql", - "version": 103 + "version": 104 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "min_stack_version": "8.14", 
@@ -10213,22 +10268,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Outlook Home Page Registry Modification", - "sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83", + "sha256": "9e311415c8086b3934da0eeaa5ccac777e192f9c2c9953b705e3368c14fad664", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Outlook Home Page Registry Modification", - "sha256": "1adad2fbaac61dd3b02e58f8271efb1177aadfc906d7c20a2a30ce2f984ae27d", + "sha256": "981f0b0dbe49943a8536ee475f57749dedc4e10f1c32351e9ee5c122813eed48", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Outlook Home Page Registry Modification", - "sha256": "02cd6bf4e2e371ef2e60d5a1df762ee51868c135ad78304ce723d27a91a4c7f2", + "sha256": "cf576e47d585c50b59b5886c7f0802f74deb1e56177dc7478d66d1e3a7379fa6", "type": "eql", - "version": 201 + "version": 202 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "min_stack_version": "8.14", @@ -10236,15 +10291,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5", + "sha256": "f0b9a400aad8092fd6bd78cf6124173e5d87d3a8d40fb37af54e7611a60734de", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "ffe2ee7667dba6c6d5b6c0f2e759bd20739ce00b74f2ff55cfa78eaac5c6167a", + "sha256": "6d20396d3b2ba5db4a1fd80aca9c645d4b789dcb0d39161b5dfe9b1d4f1f216b", "type": "eql", - "version": 101 + "version": 102 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", 
@@ -10254,9 +10309,9 @@ }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Potential Protocol Tunneling via Chisel Server", - "sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9", + "sha256": "244086ab4aa98317bccdb56cbe25ee1911c6c8b1b5d6b56e5da66e969e9a1aa2", "type": "eql", - "version": 6 + "version": 7 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.14", @@ -10264,15 +10319,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", + "sha256": "73aa4e201e1220c47c689009c0c24f4ef6a0dcdab57655d7f25c5525472d28b4", "type": "query", - "version": 110 + "version": 111 } }, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "b419d7a1beb994f9b021b2477fb9df633c75879e1523c5d9042f5f83dc1f98e0", + "sha256": "e75ecddee03f0ecd4c9052ef2974471d669da03a7d25fd6c4c46ad39537304b6", "type": "query", - "version": 210 + "version": 211 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", @@ -10282,15 +10337,15 @@ }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", + "sha256": "c893c9924f303a60bf8cafdffaf2cd627c6fdaae221bd7469fe25ef355839d32", "type": "eql", - "version": 106 + "version": 107 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential macOS SSH Brute Force Detected", - "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9", + "sha256": "0634c4cc8994181d8d803e1f8a015b27a0287326c7bbe72e41f6caabaec65771", "type": "threshold", - "version": 108 + "version": 109 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.14", 
@@ -10298,22 +10353,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", + "sha256": "71cf5c81124dd45113bcb530642c295387bd2b68ee1236cb2a3e8e2f0f0aca2a", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 307, "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "6bedea5ed62553b3faee7de59fc7d5379a82ec9a852980276971dc29d0c0b345", + "sha256": "86ac334bd5ab8b6d729a0fd45b6134932f7b204b865b83dd786664d0984c3da3", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "de021f1c7c7f774f5ae581c5a8dcf13e91eaa358742311cabddc983f8bd428e0", + "sha256": "88a18ab3c5f799879b46bf994ced31f7d53b1188b29318f70d67e7f1fe7bc832", "type": "eql", - "version": 309 + "version": 310 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.14", @@ -10356,15 +10411,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Openssl Client or Server Activity", - "sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce", + "sha256": "8eb908bf23fa02ea31de0dcd624ff3541d1bc60c2389d04820670c32bd4b7244", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Openssl Client or Server Activity", - "sha256": "7f976d99bb3f172f171e5652c8cad18cbd56030f72633c4a5455b0c8f420a2f0", + "sha256": "1b7199791c6d84167d236ea1e7b0d434bbd215be6509536b9d943c0be646d2a6", "type": "eql", - "version": 102 + "version": 103 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.14", 
@@ -10372,21 +10427,21 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", + "sha256": "e36bc47e8ad58d550eb0511c38b7e7ebe9f68e088ec6215f78f7a2780d0f4e24", "type": "query", - "version": 112 + "version": 113 } }, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "23c56aed37124f4d42a7e066da164226be49cc33c8358d269cb23b54daa61b9b", + "sha256": "014ab6a9d47a402634c60580acfcdbc73e02eda99e30868cdb84bd27f75bfe59", "type": "query", - "version": 212 + "version": 213 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6", + "sha256": "fdb9bfb1476b606fed9fb9f5d813bd2649bbfeb1e82522dbab72f7f63e379c10", "type": "query", - "version": 106 + "version": 107 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { "min_stack_version": "8.13", @@ -10394,15 +10449,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "4cbd3476d128aad590e86079b7e07f0db490326f4339fd74b5c8b596bee4bc0a", + "sha256": "a1f733e8c14c8a8ddb91a5c919f8598d6578b992ab231ea6130ddff737d80b25", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "a44fc3ff83a0e6aaabac522e599b8f92b95cce50059049fab47a1a16e41c5995", + "sha256": "746d0a429f9ff030e458664ae3eaa0292ccbc3c15e7f707921cde5fa37659e91", "type": "eql", - "version": 104 + "version": 105 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "min_stack_version": "8.13", 
@@ -10410,21 +10465,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", + "sha256": "883178d57a5f0e0cf1ea5d9e4c778051a895d0e41a27aea175cfeec0058c9573", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "fb1931f01dca4a44f26a9e4a4226b6ed2eb886d1ca2435600262bbdac2d279b0", + "sha256": "1da815d35ec17c8073f83a5113a2ecc2ed46bc4ea6694beafe243f8bba9f4f43", "type": "eql", - "version": 210 + "version": 211 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", - "sha256": "1e6f2fd1e6f9b02629b2f190c0872668bcaaa1d2b3b8011b1798f1e6ebda905d", + "sha256": "36e34a2abf002a55bb25f1d7c6333a2b2ab927c5e1e735f1ee9b1ab5e41b29aa", "type": "eql", - "version": 6 + "version": 7 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "min_stack_version": "8.13", @@ -10432,15 +10487,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Suspicious File Creation via Kworker", - "sha256": "a932bb2a7c777540aee96e3bd9ed937cff8e801ad0e9351bd907f5111f8a94c6", + "sha256": "cc84e69331853cce8fdc6642b517c1976575b91f66f2e049315267bc2bc1c035", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Suspicious File Creation via Kworker", - "sha256": "02ab7ea5b4914325e4e7cf18374acd1f9a35821031152a35fa098ed270466f3e", + "sha256": "638df02131a857a0c394365561637358f6a3ffb4aaa634e28f95a56dc649878a", "type": "eql", - "version": 105 + "version": 106 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.14", 
@@ -10448,40 +10503,40 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", + "sha256": "e98a3d6c4df8d691ad52d2e09453788cdd9059b5d1d1417f8c27adb82ad82604", "type": "eql", - "version": 5 + "version": 6 }, "8.13": { "max_allowable_version": 204, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "bc36274c731c5231be458f7c7b13cbefb5bbe0dba08f745f6d3a65c6f02bbbf6", + "sha256": "6f87d083a88525ef7eb03a6d4dde91d57fecb67021008268bbe38eddcb8de46b", "type": "eql", - "version": 105 + "version": 106 } }, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "8b17583a4547a22fa32e210797078688b3ea53cdd67f93494107cbc65d3e69ab", + "sha256": "6457c55cd14c40cf20aaa69545261b5acc6f52e94266a412cc7eae717c18f7d6", "type": "eql", - "version": 205 + "version": 206 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created or Changed by Previously Unknown Process", - "sha256": "e0f82917421c7696991e4560a68459553d9372473b32461c5f4dfefc5ad1c98a", + "sha256": "baa6bc2ea280de9151fdfe8e52180a5e692bd39318a6d37a5177670803b9600f", "type": "new_terms", - "version": 9 + "version": 10 }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol", - "sha256": "cb2725c021473f600c5a345ec6f8d3ff117b7ed72f2b96bd4e98d625edcfc640", + "sha256": "c873fc0c596cd973f1b742aac95e71e5cdd88437995ca1108204c81efb510ef3", "type": "new_terms", - "version": 1 + "version": 2 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", - "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123", + "sha256": "3b1d96fdac5914fb91eecbc97fa8f38bc40a93377e7b9b291e2521e0d62884e8", "type": "eql", - "version": 4 + "version": 5 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.14", 
@@ -10489,39 +10544,39 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Local Scheduled Task Creation", - "sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0", + "sha256": "153a680562c2db766ddc13960ff0b1b1d40590dbbf944177fdb07680c4695cbe", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Local Scheduled Task Creation", - "sha256": "866c1232689b9c39d30a1a03948c4544423e632af7fc8b8b42c69e4a88ca637c", + "sha256": "a9a640dba899a3c92c6a25fdfce9b2ce29774069d5e4b49e89209b64d0bd8431", "type": "eql", - "version": 208 + "version": 209 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "rule_name": "Network Activity Detected via cat", - "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6", + "sha256": "7be4987e791da9dfabee670a6146bc8feecdc79d6116df0d953a8ba12d281ac5", "type": "eql", - "version": 6 + "version": 7 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19", + "sha256": "9f17380d50e88b7451dd13c376b322d5597ee174ee532322e00728ddd30236e4", "type": "eql", - "version": 5 + "version": 6 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", - "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4", + "sha256": "f446d6a851c5fb5c1d8c57353f72923d40776727f9f1464155a7eb802e6a9d92", "type": "eql", - "version": 106 + "version": 107 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f", + "sha256": "c76e638ceb65578acea1d18f1415cffa579dd2b5922507665d774472de710a4f", "type": "query", - "version": 106 + "version": 107 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "min_stack_version": "8.14", 
@@ -10529,22 +10584,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Netsh Helper DLL", - "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", + "sha256": "ae6521e56ff6823f52f0061b21556a43efe712f7fd43485bcc1e437849bb0c4d", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Netsh Helper DLL", - "sha256": "12a75647b89fa1a4bbc61d7654d7f62e6c69fd20f55ad24ff83e672bbb8ca97d", + "sha256": "f6a3950e6a53ae6b222eafb2db8745cb0c160be006a075c08b5fd6a0a7f9a7aa", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Netsh Helper DLL", - "sha256": "54f00272d79b87fe262ae02033486e748e84d4ab22a02b091b094c3cb456d4d5", + "sha256": "8b1858525694ec6e7adb1eb4300cdd4ad1e6e4721418a4c30ff5567d37ed66f4", "type": "eql", - "version": 202 + "version": 203 }, "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { "min_stack_version": "8.13", @@ -10552,22 +10607,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Hidden Directory Creation via Unusual Parent", - "sha256": "9775897dddd3d5ea2fa72deb33baef8f2737925ad1d5be0ea764df8986e49111", + "sha256": "6108a4f29f29a7a3de508648ab5fc9681b4307662435aa380267f50682002e00", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Hidden Directory Creation via Unusual Parent", - "sha256": "801f1305ee382a5aa0d97a9fe784df8f025d7b4a31f0a0560ab3165dc7731fc9", + "sha256": "354b847a7f132052a3849af3c53e5def5104dd2dd73db94eca1fed67cfd83e8e", "type": "eql", - "version": 101 + "version": 102 }, "b1773d05-f349-45fb-9850-287b8f92f02d": { "min_stack_version": "8.13", "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", - "sha256": "b4bb7df60780eda7a7112af699e8f9eeb886859104a14dc0c0e590d88fbdfc26", + "sha256": "0ec57bc339f3fce1eca49752d9517e31d376889501714169d4c2e86fc43c6d2e", "type": "esql", - "version": 3 + "version": 4 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", 
@@ -10593,9 +10648,9 @@ }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", - "sha256": "de46ac771569265cca83a3eb78ca92c48cf3478e0c49d68ffeb12dfeeaeccaf5", + "sha256": "b3411c6b99d0c79d2fe1c0df6b34fe5c2a9866107f061e8bc8b9c5ae08a66c80", "type": "machine_learning", - "version": 104 + "version": 105 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.13", @@ -10603,21 +10658,21 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Remote File Copy via TeamViewer", - "sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab", + "sha256": "0d0bd0de1c42b394ca6d718a32761db9128689309c818676ea02bd44009e6f48", "type": "eql", - "version": 112 + "version": 113 } }, "rule_name": "Remote File Copy via TeamViewer", - "sha256": "0c04cfa96ede82a6bbb59d8e384474d50b45f25914ae1e80b8f511c08aeb6711", + "sha256": "c8f3a33a1eda62ed530a6fc161bba9b0b5971ab42727c08f73a793be0b2199f8", "type": "eql", - "version": 212 + "version": 213 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", + "sha256": "723230c66b898eb377542e469559e3654604ede32b8721af457c83afa144c4da", "type": "query", - "version": 206 + "version": 207 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.14", 
@@ -10625,27 +10680,27 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Network Connection via Compiled HTML File", - "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", + "sha256": "8eed8d54357b27cc75f72fb6d8bfbf8329b2bd2a0c09b43187d7132a3a6e195c", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Network Connection via Compiled HTML File", - "sha256": "116a6ad1cd9cb04c665956e8d54a4b226e296be8ffbf0a20f7073e7b6329ed3a", + "sha256": "7399a81fb47d057bd4c83b8a488b4fe9e614fe9fbca03daa78018eac37dcc058", "type": "eql", - "version": 208 + "version": 209 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", - "sha256": "a06f31bcbb968f4b0f7c2b9729c84a695e91e13c34ea63cd6aaedb3ccb06324d", + "sha256": "2eb4c2399504f67ff666102ceed72f7d457d96362545c820950c951e0fa3c5db", "type": "machine_learning", - "version": 104 + "version": 105 }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", - "sha256": "5ef62fe38d22a4511a897c8008ac45dc5666daf58d4330f04538f49decbbeea1", + "sha256": "b66f1e7d1ec9f7028453eabcbf79b0a385bcd2f7f051b6c42fc560f604bf3ebb", "type": "eql", - "version": 2 + "version": 3 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.14", 
@@ -10653,22 +10708,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817", + "sha256": "788aa64f654d1ac9b8ffd4d72359798797fc89867374541a87bbe9a894fcf4e5", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "67351b07df4aa1f47a5962233ac558f0f841b0b99dc69791d778f50a1490b724", + "sha256": "319f2d05d6abb9b5ba124cc01beac7e744ae47dc12b992b2bed1a9e23f17d27d", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "0cf7c5888e6bd4702f883dc4ba471a0d9c383c885d4588e6fe1a7ff741df7a15", + "sha256": "36ec98bc6180df8ef468f9c0214119135f7e9048ef4758dc1373818fc33d81e2", "type": "eql", - "version": 313 + "version": 314 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.14", 
@@ -10676,34 +10731,34 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b", + "sha256": "e8d26c789dc518e64dbc8a2ebc802ec86ad2ece06bdd9b24713721e87e4c3f2e", "type": "eql", - "version": 9 + "version": 10 }, "8.13": { "max_allowable_version": 208, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "8abbd6548883de2d4be1a5b3301cd6db8b4794b27c6795d260aa7bc4563dbf15", + "sha256": "8e1370bc732b7ca13a8a4398d2978e5fbce22c79d8ed69889d4271f8500f9347", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "40c7f66bf4e89df1d59470f6039032a32e6991959d8e11a12649604b2ba79da1", + "sha256": "ada7de75fee9e8d288c51a4bea4856ecbad5060b978f2319b741a67989164c15", "type": "eql", - "version": 210 + "version": 211 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900", + "sha256": "bdd06953c595a6c37482e67037eb72fb0d5301b42a5f4343e549c01b8c7cbb52", "type": "query", - "version": 106 + "version": 107 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", + "sha256": "2f8c1a57650a8885345541c39bf72fc1fb21b8a10ac375920f107bc8110e7c76", "type": "query", - "version": 206 + "version": 207 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "min_stack_version": "8.14", 
@@ -10727,28 +10782,28 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", + "sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", + "sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9", + "sha256": "7e95af47b812b851ff7c0d56818e3f8c2aa918a77fc10b771a33f6b34d47291d", "type": "query", - "version": 410 + "version": 411 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93", + "sha256": "e577352f4e85cfd958d5873c0804e639b7b3bf1f869e7ccc0f203e6d2492672d", "type": "eql", - "version": 5 + "version": 6 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.14", 
@@ -10798,15 +10853,15 @@ }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", - "sha256": "f7dabab39fc646885b39c4c9afb130a28ee22c77ab5d59c1661931a5024b5ea4", + "sha256": "632c8e11b721e5ec61820d811a8007bab97cc61f20dcaac08301345e24d0651e", "type": "new_terms", - "version": 3 + "version": 4 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", - "sha256": "f3649a0d50320a3030f75006849ddad5a4d2da60d180156464fccb95ead0343d", + "sha256": "fff06615434083388a264c460161ae05556bb720792b5e921a635a843dfd4739", "type": "eql", - "version": 107 + "version": 108 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.14", @@ -10814,15 +10869,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc", + "sha256": "60fa1c1f92316dff5dbafafb8828c4493eb084e0a892fef14665afb65d337269", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "4f452d9f56b62a85917e5573aa9d6ccec3f73e1f315ed4713033aa6c121baad6", + "sha256": "972276704cff979323a1023ba183a94c4a7811ffb359898829ab87df4c85a032", "type": "eql", - "version": 210 + "version": 211 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "min_stack_version": "8.14", 
@@ -10830,22 +10885,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d", + "sha256": "1f948ef193a4bd5afe3496e85933faafaa574a3999c3f5ebdb743dc559799312", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "a781b7d7d5cb0610d58d9d15d1958e44ecdca51bccac374b26439493b44aa19e", + "sha256": "668a4b5083f2e5cddf17ac87a8d72dea5459ecb274000056b4b1190cf8cc9bb5", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "72b427f54c6695f023af0e9104a96d6c24a4b1b4656b3ad7c04ec87636e4af2c", + "sha256": "bb6f902b009039096c1412de2474ec0ac73ebe4aa60b042d2c63f0b0a7d3d2bf", "type": "eql", - "version": 203 + "version": 204 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "min_stack_version": "8.14", 
@@ -10853,21 +10908,21 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62", + "sha256": "84cb2fa184205ec6c7b5ebef44c3cf43d7a24ecba9aec4c0f148e7a5973fe61e", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "af45308979a39d4eaba7f820d1065c522553f97422f59b37e1ceaa30e384f5b6", + "sha256": "ea54cd3fdb16046632a7a7a59ce1c225ff10aa9102c2044d0a293ea1b71c04d0", "type": "eql", - "version": 102 + "version": 103 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", + "sha256": "cd16ad7a073247fc161d8c2ca330792ee681647ebcd1f37bb77fdc876df61cda", "type": "query", - "version": 103 + "version": 104 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.15", 
@@ -10875,28 +10930,28 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", + "sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", + "sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48", + "sha256": "08c9c6276d365fc690a88084ebcbae48a7842785385a954b0ed862a4b2a174dc", "type": "query", - "version": 410 + "version": 411 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", - "sha256": "5380c3038a2af299ccd3b033b1406b58964ffa17c1f58df16c2ef6e5cf6cb8f3", + "sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3", "type": "threshold", - "version": 3 + "version": 4 }, "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.15", 
@@ -10904,22 +10959,22 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", + "sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", + "sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff", + "sha256": "e169dafee56e838f29e144fabeded937b7f9b89958e3b1bd0ecaf6001a8cab9f", "type": "query", - "version": 409 + "version": 410 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", 
@@ -10949,22 +11004,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04", + "sha256": "07495ad3087d7d941d4ac6b44ccb6b4afffd0b7a10b6cd91e41dc91e2c8bf5df", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 410, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "5fbb8e28328ce0d6b8eb601ed88b02aea94913e0aaac62864d73965cca3ef190", + "sha256": "dbe3ce72ae96d9a388571dbaee69e57b2e0783bfb28d89c12682e731babdc79f", "type": "eql", - "version": 311 + "version": 312 } }, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "1a2bd980116032f3b23c60f6ff7d330af67914677769ffb5257e3c4586c81cf7", + "sha256": "f6b6199880ad069f381932ed419cc9eb6a89a0bdd3a8643c23bdf0f8ec1375b6", "type": "eql", - "version": 412 + "version": 413 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.14", @@ -10972,15 +11027,15 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Network Connection via MsXsl", - "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", + "sha256": "6fa622d8cf25c559993ee681c4c59fe4875676f7a1e75fae7f9837ae73c39837", "type": "eql", - "version": 106 + "version": 107 } }, "rule_name": "Network Connection via MsXsl", - "sha256": "2a8d4623d634d9ba410321005df48a3d01e6223aae8df69789c9d8d06ba0b095", + "sha256": "1d3c54055176ee07cd35f819d276249cbef1c3a9d0f0f4e1baa830336b20aaf7", "type": "eql", - "version": 206 + "version": 207 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.14", 
@@ -10988,22 +11043,22 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Kirbi File Creation", - "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22", + "sha256": "c10cf18764bba367c5dc4f521024dc94ef68710285c6f90a067c4237780913a5", "type": "eql", - "version": 7 + "version": 8 }, "8.13": { "max_allowable_version": 309, "rule_name": "Kirbi File Creation", - "sha256": "d4bb7b621d40378ce8bd39a87d46ccfedd440b733962e100fa3813f738a80a22", + "sha256": "e4040481f58c3fe815861e36ac5ce0ae5800f0c677fbfe8fb4f3b92a3ed843e3", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Kirbi File Creation", - "sha256": "9c52cab4c0ede53965241d9332ed5d03335a7efa2d96067f2cd95ea3844f3e1b", + "sha256": "4657563a7e924aa8d3e22e93a3d7b63359d96a5f3fca0bcc8b2acf48620e8517", "type": "eql", - "version": 311 + "version": 312 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.14", @@ -11011,22 +11066,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", + "sha256": "58aa89bc163a9683f9b49afe3a23214fc5db86e93510a6cec8b716e16e93cbe1", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "0cf05a58ea4296f5dd53393e3fa87a56decafbc24ed8a95c02173a6278d99696", + "sha256": "cbcbee9fed32c048febce9bb94050b601d2a11f48b70199fced4a32261b24be1", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "214ce6ab3146a3459a0af3b78a456204ac356e19d633e99e5b038f6e42f1306b", + "sha256": "5279287a7c569096f588da6a81739ad2b52940bb1fde4b4cdfc5e18d4c91a8f7", "type": "eql", - "version": 309 + "version": 310 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.13", 
@@ -11034,15 +11089,15 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Chkconfig Service Add", - "sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985", + "sha256": "86f0056ad335bea28f944aa15d086beedcd4cf45c699a155c5d200a3c5f35630", "type": "eql", - "version": 113 + "version": 114 } }, "rule_name": "Chkconfig Service Add", - "sha256": "79b56443468b45ce575c9a254a235d16a81c2aa037b5f0b8468ab2ba1ee11c68", + "sha256": "21e5aa78000484a6ec71a88a5576fdb6b587b05dcf7dfce464c4f80c2acb36cc", "type": "eql", - "version": 213 + "version": 214 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", @@ -11052,9 +11107,9 @@ }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", - "sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c", + "sha256": "19d1c906ae5392003ceb75e3b5029ddbf145381cfd2a57fe149af0c098078bcf", "type": "threshold", - "version": 4 + "version": 5 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.14", @@ -11074,9 +11129,9 @@ }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "96c38ecf43de8a4a33c0288d46a9ba72c818241dbfade2a921c8c79a69ed4faf", + "sha256": "6eb78e4e68db04a09adf0fdb65a67e357d7241e22256f53fa3efe38323d47515", "type": "eql", - "version": 111 + "version": 112 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.14", 
@@ -11084,22 +11139,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847", + "sha256": "30d3fcfb86a4c9e23c5563059dc2df4b75f106ceedf2a7f57f7731cb984430bc", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "bda5b68f6a9ce0faa83bde7e30a5eec3d8841869e427b86112cf0f0a52a6353d", + "sha256": "021d6661e231a18c2c0c62fe88c1b3a16cf3dfa20e449e7d6c704c50f70616ce", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "9623c43706d421a241ab6b399c014dbf39d8e09e1801bf1e8527980848090a52", + "sha256": "8448fdad37a26284d2c146a1c6f84be4345849b97567a3c0faf586e92b59aada", "type": "eql", - "version": 311 + "version": 312 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "min_stack_version": "8.13", @@ -11107,15 +11162,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": "7c771e2cb6b8fc6e241c50beebc9871ffb34e29e2758e25d9042b45a8104f2b4", + "sha256": "19b3cd102fa17756195c9b9ed7ab06bb5a730f2d79302f0afa39106c89e7525e", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": "7290db76baf9144af96253a9ce550a595a2a9f73702c03d611771e991ad38f20", + "sha256": "bf75ba62f1105bfb5b0c1a6818eb8027febd42efb55d134e7d5d25f967e06369", "type": "eql", - "version": 101 + "version": 102 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.14", 
@@ -11123,27 +11178,27 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Network Activity", - "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57", + "sha256": "cd715d2616e427081beaa901230dba625ab6c14e52d0571ae643a92f04c77435", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows Network Activity", - "sha256": "0a7119838ef1bbfcb9f54801d64f16dd3d98728399c20c2d35f94a5ce6ad4ce4", + "sha256": "006889f0bed32a73ed4d97e42325e7b69cd13e35ed45d30f6b58a091b6f54973", "type": "machine_learning", - "version": 206 + "version": 207 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", - "sha256": "58bc4d819e8f3c20c185397da3f15f20e53974723a07372c04ba0d8368367511", + "sha256": "78203718bf9153ae050ec6e0c41b037e34f6916e09b6cfb0d771158a41500c71", "type": "esql", - "version": 1 + "version": 2 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", - "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844", + "sha256": "33f5ec32f53d28ddc67a858bea818290a2defa25dbb7487eca3dc127a6b2c2e9", "type": "eql", - "version": 3 + "version": 4 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.14", 
@@ -11151,51 +11206,51 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", + "sha256": "998cfcfee5231e24bd5fb08c5921e0c9915f8d4b9db65d1b7daaa574cbf601af", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "94ce634225344b3f6df8c3497393fba829c409f0d01520f34d4611a74ed8bea3", + "sha256": "bf12d588236251e2feda39ddb4621aab72de0d06c0cc78366cfb8cde48293fc9", "type": "eql", - "version": 209 + "version": 210 }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", - "sha256": "8173c3edd7611e8e6ac7f67f431510c5f5f03b166aebaf51c63f23002e51efab", + "sha256": "5142cc67f154e6eca142e3365f66a98511c0ea7276fa784ece159df9c9204371", "type": "query", - "version": 1 + "version": 2 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deletion", - "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", + "sha256": "ee0a9985f47c61b4899e6db0ffb46a7ecbf7889137cbc89ba4af8a83b184591e", "type": "query", - "version": 102 + "version": 103 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", + "sha256": "38ebab645d36ccdb700fab60ae741b7fc1fdcd857893d3f9a8bd8d8104af6e69", "type": "query", - "version": 206 + "version": 207 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "OneDrive Malware File Upload", - "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", + "sha256": "b6bae391783faf8fddf063267243569a829caea469887045e326ef63f991dada", "type": "query", - "version": 206 + "version": 207 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { "rule_name": "Potential SYN-Based Port Scan Detected", - "sha256": "0586e7ec163e6ee3f44ce1f67ad461e83904af39fd44217e236e606f06b3631b", + 
"sha256": "05243ad8bcf1c489dda20542d41494fe6641f590a7c9163823244bca9ef5e080", "type": "threshold", - "version": 8 + "version": 9 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", + "sha256": "d2591be6119e7fd59bceea00f9241d1477bfca0672c2bddffa9aa118eba5e5a5", "type": "query", - "version": 207 + "version": 208 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "AWS Root Login Without MFA", 
@@ -11205,33 +11260,33 @@ }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "rule_name": "GCP Storage Bucket Deletion", - "sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d", + "sha256": "0e92d2b35ccf8e91dbd05bb2cf976add13ed7c2ebe9e7b8f3a14e6ba4423ddfd", "type": "query", - "version": 104 + "version": 105 }, "bc0fc359-68db-421e-a435-348ced7a7f92": { "rule_name": "Potential Privilege Escalation via Enlightenment", - "sha256": "6401927f8fccbd1a2df04a2676ccbbb51a67242c1fed8afcc893fdff0e431642", + "sha256": "c495eca6bcb598a318fb77f1671382014e7772f5465284d0f6c25913744e6e5d", "type": "eql", - "version": 2 + "version": 3 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", - "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972", + "sha256": "ca00d2bc624c0e0eb4f4138104ba3f44baf33fe7d37ef8b693d45c8809e8f686", "type": "query", - "version": 106 + "version": 107 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c", + "sha256": "585daba14bfe511045ed1f9225e2c8ef3004686898d5598678574811ce335190", "type": "query", - "version": 102 + "version": 103 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "rule_name": "Potential Non-Standard Port SSH connection", - "sha256": "97bc67179bba8f6cfb7b0f1f51016d7a35525d4394522b1dff503b2777675b42", + "sha256": "af251fd5a27dc1da60e95a6f5bd4dcf2a8651ea1becf053232e00e667f4eaac8", "type": "eql", - "version": 6 + "version": 7 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { "rule_name": "File and Directory Permissions Modification", 
@@ -11241,15 +11296,15 @@ }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", - "sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace", + "sha256": "e63ea7699aec49aa63199a96c6f12b53d541b10b9035007f16c27383a357cd39", "type": "query", - "version": 104 + "version": 105 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", - "sha256": "41097481c1fd5da6e1bd4c66305518ee0a92846e0a69ae89fd936b10338b1c33", + "sha256": "4c0f453a7ee9fec7e8d4245344823941109f187ed0b227e6556e050122701cdf", "type": "query", - "version": 5 + "version": 6 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.14", @@ -11289,21 +11344,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c", + "sha256": "e65486c1eace3f2cba2f77b32a8523d31ee20a81635805ba14e9344aff57dabc", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "db7cf9c80bdb8b5893f2f43e48a7d7df98a942bf350a50d63170ac69fa939a6f", + "sha256": "f993d429934670b2858130841325ed6efbed63e48d06218e4b98f59688c119b2", "type": "eql", - "version": 208 + "version": 209 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "208ae3e9f868bf1cce7eb02281964c937adbfde045a989a1092be5f6762da5f5", + "sha256": "3631d09f36db2837c95c7275f4a50e82f4de95b0d0073c8f8e590b4962170e27", "type": "eql", - "version": 8 + "version": 9 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.14", 
@@ -11311,15 +11366,15 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8", + "sha256": "c8d4db837c40680f29b2140e0f41995c0ce4aed2dbca551b70894be0abd9fd37", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "648bf202efc778e1ea44b6f4bc7c7ed4bc604a577fcc05f919cf3c4039e47be7", + "sha256": "2100b7b6c9f3ce481f1dcf4333c039e84300cc7aa056627d9862759994df042c", "type": "eql", - "version": 209 + "version": 210 }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "min_stack_version": "8.14", @@ -11327,15 +11382,15 @@ "8.13": { "max_allowable_version": 100, "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "fa9ae9a7e20aab6c162d2e5a0efe0f3abacb8e51ecc0dfde0e1e9ada66b911e5", + "sha256": "128e25dc4dd9800c4db478e306a37b6768835a4ef62f53f680e0cdd502d7d9bc", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "de2a9f336f392f64c5a8f2b0a31498085b0ef328787d7393babf01a457d396ae", + "sha256": "a97e98b65f9fd4cfb965319493b00bacc31ef7a46fb0a50e22baa11a6fba7ac7", "type": "eql", - "version": 102 + "version": 103 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "8.14", 
@@ -11343,21 +11398,21 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206", + "sha256": "a2ccf5e3e960c49d64850d992659f30b31d2b4619143f6ace9586298ada41e55", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "33fbe922a809500b90b0b747bca167cf62c51e06ababa878a628223092488470", + "sha256": "9b8577a62bbfbbcec6a5aba3c11a4d4901222b6a7403c548c74dda4a01e5f84a", "type": "machine_learning", - "version": 107 + "version": 108 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "rule_name": "Unusual Remote File Directory", - "sha256": "7b9570bb0ddabacbeccf2b03bf6ea05d0ed3a286165e5b807313c17531ac9116", + "sha256": "02fd93eaee629a0cd91484e1809579b28f142b07255c4e850b358d3255e40870", "type": "machine_learning", - "version": 4 + "version": 5 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.14", 
@@ -11365,28 +11420,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7", + "sha256": "1bf926c25f9a52807b31c6c522765f3687f5c07aded267e5efb051935cd32426", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "db1f6c9c5239a78f6c915ce9494aaffcf9463f9e6f0dd22ae5f13015228ec267", + "sha256": "50a2fccdd9f12b719de8bf5aa6575e9411a70beb5f69f0d624a2d57b94565894", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "f4689b888fd798880d919b9f8ffbd6b0e6a45d941a01ac44077e773d933a4b5b", + "sha256": "760c0bdbfa8e2d2cbd1b79da8d81f2bef5f54a26c29695209f466ed712a2ba4a", "type": "eql", - "version": 312 + "version": 313 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", - "sha256": "0703a09b818a7309df61f2173cfadcdd04899c0f597c70caebec0a6a7a077968", + "sha256": "5ed9f6f791ac753a0f0fa1e54b8d921e255e589b1e837cdbd454b8d4cd6703a5", "type": "eql", - "version": 207 + "version": 208 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", @@ -11396,9 +11451,9 @@ }, "bfba5158-1fd6-4937-a205-77d96213b341": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", - "sha256": "c3cf350e861be02338f712fd3772691bcefeb7f7d07e9718eec2fbc3476c707e", + "sha256": "ea23ea39e92ba2c5aa62c8b58b895f5fc1b9ed7e1645e2d1ebdf6f94725f24de", "type": "machine_learning", - "version": 4 + "version": 5 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.14", 
@@ -11418,9 +11473,9 @@ }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579", + "sha256": "d1081bdf15942c3ead0b673aca3c61da00f6a80d02751edf2450107ee01283ad", "type": "eql", - "version": 107 + "version": 108 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.14", @@ -11428,29 +11483,29 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210", + "sha256": "7e6ca9dcd52afbbcb0b9a55e6aa6e2769fa1ec0eea2be911c612512a3d980c07", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 309, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "46f5dedea1c425098d98714b5c270d6a19a1448ac58d30298bfc61ed75871e39", + "sha256": "2c89d3ecf4ae5e9471d08131a67258ada5c25e166066700187f8fb376b224e4b", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "22c604dcead155c536a23f4687ff4c4ff12c55e14328e455fe26c9d245f4db2f", + "sha256": "b27fd36d7d58fc1103502201694ebb4f9711505eb7be212b1970a49aa4018803", "type": "eql", - "version": 310 + "version": 311 }, "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { "min_stack_version": "8.13", "rule_name": "AWS IAM Login Profile Added for Root", - "sha256": "e97ee0da03a10eab7cd326f1e77d4b2c462848200bc15e183a7be0b2074dcca1", + "sha256": "260baba4a026a272e648f568530059f1eea3a4f0c91f0895da0a4110d7f684aa", "type": "esql", - "version": 1 + "version": 2 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", 
@@ -11460,9 +11515,9 @@ }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential Manipulation - Detected - Elastic Endgame", - "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3", + "sha256": "a4ff1c4f9d920c7e68294561498fe4fed983eb988fb9f5f2b48394a7deebc588", "type": "query", - "version": 103 + "version": 104 }, "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { "min_stack_version": "8.14", @@ -11482,15 +11537,15 @@ }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { "rule_name": "Suspicious Renaming of ESXI index.html File", - "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa", + "sha256": "7bfc1be6cb1b3f2bc6acd909ac81053d7da40a859ce32f301f7448b76a17d4fe", "type": "eql", - "version": 6 + "version": 7 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", + "sha256": "ae318338980158a5279e376699053252b367bd3ad4618eeec9bd5f9d18ca9749", "type": "query", - "version": 206 + "version": 207 }, "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { "rule_name": "Unusual AWS S3 Object Encryption with SSE-C", @@ -11499,10 +11554,10 @@ "version": 1 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { - "rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance", - "sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc", - "type": "query", - "version": 2 + "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance", + "sha256": "d6549a9282b2ef25313f167c7193896b02cb13efe287b26ba00e59de84647195", + "type": "new_terms", + "version": 3 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", 
@@ -11512,9 +11567,9 @@ }, "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", - "sha256": "7eaafe9a1859aea975f3a42c61875d9938e374647239d4b28ad396c47e79b439", + "sha256": "639384f73345b48b0a96eb16e0b3f8160d8573e672cdc7743e710a69b00c200a", "type": "eql", - "version": 3 + "version": 4 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.14", 
@@ -11522,40 +11577,40 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f", + "sha256": "29903b3865bb0e5568138436f842ca97f4731359045b7bff776424130946cc06", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "75e92ba876a46ba416822bbfaaed256d7fa604ac8d9cdcaebf4485f15cd91632", + "sha256": "69a7694bbee8a347e6b1f706a60da157e9a3f4ebef346e841475709ae3d55f67", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "6d389db925ca6ff91bfe40b09dda0749379ddfca071421d7cd921cb6eda3b48c", + "sha256": "dab86b9d33245df07123dcaad409fafb00109831e1aaa7d92ab104baa5ac8f46", "type": "eql", - "version": 312 + "version": 313 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "7d982bb13ae1a04e1debe5ea0265e3e5d576b25838f8bd13877d6c5a1b77a681", + "sha256": "8d8ee64704769447bf2d40b32ebb9e6d6425a52106d8fb1761fdbfe190f269a5", "type": "machine_learning", - "version": 104 + "version": 105 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", - "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa", + "sha256": "aebb2d6e14deb297e5776a1b9acbd4365a9ca16d04e7f180425a7d9f597c79e4", "type": "eql", - "version": 107 + "version": 108 }, "c296f888-eac6-4543-8da5-b6abb0d3304f": { "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", - "sha256": "ea98f3aeb649cfc57e8d9c4a04ecb8f4599dd683fc28415e8146ca925c02d14d", + "sha256": "c56c5fbae20de71b0b2282d5c481c2ae900325075c2feb25b32907fb7565593e", "type": "eql", - "version": 2 + "version": 3 }, "c2d90150-0133-451c-a783-533e736c12d7": { "min_stack_version": "8.14", 
@@ -11563,27 +11618,33 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Mshta Making Network Connections", - "sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624", + "sha256": "1df29ad5d0ca0a28702b68944cb3950151ce264faeed1d0cac6cdc59be122b4b", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Mshta Making Network Connections", - "sha256": "9f77b2b2eebd6e08c007e73536752a8651c85bccde0c72303282ccb671a8ed42", + "sha256": "35ebb1787e73b188c74759108e7580f588b69fec28e602e40297dbe2e08a1709", "type": "eql", - "version": 208 + "version": 209 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5", + "sha256": "cadcbc3ef71a2fdf85c7b7666569914967f3b8045422bfb42a860c4aa73358ec", "type": "query", - "version": 103 + "version": 104 }, "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": { "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", - "sha256": "0708e23a034fee01df470474eaa8c8f2f7a058631b83a0987e39af15bc538007", + "sha256": "18af645751efdccc31b367d06c1f9221851668fc7dabdcc02e9be3bc6d1268f5", "type": "new_terms", - "version": 3 + "version": 4 + }, + "c37ffc64-da75-447e-ad1c-cbc64727b3b8": { + "rule_name": "Suspicious Usage of bpf_probe_write_user Helper", + "sha256": "783dba9bf2adf9672499975f28ca2c251157407146f529383f27229b8b03b597", + "type": "query", + "version": 1 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "min_stack_version": "8.14", 
@@ -11591,28 +11652,28 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87", + "sha256": "2f351a320cf7736fa0382f0a514fc587d7a9a6e9df3e0fa798996b1378845e86", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 409, "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "3ee641a856aab0e4e1f23e3bb55717a5567eef2d8e52cd2264595fff36224273", + "sha256": "858019a92e6dbfe1af3a06f1d96710314aa12802e6db988f1f4a9c5bd6fbfe5a", "type": "eql", - "version": 310 + "version": 311 } }, "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "84190df73efbeee30c435b862e6339cd80ea290b44deb8a5717118537039b954", + "sha256": "aadadca71e75e01e994ff9148f368bfd7b277c1ddfdae04d6f9ea3aecf1e2ce2", "type": "eql", - "version": 410 + "version": 411 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8", + "sha256": "280e239c6b53224a5351f5f23e4f4660518500fe9da555ca1218ac45abb6caf5", "type": "eql", - "version": 104 + "version": 105 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "min_stack_version": "8.14", 
@@ -11620,22 +11681,22 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e", + "sha256": "bc1b90a1a5d02845a8233abdaaff8ca068f4d6ccb29b7d6e8df55c25ccc8190d", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "050a77ee2d2b2c854c6320a07694f747e48b09086e2645e5e46e63cda03729f0", + "sha256": "66d36844c67b648b4c4559b7763008bb43f79e6e5a69933731f037b434d1b553", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "d8d527c314b2a860bfd447d4f890c361324c76dafb9094cb24b83ce8992a998c", + "sha256": "72af0267f6d68ef9e8303b0f95ca9b116c0ab53dec1fbb65653f47f1db386071", "type": "eql", - "version": 311 + "version": 312 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "min_stack_version": "8.14", @@ -11643,22 +11704,22 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", + "sha256": "04b3ecf212987b57bdaedbb14a301b6f913473e5abb301dc94b6371c56d73567", "type": "eql", - "version": 107 + "version": 108 }, "8.13": { "max_allowable_version": 306, "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "8895e76598306332603174aa736fad580b191085cfa16e063a5e68dd62cfd102", + "sha256": "3cde3fd44462edc279d64b412008d521638ddabb0029d151dc594348b04ed627", "type": "eql", - "version": 207 + "version": 208 } }, "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "471171679c1f48fa93954b8787198a0094598e326a0f6c24ae1b22c07b40251d", + "sha256": "1ad69e32d7a2cf3559f0ee82cc8620601c5d764ba5c054292e16e4f9e5953fbf", "type": "eql", - "version": 307 + "version": 308 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", 
@@ -11704,28 +11765,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", + "sha256": "f23375e5d2e676c1e1abe448a171c858dc5ad2300e66ef5c599e7e8325cb3390", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "d7461fda5a82259331589a9df2a3a7f39630bc5f8e08c25f2190e7f8bfb1ae29", + "sha256": "fc5dcf6dd48339a257eefaebdb911d38f7a3a6bfd632423bee74a204c7834344", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "9f78c640ad25e83eafe47ad5226ce12c169358048d03ffb119f9b94df969c3e5", + "sha256": "71cec7c47c2c7d46230f68fe874142b0c1e36dec0aa4bec9023d29d4c4f23a15", "type": "eql", - "version": 309 + "version": 310 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276", + "sha256": "ae48749a0c3d555094e1e400445796ffab2c7a22025f4ec856e582107747e9ce", "type": "query", - "version": 104 + "version": 105 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.14", 
@@ -11733,15 +11794,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", + "sha256": "7e9ee856f86f121f008eb8a3304b4955828d5b4d5333a47de3f36d478e0562e7", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "7c57916d4cbeb0fde51ef91819b1a5011019694b631ce8c734dd6aae5bede3c6", + "sha256": "0fc2faa2b6a15a4dcf2d5aa403a414c13d8d9f33fc943f74616e6d4f067d98a8", "type": "eql", - "version": 208 + "version": 209 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.14", @@ -11749,22 +11810,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Installation of Custom Shim Databases", - "sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b", + "sha256": "e23bdb57b42ec1bbefbace5a408e8ede22db9bd8be59fae66e1ed6803db76173", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Installation of Custom Shim Databases", - "sha256": "71bfefdca279f32dd86cd0b316f2315947b2489ae20e1246bbe17df82f6004e9", + "sha256": "5a38f511fb995bba2a90739bb1fb7a241b0db108f50e9c84fb52f75652a1ab64", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Installation of Custom Shim Databases", - "sha256": "ae8bc9d069de44bffb8c71f3b18a9843bb54f74eec29f1e1cdd40651771676a0", + "sha256": "322920ea0c3accf1a5852f8ffd6d3e8861e45f262314f49ba54569768ea085f9", "type": "eql", - "version": 309 + "version": 310 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.14", 
@@ -11791,16 +11852,16 @@ }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f", + "sha256": "693843ef15d63ac5a1119459660ea9638b60f814907ca37f1dad377b7ee0e382", "type": "query", - "version": 102 + "version": 103 }, "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { "min_stack_version": "8.13", "rule_name": "Initramfs Unpacking via unmkinitramfs", - "sha256": "4c57f2ddcfdb1ebc7a9fa5222aca8bbf15a1b5cd862dc64ee9bf4719eee56581", + "sha256": "e0db18142f2246b20e8ced81755abfe720896bdb3f739e08b18c4aab3a6a9f43", "type": "eql", - "version": 1 + "version": 2 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.14", @@ -11808,22 +11869,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Remote File Download via MpCmdRun", - "sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c", + "sha256": "264309c3db8c109a609e4940bae53e25b00cd85ca02cfd4adbf27f2113815950", "type": "eql", - "version": 113 + "version": 114 }, "8.13": { "max_allowable_version": 312, "rule_name": "Remote File Download via MpCmdRun", - "sha256": "5ee5259c1f1e782f05ada777a136193574b44d4a693c38ad33781b6996a42ee3", + "sha256": "3e854ebb07cef539caae7a12bdabdbe67a2d9931c64e2558b2fce09bcb270e12", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Remote File Download via MpCmdRun", - "sha256": "a8f43c737d22256ef316daf60178182defb4bff24396c497fb6d3b777514ab10", + "sha256": "c4bcf943fd4ffed84dca06e325620fcd175c62a4953b6070d11085699584bb0f", "type": "eql", - "version": 314 + "version": 315 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", 
@@ -11834,9 +11895,9 @@ "c6655282-6c79-11ef-bbb5-f661ea17fbcc": { "min_stack_version": "8.13", "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source", - "sha256": "6ab179e3a47d3f25210c43b3d5af0d43eb7a3cac375c01c3181c75c095864ccb", + "sha256": "5dc411adacd7845d2c32dfe1d1b08f2b7cfb75f5e07a9ca693f8b1050edb2fa3", "type": "esql", - "version": 2 + "version": 3 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.15", @@ -11844,22 +11905,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", + "sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", + "sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9", + "sha256": "16dde6466f20cbc871b8fc349b4b46bb900cb9e48a0fd8eff6d2b4d73115074c", "type": "query", - "version": 410 + "version": 411 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.15", 
@@ -11867,28 +11928,28 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", + "sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", + "sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Attempt to Modify an Okta Application", - "sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010", + "sha256": "7079d9fbf68d6f1ce6eb93ce13bf93d12eb165900aa50027e2212ef5af7dd8f5", "type": "query", - "version": 409 + "version": 410 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", - "sha256": "316a1006bad5109ad8ef036d4b8ba5142bcc0cd4822c7c4c0e3f4852e1860f20", + "sha256": "bd9585b91a7e002b9713af6ecd82da4971298f71e200464b58abff6e760480cc", "type": "eql", - "version": 1 + "version": 2 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.14", 
@@ -11896,21 +11957,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Unusual Network Connection via DllHost", - "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", + "sha256": "1cd890b963ab7a701f5a6c45943d20f22cb173ff36b6ca80955b13239be44860", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Unusual Network Connection via DllHost", - "sha256": "2ec487d2c8aa01cad9488f877c4a770ba69fb9065a728c79edf06e8c31aaf20f", + "sha256": "dad569a0e953afbb3adc4424aa091610da67d623add251f2f923f920cdba014c", "type": "eql", - "version": 207 + "version": 208 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "3220434ae7ebd56669033cb648bf9d422b8aec1fb59053d8472bcb7a69abf1a1", + "sha256": "c02bd45f7127af6e3e516d36e39ddbf02d871d2d11196309d70a1b09b8e4d618", "type": "query", - "version": 204 + "version": 205 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.14", 
@@ -11918,45 +11979,45 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Unusual File Modification by dns.exe", - "sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182", + "sha256": "a3a91a39decef3a359f4dc95bc8be0401664ca49546b526ad694a3154ce425b6", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Unusual File Modification by dns.exe", - "sha256": "84418134bc5c4c6ecc1151adcb9fbc62839c51dd865a24dc270d5f1d3dc50363", + "sha256": "5055c42206d7d3df32f4241bed3b12ec940e263d0cf696d8de05ee4a4b71193a", "type": "eql", - "version": 211 + "version": 212 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", - "sha256": "f4b60bfd164d4de31f46f95a825acf02d2de3a0105fbea2b689f27ab7e13639c", + "sha256": "7e12650d2a7699b7d95e3bd4ed1a6ecf73e9dd59f940d81fea5fface3186e1a7", "type": "machine_learning", - "version": 105 + "version": 106 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37", + "sha256": "7b938e8a5930231c6667e1dfb87fafbc50238e0b6a32759a79dfff9a24132c45", "type": "query", - "version": 107 + "version": 108 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "801e97235c25019c80a78237b5ef98ff66883e7e236ae9ff293f74ec6ae09aad", + "sha256": "9ee8e6d69ebda1834191eedfbf0049afb38007ac2ba4e7e9899fac953921aca5", "type": "query", - "version": 104 + "version": 105 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", - "sha256": "5d272b19dcb9cdb2beaf0e6124ebad3b1ecfd48dab9d60987f7ef8bc5bab5318", + "sha256": "43cde79e14c795e66c93f424bb5109e68b3c837ecaa1139fd6031167225af203", "type": "eql", - "version": 112 + "version": 113 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": 
"a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827", + "sha256": "ea18c1e7446051bed3554cc614f300bd88307747e1963a329a0971f9ec41562b", "type": "eql", - "version": 105 + "version": 106 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", @@ -11966,15 +12027,15 @@ }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "rule_name": "Parent Process PID Spoofing", - "sha256": "b829c4a07bfb5c509b1c4bd6241656300dcb169905e9882e8e5c905f621f03d4", + "sha256": "0dc688321ac70be1762f4deffdd16b19f17b750ce8b9dd956b7aa04592517439", "type": "eql", - "version": 107 + "version": 108 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "beed8f315f35277cafc2f3c69e1efaa6dbb44c60c2a4898cb869bbccef4035c9", + "sha256": "1c866f4e679c1ff78ef5ea91bd349d56335ecec0516fd39e16fa829dc5b0caa4", "type": "eql", - "version": 10 + "version": 11 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.14", @@ -11982,22 +12043,22 @@ "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78", + "sha256": "b02f2bf5fccfed2accfb810dd6c38be499cc9fd52c4d23309848eb8170f374a8", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 312, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "d67260cfe20ef2ee8eb9e8acf13d36352e2608a38716e5270b57bd531fec9191", + "sha256": "c33b3be4b6a67c4dae7fba0831280618a7986cfaaebd4795ec7543db5a63792b", "type": "eql", - "version": 213 + "version": 214 } }, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "d560617a0b7c26d4a8f02dc76d6e3f106206eddf439a88ea24de0dc33126e896", + "sha256": "ef305abdbae7d8f1ecfb6ca40a4142dd81af12b9b5cdd154e063c7a98a5d8589", "type": "eql", - "version": 313 + "version": 314 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.14", 
@@ -12024,34 +12085,34 @@ }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "de1eb0970073590a08bf755681e729281d7d797a171493a9134023136554d391", + "sha256": "5532545b1d0648dc1414555d4be90a43ffb80fef68bc1f2e63af6b28990b4556", "type": "eql", - "version": 6 + "version": 7 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3", + "sha256": "99ae1a62762bf7d0262c79b33658fa930f597568a1ae9fc8331c333dfc91bbe8", "type": "query", - "version": 103 + "version": 104 }, "ca3bcacc-9285-4452-a742-5dae77538f61": { "min_stack_version": "8.13", "rule_name": "Polkit Version Discovery", - "sha256": "f71269394fd431ce68136702833ee5771eb6e4bb037e00776ecc9c7e4e4e6a28", + "sha256": "9b78faf57a8b5d10a2f71d6ab2ab00366515792348714943ad1aa1ee2d303d00", "type": "eql", - "version": 1 + "version": 2 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", + "sha256": "f9d687c9e6c694138baa5bac44dcc183c2cb70c69a7580e14fd4188c01bedbba", "type": "query", - "version": 206 + "version": 207 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "0f0023fc74fadd22887ee74c13f93f0c5174f8b66d140965587e4972eb2d3647", + "sha256": "ea099bf7bf302aa4eb27d5adcc8c2e0187e538d3b042ad83abdfaf4e869b5e3f", "type": "eql", - "version": 9 + "version": 10 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", 
@@ -12061,9 +12122,9 @@ }, "cac91072-d165-11ec-a764-f661ea17fbce": { "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "a8cbba8e757bacc0d4a491555d42b7d66a7d1eec1394da1a8f1cddfd82cf5bb9", + "sha256": "17830a8c24378fb8ea0b2c0fd6b002089e0761f86d47ae0af127d74ec05489a7", "type": "new_terms", - "version": 214 + "version": 215 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", @@ -12073,9 +12134,9 @@ }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", - "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da", + "sha256": "dbf5167ff460dda688296a49e1d5d48d5f1d0f19ca621f413100a1cbb02eedb5", "type": "query", - "version": 106 + "version": 107 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", @@ -12085,9 +12146,9 @@ }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "rule_name": "Attempt to Enable the Root Account", - "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d", + "sha256": "b89a2b2d3038c777d4599aaebf7e06253ae8c022cdeee090402de4e373b22654", "type": "query", - "version": 106 + "version": 107 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "min_stack_version": "8.15", 
@@ -12102,28 +12163,28 @@ "8.13": { "max_allowable_version": 203, "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", "type": "esql", - "version": 104 + "version": 105 }, "8.14": { "max_allowable_version": 303, "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", "type": "esql", - "version": 204 + "version": 205 } }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", "type": "esql", - "version": 304 + "version": 305 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", - "sha256": "332626f80c0a809547d1b86248b4ac5acc33ad7dd090fb4c94596b699126f751", + "sha256": "c81d5f537f0a2c406763b42d4ef5ef5a4bad745e4d41176ac84c5d34598e6c1e", "type": "machine_learning", - "version": 4 + "version": 5 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "rule_name": "Google Workspace User Organizational Unit Changed", @@ -12133,9 +12194,9 @@ }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408", + "sha256": "0f342ddaebb8be170f8947b26bbf9976454a9609a3fab69ef43946340d965b1f", "type": "query", - "version": 104 + "version": 105 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.15", 
@@ -12143,22 +12204,22 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", + "sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2", "type": "query", - "version": 210 + "version": 211 }, "8.14": { "max_allowable_version": 410, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", + "sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2", "type": "query", - "version": 311 + "version": 312 } }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e", + "sha256": "e077043096bb995208ae7655f2088f680ac0954e54eef38a732a21fbf54027d9", "type": "query", - "version": 411 + "version": 412 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", 
@@ -12172,22 +12233,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", + "sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", + "sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4", + "sha256": "690e620924cf220b5b56c70024faf4279be53fcb1832f317bd52fd6b70db9705", "type": "query", - "version": 410 + "version": 411 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -12197,9 +12258,9 @@ }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "71e437f699c5d256f96075db61c66ace40b1ed47dd875360db1c99de905bff79", + "sha256": "70003b5b25514505d843dd9aee62ca085795777f69e03784b7df399a89f5832f", "type": "machine_learning", - "version": 104 + "version": 105 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "min_stack_version": "8.13", 
@@ -12207,21 +12268,21 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Kernel Module Removal", - "sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7", + "sha256": "d72671bd3bab4e18d0837fc746481567bb678e23b73c20159cfbcaa361b9912c", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Kernel Module Removal", - "sha256": "184bbc37170d0bde143713a342eae3b1a1a6b6b01d294dbb267b6043fed984d7", + "sha256": "0d900e5572e3000cc32b07c35ac1201dca0eaa32fb23af0b0a837bd4a66af0ba", "type": "eql", - "version": 210 + "version": 211 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", - "sha256": "96627951c8f79991a7e7ad2d73372aa5abe51ca5b57851c08dd650ab77f12760", + "sha256": "4ea12333f42f437aa58e54d2644f3646936a8a5f93c6814a0ed2c67dff925da5", "type": "eql", - "version": 3 + "version": 4 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.15", @@ -12229,22 +12290,22 @@ "8.12": { "max_allowable_version": 310, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", + "sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759", "type": "eql", - "version": 211 + "version": 212 }, "8.14": { "max_allowable_version": 411, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", + "sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759", "type": "eql", - "version": 312 + "version": 313 } }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857", + "sha256": "f642652974fc308178cf8b88483c24d61cae898a7b3b2f9e3254e4dcd182cb40", "type": "eql", - "version": 412 + "version": 413 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.15", 
@@ -12252,22 +12313,22 @@ "8.12": { "max_allowable_version": 309, "rule_name": "Okta User Session Impersonation", - "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", + "sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde", "type": "query", - "version": 210 + "version": 211 }, "8.14": { "max_allowable_version": 410, "rule_name": "Okta User Session Impersonation", - "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", + "sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde", "type": "query", - "version": 311 + "version": 312 } }, "rule_name": "Okta User Session Impersonation", - "sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4", + "sha256": "3aa673f1c0c34cebfc6e3e55a3be648b570843086b6289d22c44ef3c70ff4f0d", "type": "query", - "version": 411 + "version": 412 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.14", 
@@ -12275,21 +12336,21 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b", + "sha256": "a02aef3d53b50e1841dd01ee25f506dc63a897f003265f8678ef3f82fa618670", "type": "query", - "version": 12 + "version": 13 } }, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "6262fc93d9b9ad2723c123c69d5d878e62bdec2dc156698f9ad18a818677df0c", + "sha256": "ab4ec07b2bdd59f75529ab2b6f8e58098bad8f3f8a08c9e0b2261cf7500d3015", "type": "query", - "version": 213 + "version": 214 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { - "rule_name": "Shadow File Modification", - "sha256": "ab59547a675e69ef560b0060dc95a158b1e98d40da959d1e6102a4474c39afbe", + "rule_name": "Shadow File Modification by Unusual Process", + "sha256": "31811725296500b46a530f4167b50a90a1939a9a30ae575a5f1605db107c530c", "type": "eql", - "version": 2 + "version": 3 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { "min_stack_version": "8.13", @@ -12310,9 +12371,9 @@ "ce4a32e5-32aa-47e6-80da-ced6d234387d": { "min_stack_version": "8.13", "rule_name": "GRUB Configuration File Creation", - "sha256": "64ec1097b715394beab2e75a36a9208a2ea026844e9af45605c73a09a0de896f", + "sha256": "cf29eec9c7946126d6e84a24c8c726e02c45cc182ef0dbc48dcb9b388761509a", "type": "eql", - "version": 1 + "version": 2 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.14", 
@@ -12320,28 +12381,28 @@ "8.12": { "max_allowable_version": 209, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65", + "sha256": "d6cd204299d4a7613c0652ab78b54b1b97f5c11b4f208fb0b5fb05d0f142656f", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "3124a4ec07d5162829476ceebb62530a7ed736152f13b37c55791b32ecf351b4", + "sha256": "abd7f59b6a23d28908dddaf17edaa914939c9587f387ef557ca5faaff341abd2", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "306a951d4400b5b1612097ba11a9eeaaa71e1d40a54b3f80d5a82ad3660c4b84", + "sha256": "90451475ce48d53de51f8ef8c31ab01801580c163221def965e9ed6c9b7d3b3b", "type": "eql", - "version": 311 + "version": 312 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", + "sha256": "7917f89564301d83f5dcb2013db39240afa955863bc98f21a1016208a37ea998", "type": "query", - "version": 105 + "version": 106 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "rule_name": "Domain Added to Google Workspace Trusted Domains", 
@@ -12367,22 +12428,22 @@ "8.12": { "max_allowable_version": 213, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe", + "sha256": "8db9e44ecf31d95be5241f20bf1dda7fee037f97daf672d1c60aa48ed16fa84a", "type": "eql", - "version": 114 + "version": 115 }, "8.13": { "max_allowable_version": 313, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "bb4695e9b2608cae2d13b3bd01ab45072258c75394dfc44f816bf2516ec760d7", + "sha256": "a54a9feef37567feb968c9bb2bbd6e0343c7c1a2371538b9d448e491e4870ce4", "type": "eql", - "version": 214 + "version": 215 } }, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "c89e2ffe082dc78f5ead10fa743f39ea35e1333b8a50a74298ef5d9b66ff1397", + "sha256": "627a9ee7b45a19df7b70233781fb7c76b129346cdb7286aeed83bdc9c87a7da6", "type": "eql", - "version": 314 + "version": 315 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", 
@@ -12396,21 +12457,21 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", + "sha256": "0f000268fdc695dfbee160cd34e2e1321d37c12eac2a69d832aef01d5306655d", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "239b829877d333ed75985a7eab0c2a2871778d3d0e8c4fea043f8a5f4157955e", + "sha256": "a34a38a2bd69b76b11a281c127669096bb54a71939d3a68397b3b21f872b0401", "type": "eql", - "version": 109 + "version": 110 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "rule_name": "AWS Credentials Searched For Inside A Container", - "sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e", + "sha256": "b3f0dfc6f24cc6c2787d62f56817932713a1a3feddb8a231273e9a0e3c66a88f", "type": "eql", - "version": 1 + "version": 2 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.14", @@ -12418,22 +12479,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35", + "sha256": "4bb55e1f7ac32a17597deba9c24186c785abfcd6953b10305a596ff29a27dd63", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "a6887e5edda607f541eedcf84f05242bf6d66840c91d08ea1cf84fc80283fa70", + "sha256": "c97fbd41a9b9ac3b79c7459e0bf3c636d1652d33043f7e530ccd2e038f258b18", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "fe172ebb9b9cc09ac3418473f8bbbe1fd438fc8c7f5e2711984cb8c781070f18", + "sha256": "0d395b1f9a4f028fc752ec37396aaea0a8b3896f2ac3318fe2edbd6daae092f7", "type": "eql", - "version": 311 + "version": 312 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.14", 
@@ -12460,9 +12521,9 @@ }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", - "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2", + "sha256": "232255e1a27a32df53f7b03d4a328673ddafc73b3d701b901c20ab79e1b5e28a", "type": "eql", - "version": 5 + "version": 6 }, "d197478e-39f0-4347-a22f-ba654718b148": { "rule_name": "Compression DLL Loaded by Unusual Process", @@ -12472,9 +12533,9 @@ }, "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { "rule_name": "AWS EC2 Instance Console Login via Assumed Role", - "sha256": "16a5255bebd2dbea413bcd674ddbbe9fc7c0e8a6c372b513b9a452bba2274d8a", + "sha256": "c4baae65ca422ef39a7b46b0def65701fd04eaaf1b938ab2d950984acde5db2a", "type": "eql", - "version": 1 + "version": 2 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", @@ -12484,9 +12545,9 @@ }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2", + "sha256": "95008cbe23f1fc8380e8181c4dac5e28c0ed9c9315589761e18569e50c4cde9d", "type": "query", - "version": 106 + "version": 107 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.14", @@ -12540,15 +12601,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Remote Windows Service Installed", - "sha256": "d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386", + "sha256": "aa6cdcf93a49ab5e86235d0f4bef6b42dd410c7af99275ef526c0d215b127609", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Remote Windows Service Installed", - "sha256": "7483da5c5a66152f79d48484ff586847c93f9cd9f44c51048e4dcdfbbf18bc12", + "sha256": "ca8463464ebf568c419e1064f2ee75dca25cfbe1117c40f7af9a92a48acc6ac3", "type": "eql", - "version": 107 + "version": 108 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { "min_stack_version": "8.14", 
@@ -12568,15 +12629,15 @@ }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", - "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd", + "sha256": "200625c2fbf06bb29f0c8238d440907deefa32e29cfc3982a544f408d9b7fdd3", "type": "eql", - "version": 107 + "version": 108 }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", - "sha256": "fc10d87ef74b91aafdf6f789f6c0f7602e2a1f222d20a3433c18424042268f55", + "sha256": "01c816014f421370ac32bb6369f8a83bc036b4cc7a1f817e5f34eed99deaaa01", "type": "eql", - "version": 1 + "version": 2 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.15", 
@@ -12584,40 +12645,40 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", + "sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", + "sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Attempt to Delete an Okta Application", - "sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d", + "sha256": "90f5212b5d6f828360ef355e1f922212881b33016383d2d9c78719cd37ed1639", "type": "query", - "version": 409 + "version": 410 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7", + "sha256": "6ad7ede3c52ca6d191275bc53d5af195bd6c4bac16d37b2a0d2c8431ae4a33dd", "type": "query", - "version": 102 + "version": 103 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "a740cf8d2af1163a0caf8571d1fa427c9ffbb89c38d76d67e0c2b0c96f6a6eec", + "sha256": "589f094b4f15686c52f3a6b3e8d0b26b2f6bc93446f91d37f0deed5dacbc30ca", "type": "machine_learning", - "version": 104 + "version": 105 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "52036d5d366833aa7013ae971eb5ed3ed41df8bea6cf821f0e49dbd0a551fa1d", + "sha256": "526a1d698d53c469d024aa72d1d2b07ea56ac34aa51fb0104c5f69fdce70948c", "type": "machine_learning", - "version": 104 + "version": 105 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "min_stack_version": "8.13", 
@@ -12625,27 +12686,27 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", + "sha256": "3ac7fcb80411d506306b5e742ea93bc2592f558ea93ac74f82e98b6453cf1094", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "a75a1c1f4f8d7379bddad6e879bb080e101d602e3a08c9e102a3af15d389b70e", + "sha256": "ae69c61f5dab3f5ba9b70f690911dca4cb31c94c9b851172f3093c18ea67a459", "type": "eql", - "version": 106 + "version": 107 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "sha256": "aa8a522f28deb9884ad3020ca10c320a35f2efecbaa26d0aae94519585b590cf", + "sha256": "6362b1916a2b6791294870b918126ed2b46b5a96f795bd03409f2948502d95a3", "type": "eql", - "version": 6 + "version": 7 }, "d55abdfb-5384-402b-add4-6c401501b0c3": { "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", - "sha256": "f6afb5d7d43edf7f2bb60691606cbc408d2e5790f4939177bdf5b9822c465fff", + "sha256": "c49807873cce90e54f6113c815e7c5772bf5e8273efeb370a5cb2812efcf171a", "type": "eql", - "version": 3 + "version": 4 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.14", 
@@ -12653,22 +12714,22 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625", + "sha256": "517d28ddbcd9550ac85394cdac2cee0844bc448d4be9b4e4aa81be52e1275002", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 307, "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "ccd6f0e1dc7444cd01f7f1273379600f001c8ba2608cd8c1e4744f5de3f677a1", + "sha256": "76d7e76f6c26a0e245b833dbed9be07a49f80004d68992ad351a789ab93f06d6", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "b882bc3921a13712f0db559c292b13772f12aaeb5673711e227685ccad9e7c56", + "sha256": "60b8eec12452b573096d484a711a30dba4b444661e967528e029b47d6ee84f62", "type": "eql", - "version": 308 + "version": 309 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.15", 
@@ -12676,22 +12737,22 @@ "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", + "sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c", "type": "query", - "version": 209 + "version": 210 }, "8.14": { "max_allowable_version": 409, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", + "sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c", "type": "query", - "version": 310 + "version": 311 } }, "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2", + "sha256": "457f9745d44991b7dbff97c8032d25b5f3d5c631adb8dc0e909ea948b837ae41", "type": "query", - "version": 410 + "version": 411 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.14", @@ -12699,21 +12760,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Service Command Lateral Movement", - "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", + "sha256": "0d07056086afc2ae7fc3933f654811d9b31cbcf86939f52cea27261c807c0b8c", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Service Command Lateral Movement", - "sha256": "17f85cbe91c6b5fdcfe53a17b2b99e0ecb72d024dd472cbc509963acec2b5ace", + "sha256": "e767e2798904e06d27a494fdecd4eec49bb912ec8b0c6940d3992927ef6354e1", "type": "eql", - "version": 207 + "version": 208 }, "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { "rule_name": "Unusual DPKG Execution", - "sha256": "24402d8ab6122a577c5617dca6a28ef35fbfe7ce2ff4051aaed28f9fd8640891", + "sha256": "895b0b421e83d0c19bb678d6d2924fd5fabe2fe53d4b1c5bf1ba548d6ffa65ac", "type": "eql", - "version": 2 + "version": 3 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", 
@@ -12723,9 +12784,9 @@ }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4", + "sha256": "bdfafb9c68e9892fa7b9ca7598f201f97e7939ca8ca8c33ffc98baa5c1c46cdf", "type": "query", - "version": 105 + "version": 106 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", @@ -12751,9 +12812,9 @@ }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", + "sha256": "64a63407de9de164073767409d81c4ad49dc544271236c164345d1a626d94c3a", "type": "query", - "version": 206 + "version": 207 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "min_stack_version": "8.14", 
@@ -12777,28 +12838,28 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9", + "sha256": "eee49e97f8be4dd945fdd081627a3fa84151189394053407c767cc654b03f61a", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "7c19ee463ecfc62c87fee685189cb441ee9abfb2ea897009a6c11ee131b6ede9", + "sha256": "636a5aa15d3dee30f441ac50911f29d0c8a99035e4b8d1e57294c5957baf6b73", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "17eea5871c73f5fb356a051968d7cb36bd835774aeff070acb752283235c8009", + "sha256": "77f519e1c25064d73042352df755adbf55aaa3901bd4c338ef309863f9b8dbd2", "type": "eql", - "version": 313 + "version": 314 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", + "sha256": "641ef2451b1987a3e9cb28358fcfd308d956ef099cab89e13168b853db4d48c1", "type": "query", - "version": 206 + "version": 207 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "min_stack_version": "8.13", 
@@ -12806,21 +12867,21 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious Memory grep Activity", - "sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a", + "sha256": "be15becb96ba5f7d3bbfbb8d336acdd122a95f155d4235a4e3941eefa4d8fa70", "type": "eql", - "version": 3 + "version": 4 } }, "rule_name": "Suspicious Memory grep Activity", - "sha256": "f153c6dee45aea70187e026f52bda5867a4d86ac55deeab921bd0b98f1386ea1", + "sha256": "ec4ccab9d3dd84614e45cc02c3ca638790f46ac21b6b52ea32b08885e416649f", "type": "eql", - "version": 103 + "version": 104 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", - "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091", + "sha256": "4c5994d232095f98e72abc6b0a4ff08477e6c845b50df9de6e6ae92745f25835", "type": "query", - "version": 206 + "version": 207 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.13", 
@@ -12828,39 +12889,39 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", + "sha256": "aa0975e7620cba81ba4d6b2b9aa05da8913d3f309cb4803fbff2ac88f7d9a4e0", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "e74a4d15744de9d351b31df43db4c14a3c027cb74eba3f0342dabc2b9d4ae03a", + "sha256": "f2c6a851be425812db9800238f821905d9956db9ec85937da8ce5b2d78f563b4", "type": "eql", - "version": 210 + "version": 211 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Permissions Modification", - "sha256": "346cc434526ad0dc7188a5077b3493b8499b644cfa218fe758d584d9f9e9074a", + "sha256": "b6f7d9e1c6d3053f849ee87cdd0567aa3e046fbf9c1400a060021426261838d2", "type": "query", - "version": 104 + "version": 105 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "rule_name": "Spike in Logon Events", - "sha256": "c88f7b8030359f06613e9c7fd1bf60b5c1e8f86f7d7febccd34c7969e1077bbc", + "sha256": "e6d5824de70c85d84e7bf5a4158c0893db7265f5bf6a4310aadd7a4cc1806bde", "type": "machine_learning", - "version": 104 + "version": 105 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", - "sha256": "fafc9b93a08a48425d81e9b8d77c65427d4a0059c9002836e7cd43db72fb0365", + "sha256": "dc4aaaebbe30ceb017d1b3100fec840afc7c916a2519037418a91ea060b581ea", "type": "query", - "version": 105 + "version": 106 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "rule_name": "Untrusted Driver Loaded", - "sha256": "c22a4b5aaf9a5211781fbafa109ec85e7094f3b473efa585e2dafa6bd86b481d", + "sha256": "9d627c046b1d969fa3cee29c64c2ede631bd7c2f11e2d5b0195467910718d443", "type": "eql", - "version": 9 + "version": 10 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", 
@@ -12874,22 +12935,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "NTDS Dump via Wbadmin", - "sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3", + "sha256": "a3662b99a5aeaba17b20017e4f74a5a700018221aa4f539eae6586749aef123b", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "NTDS Dump via Wbadmin", - "sha256": "9a7aecff18c2b2c03fb09f108eb19cf4062741ef26df0abd91a13a980b793f8d", + "sha256": "6d5f2be14d23c96aec4e7d179a2f0102cb02ce3f198dc30016b6ea842a71fdb1", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "NTDS Dump via Wbadmin", - "sha256": "0c9ca98240f1da76e24997c3f0e416ba94169679df7c594faaded88c0928357d", + "sha256": "432106a3b18e6a6c3983f2db37cc0d7c3d3a12ef2622c48805e23e67fc76576d", "type": "eql", - "version": 203 + "version": 204 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.14", @@ -12920,22 +12981,22 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb", + "sha256": "f33fa3c2f6e59b87d777b60c36ca2f7b49b83e7d55fd70bda7b51c5164f2e484", "type": "eql", - "version": 1 + "version": 2 }, "8.13": { "max_allowable_version": 200, "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "4100ea91fd5746ceabc0b3056bf622961cb4e56a6733775ccb8b74fc1394d4ff", + "sha256": "6992b10f898c3dd9c58648107a909375f088a7cbe752dfa3e89ad95f36d12be6", "type": "eql", - "version": 101 + "version": 102 } }, "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "f14448c067e0a0e0be1f51976cbc11fff0b37b0f5da3205c8afde1ae167e0eec", + "sha256": "091d2119d9f9bd8b91745b62a2dcab088dd2631acb0cbf1eb5b855fa829ef778", "type": "eql", - "version": 201 + "version": 202 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "min_stack_version": "8.14", 
@@ -12943,28 +13004,28 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e", + "sha256": "fc23e41a7d22a46223a5b1ed558336101405e6adad108127504e440c44d82a19", "type": "eql", - "version": 11 + "version": 12 }, "8.13": { "max_allowable_version": 210, "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "d9efb6f5bfab991a95e185da00b9c3797f891983b8b396c9d7dbf292e759abe7", + "sha256": "9d490d625ede5483e6874408d935d1e8ae2e654bf38990bd8ec90cac8d61e7e4", "type": "eql", - "version": 111 + "version": 112 } }, "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "cf52711a1189dd89d5cc0b35fc53b8cf7cf58f927144ecd794a969dd6245ad54", + "sha256": "0ac7d1624e694cec67982400a822b5692087df342748f9d9b10eebc1de8ffe03", "type": "eql", - "version": 211 + "version": 212 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", - "sha256": "84e89ef6464acb25c59d3bbb6ebd82d470bd3a6ad2ea4cb023ea9406ce17b797", + "sha256": "6f132baef5851efd00f760a31aa6cfdd4a68c0bd286f6abbf8cd245ebc635745", "type": "query", - "version": 5 + "version": 6 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "min_stack_version": "8.14", 
@@ -12972,15 +13033,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Suspicious Service was Installed in the System", - "sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb", + "sha256": "0d596807e4224d804bdfe2e04ba7a55241ebcd35ec0c8329585b908e6a811d4c", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Suspicious Service was Installed in the System", - "sha256": "4a237b6a951c3e4530bac7e5c14e1b5270fc7263a9cc7b53c6355f05422701df", + "sha256": "8c5a1b27f6a02621b57dc23c369f980d79cbceb34f18024d02dcf75ca46ae963", "type": "eql", - "version": 110 + "version": 111 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", @@ -12994,15 +13055,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d", + "sha256": "6e675455e0691aa059267316b5c588a3be00378d5ffc8f0d62d327ea9cf9bf9b", "type": "new_terms", - "version": 6 + "version": 7 } }, "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "605a26973cce40e167abba5375124060d5ae04432693969be8b5bee370e4185e", + "sha256": "e40d42488b5d12045dd32b4d104b2128f4032fc3e2a66c9578576d8f75e093b3", "type": "new_terms", - "version": 106 + "version": 107 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Multi-Factor Authentication Disabled for an Azure User", 
@@ -13016,22 +13077,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", + "sha256": "f070b0885fd560dca726ee750baad0826feb31d8d40ccb087eb224a1ea7abfbc", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "ea295acc9a2c0d920da2e8cd84ded801c713a06ad473c948126091def230b5ad", + "sha256": "042a48825a4fad14bc7163dd1ec03c4495809a3b597ef85c391fa358b2abf475", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "452e5fbee79ceeb158518545ac367412757396a660f25ecf4e8940a04976f311", + "sha256": "6512a9d12fa4ef27519126e321762a291e72b255d30192405b4cb411001266c6", "type": "eql", - "version": 203 + "version": 204 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "min_stack_version": "8.14", 
@@ -13039,28 +13100,28 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54", + "sha256": "1ec2b5f008f9e9bead822c864926d9183431f584d472eb22e8ff3ce2939b9c8c", "type": "eql", - "version": 7 + "version": 8 }, "8.13": { "max_allowable_version": 206, "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "7d866450dcc8e535903a7e7d28333859b7c1e5b20cf243b9885c0ba2fd3e3bfa", + "sha256": "daf311a52ba5b293679091a760f4b56a52f62f96e0ab510ea01cd988baa19167", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "d238242db88c4dffe3b45b6338748daa6638b409ae25dcebf555dc5fbd22ef37", + "sha256": "20558f6e7908c8dea171a7635ec499e0ebeccbe62d14d7f06850636afc8283f6", "type": "eql", - "version": 208 + "version": 209 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65", + "sha256": "d51a9914cc58576ea6fcc57df0fb35de299f08b8acf0ff37597124b12b9862db", "type": "query", - "version": 103 + "version": 104 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "min_stack_version": "8.13", 
@@ -13068,15 +13129,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", + "sha256": "d4648bbfa3d971cafd0c2664cbb8da0fc57af62582278b2246e279b1c7dcaa2e", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "bad0d95c6a8551468b0c035ca98e1d1f47ec295b1d544833a75c04ae31f18d44", + "sha256": "cfb81693b34a2db216c043943162205581d94349579a2b66a2675e3afedec5fa", "type": "eql", - "version": 105 + "version": 106 }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { "min_stack_version": "8.13", @@ -13084,15 +13145,15 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Git Hook Command Execution", - "sha256": "343b1b3846b8995220cd5a2462610b56200a929f418593766ed4d6be59d611c6", + "sha256": "dd6719030d3fe2a0ee69963aabd0b10598548861f0ca6a7ce968eb283b8a96f0", "type": "eql", - "version": 2 + "version": 3 } }, "rule_name": "Git Hook Command Execution", - "sha256": "3bac5605f2f7f71fbee8e939fdc4662424cab31681bb8fc5e2dd50983610fdf6", + "sha256": "3ad68272adbc2c5c4f5b945a065b67154c91b826cef8f120af822a44d62724e1", "type": "eql", - "version": 102 + "version": 103 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -13106,22 +13167,22 @@ "8.12": { "max_allowable_version": 108, "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c", + "sha256": "e16de17547f45513cc6097ae2c1fafc3fb841a3d7cd4876355dfdce3bd42d171", "type": "eql", - "version": 9 + "version": 10 } }, "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "4ec4efd8bc14d050cda2446ffa046c47cab81bedbea602f51c64f53582b57fa0", + "sha256": "0578fdb139348058c8c4a2e14b5a6ac8ae540f83b3f732433b174db4e0725628", "type": "eql", - "version": 109 + "version": 110 }, "dc765fb2-0c99-4e57-8c11-dafdf1992b66": { "min_stack_version": "8.13", "rule_name": "Dracut Module Creation", - "sha256": "51f31e2decacb917b2045e791f5b03e17de861b13042f271441c3df1a71461dc", + "sha256": "af7a3f72ed7f24e50bc14f940937bc9cf2bc1f6872e1d672d463b5165d85d1dc", "type": "eql", - "version": 1 + "version": 2 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.14", @@ -13158,22 +13219,22 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious Execution from INET Cache", - "sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da", + "sha256": "6aecf0b6e2c4fdfeae54ec1cfaa51070bd371c150206b98a27cf2be01bbad3a0", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Suspicious Execution from INET Cache", - "sha256": "ff4e6f8fc8ffdad46c9ca8403e225098989a5548343270fe5420b6a1021d3fbf", + "sha256": "e97febd5beb392ed445ad0e67d7a284e6d6588dd93baad573301b7714cff4c46", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Suspicious Execution from INET Cache", - "sha256": "6a04f4ffaa5c40018c58ab7ef7d0b4986d678da98c9dd78706e4c645c8bc71a5", + "sha256": "ab1e64f0d5a84e58ddf9a0fdbe54ccd23b6eeda4909f99483374237a1c2c74c1", "type": "eql", - "version": 204 + "version": 205 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "min_stack_version": "8.14", 
@@ -13181,28 +13242,28 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd", + "sha256": "8475f6c6b1206c9fd3c5085bb9b4677b0b6e931699d1763068961d84d8aa46a6", "type": "eql", - "version": 8 + "version": 9 }, "8.13": { "max_allowable_version": 207, "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "db373be5d72255dcfc03d21367e6a23f15576fe50874ec53d75ff7edf26e222d", + "sha256": "c4104efeb172e0634cf59ac025d803d9d3171803756060c76e6bf8cfd3d88a90", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "eb5782b9024f97b13ced9ed9a27e3af47b54101824f8592c383c4fa46f18bcb1", + "sha256": "795b6a57e976d8a06dd804326ac7ea4f673753436de7405e506a7a6ea8d8974a", "type": "eql", - "version": 209 + "version": 210 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", - "sha256": "9d09534c9e25cb62cc2ac0983ac2a41afb47c19dfec4625145ed0922d5c490d6", + "sha256": "877ce9bd8dbd29cea230dc9f74e14b082161a6dbe3fa64633fae76d569dc6b3d", "type": "eql", - "version": 3 + "version": 4 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "rule_name": "Reverse Shell Created via Named Pipe", 
@@ -13216,29 +13277,29 @@ "8.12": { "max_allowable_version": 209, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2", + "sha256": "84f5b0cc9b45784f5f3268b1f1cd252e3e460a30225570b04bd90ed819e7cd75", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 309, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "6581546aba5c9cbdb29e1998c5b3ce1a10bba7abbbdf5036de332cc395e4d74b", + "sha256": "c53af1114c332c599481a0ff4eede6a5a9b7a2b80284a201c3c7c5c3ba9dae11", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "50633d69f921b67ff24e8f6a63aef23b74ed335c0104445871dbc3945e3af63c", + "sha256": "e723d0b3254745f488ccac62bb67e6d2f069196659d17cf778fb42a524933135", "type": "eql", - "version": 310 + "version": 311 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "min_stack_version": "8.13", "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", - "sha256": "400a598f9f5f9aa9ee82ed31b38bfeea4491ad833f44cc808bb637777e55b74e", + "sha256": "c129a707d58db25a4c45591577570e807c1cda2be7e4167c44a922ada89b2939", "type": "esql", - "version": 3 + "version": 4 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.14", 
@@ -13246,22 +13307,22 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8", + "sha256": "dc59f461ee6eaded59582a8d9d1665d294369cbd7cefb74b93fc69c65b3626e3", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "a7b99e7aa7cbd5a81b8013087a2b9fccead7841f4219882418dcbd63763d3608", + "sha256": "d48e91e2df3b46dddd47dc1f8381eccd2d4ea3654875665feb8871b7f7df2498", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "cbc93e8df0c9561bcf71aa5c1c047699a17c624200c322609b788853594cca6a", + "sha256": "0e4c1d925e33511a5ca1c1b97c6b325baac1871f6c4426d17058007044aadf6f", "type": "eql", - "version": 312 + "version": 313 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.13", @@ -13269,15 +13330,15 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", + "sha256": "2110c27e62d99781d5a1189a8ed1fe2d6a400568585a8e6573fb473f783f9761", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "46f4ce8dd188feabf7a2bb0fb7aca87218ea33ea2fbd8f82ed35ca46faf70489", + "sha256": "a1fcc107efdf93073c6b20ae1f2c19b8fd281cc4cb1e5877c5c362869279c555", "type": "eql", - "version": 210 + "version": 211 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", 
@@ -13287,9 +13348,9 @@ }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", - "sha256": "1faad3f27c89ce87b1a4f9ba8d28fcd968f1da207d94216c3e71a09884db6eb8", + "sha256": "6323546ce88a2062ab9b777768a0a4282ac1a74384c1f21449a3262202208011", "type": "new_terms", - "version": 8 + "version": 9 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "8.14", @@ -13297,21 +13358,21 @@ "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e", + "sha256": "92bb89bd0e84c9232dcf024b09b211d04bf914a34e8ebcfcc2700c0f9f4154f6", "type": "machine_learning", - "version": 106 + "version": 107 } }, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "d328e86d5da5551f9015b551689158237ac673a65a0d2980967ff93f1b9638b3", + "sha256": "e7e813348ed80c496689f948ecd7de5edfefb9f63b906114a57bb6798b9253ae", "type": "machine_learning", - "version": 206 + "version": 207 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", - "sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669", + "sha256": "8fc27e74bfd62fc69cfb08bc0944fb02643fbb3fd3e9b84ef1e6b06e36ccba3b", "type": "query", - "version": 102 + "version": 103 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { "min_stack_version": "8.13", 
@@ -13319,28 +13380,28 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Dynamic Linker Copy", - "sha256": "c492826e8eb6d6b4fbae1dfc5820adbdcbc847d6f88fbf1e57c06d347b0d6c4f", + "sha256": "c129b0c687239213e54f4f95219e0ba6f09ce259ad97d16efe4789c56b4c1205", "type": "eql", - "version": 109 + "version": 110 } }, "rule_name": "Dynamic Linker Copy", - "sha256": "15a7a2d4be9e298988ff4d281539bbae818f22ccc5f95a1423e09fdb21f76bd2", + "sha256": "158bf61594522a3d1f0fdde66ec6ddedf8126dd16a556cd2b9a67ea025ae233a", "type": "eql", - "version": 209 + "version": 210 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "0aa047864e74cf8a18fe9dd039cc10fc1cfadcd1b2b98de5cfedf9afe1c98251", + "sha256": "ac73d656120d73f8776a9afbdc0c8a63ba9863321b9153d9529c67e61651a5a9", "type": "query", - "version": 204 + "version": 205 }, "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { "min_stack_version": "8.13", "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", - "sha256": "87f99fdccd4153758ed878449ec6d1fd72e56f20cd92bda5b802fe99fd9856e1", + "sha256": "f33b42f628062aaf94789a5880e98522fa684c465bdf6da024d16c74a4f02efc", "type": "esql", - "version": 3 + "version": 4 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", 
@@ -13354,34 +13415,34 @@ "8.12": { "max_allowable_version": 102, "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa", + "sha256": "f14455fd6ea9bdc73123f4c69cb12843cfcbe7747b51b622198eb087bb953f08", "type": "eql", - "version": 3 + "version": 4 }, "8.13": { "max_allowable_version": 202, "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "7b6acf6b548474373227dfe0d95525762951ea112531f064e226bb790080e8b1", + "sha256": "f7fcd4ec131f7e648b7fe8bb86887bfb768bd7bf3a006340a5e9fca5467205bd", "type": "eql", - "version": 103 + "version": 104 } }, "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "d0fe93377143f6c21a5d7bacce642eca85c15341cbdd34b6b4254173a819008c", + "sha256": "2b622d8bb5228a5ab103d2c5197eab64a8c1a0977cbc0594097fe979c66d2034", "type": "eql", - "version": 203 + "version": 204 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", - "sha256": "da0cf4affe1558ec93cbb7b96eac795d58a8770bcb564ff0b2021a7f7622eceb", + "sha256": "8b63af67b0b77e5d770c49f6e9a9216ab92f9f7aba27fe58b2f87b38dfd3b24e", "type": "eql", - "version": 3 + "version": 4 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure Firewall Policy Deletion", - "sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0", + "sha256": "3145c97b2a0f8a3dbe953d706b20b0db89737e622460e8eb92f562e46316b78d", "type": "query", - "version": 102 + "version": 103 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { "min_stack_version": "8.14", 
@@ -13389,15 +13450,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc", + "sha256": "d66a68b32ae569978a6ef6580b94f0b86b0f34b30ebec5e7173db7138003bce5", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "d73db62405efc39a8ad58641974ba0785e0ae2f01440c19c88e84e81a194593a", + "sha256": "93383cc44307548a071047b61fc0df04c3b9f6b286e64e7f6d26fcc4f6e1b84c", "type": "eql", - "version": 208 + "version": 209 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "min_stack_version": "8.14", @@ -13421,22 +13482,22 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", + "sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5", "type": "threshold", - "version": 211 + "version": 212 }, "8.14": { "max_allowable_version": 411, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", + "sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5", "type": "threshold", - "version": 312 + "version": 313 } }, "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238", + "sha256": "0f1797f4458f41926c4fb9920e9bad30476efd48173d83db37c845ac553c2e1a", "type": "threshold", - "version": 412 + "version": 413 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "min_stack_version": "8.13", 
@@ -13444,15 +13505,15 @@ "8.12": { "max_allowable_version": 104, "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119", + "sha256": "6147022642131c87ac6702fa482fbae2afa75394591d2a12545a08d85336f5f2", "type": "eql", - "version": 5 + "version": 6 } }, "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "a94c98d17b9a4ba79fbd2db8a440aabe9f52a55a651464571a9bf18937b49a4e", + "sha256": "10bdf2a8cb060ef98b459f111677380e45c54d687124dbe465153fc00b2a538b", "type": "eql", - "version": 105 + "version": 106 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "rule_name": "Whitespace Padding in Process Command Line", @@ -13462,21 +13523,21 @@ }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deletion", - "sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7", + "sha256": "55c15bc0ab3e65a9e0dcb4e9babf915de29b34b26b842fe6ad70c153dbc50212", "type": "query", - "version": 102 + "version": 103 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS Route Table Created", - "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", + "sha256": "c76bc6e2331f0b9bbf3d8f05a6f363c267e1509a793f6949082fc196e12f1fc6", "type": "query", - "version": 207 + "version": 208 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "AWS RDS Cluster Creation", - "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", + "sha256": "7b5a2e8745804344d0c558af38ae871fb0c48a51a92c943f98830876bce353b4", "type": "query", - "version": 206 + "version": 207 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.13", 
@@ -13484,21 +13545,21 @@ "8.12": { "max_allowable_version": 206, "rule_name": "Connection to External Network via Telnet", - "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", + "sha256": "28c7ce83de51514d2b297b6590e71038a20120a59fd3f1b8f1693e98dc5c1d7d", "type": "eql", - "version": 107 + "version": 108 } }, "rule_name": "Connection to External Network via Telnet", - "sha256": "eb720eb1df39451162379dd73ebb8021f2d6d061f11536dd6890358652908bc0", + "sha256": "d720edce6b79fc47c791e12e5f56665107bda8a672446989a274d7b62d630320", "type": "eql", - "version": 207 + "version": 208 }, "e1db8899-97c1-4851-8993-3a3265353601": { "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", - "sha256": "18d369e85745dfad874fe33bb6e7faff482e843a231c6c456cd2668d675040bb", + "sha256": "79e7d8b6c91ff85bfe18be26bfd2bbe3de8d62a447c19e86c2250d6f10e25dd6", "type": "machine_learning", - "version": 4 + "version": 5 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "min_stack_version": "8.13", @@ -13506,15 +13567,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", + "sha256": "2e1ea018087510cd48cb9978f295dfc7ae3df5e33ae6087605fe0c171ee6f7af", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "a9d9a985224bb2c25aae53626c351423299271473fb94800bbec865b77549cad", + "sha256": "573c1614e9fd8cb5c852934bb98d126cd819067b93989525581aa5526b540646", "type": "eql", - "version": 106 + "version": 107 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "rule_name": "Spike in Successful Logon Events from a Source IP", 
@@ -13528,15 +13589,15 @@
       "8.12": {
         "max_allowable_version": 211,
         "rule_name": "Suspicious .NET Reflection via PowerShell",
-        "sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2",
+        "sha256": "aceeffb1d2d30da61a5c975b4c978c1a8dd0687ddac7214c80ae21c9067eadfc",
         "type": "query",
-        "version": 113
+        "version": 114
       }
     },
     "rule_name": "Suspicious .NET Reflection via PowerShell",
-    "sha256": "ca835ae54902b43b43600be560e50e3ec172b5bab2d1419520717665a9b443e8",
+    "sha256": "ed908ff078c5a2e7569fc9967c30cc040397ed9122a09287031c0a4e5d04e377",
     "type": "query",
-    "version": 316
+    "version": 317
   },
   "e28b8093-833b-4eda-b877-0873d134cf3c": {
     "rule_name": "Network Traffic Capture via CAP_NET_RAW",
@@ -13546,9 +13607,9 @@
   },
   "e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
     "rule_name": "Suspicious pbpaste High Volume Activity",
-    "sha256": "a4c8f8bfde8a3b923156ef450b75f64bc7fe03e04671221bd7040e12c3e98c02",
+    "sha256": "2190e84f9e7192e1648c8b1673576f046c4e03d475bb75045c7b9e2e12bae237",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
     "rule_name": "AWS Management Console Root Login",
@@ -13568,22 +13629,22 @@
       "8.12": {
         "max_allowable_version": 107,
         "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
-        "sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576",
+        "sha256": "8d70b76836720ce1d1bfc90c83ef511c63192ceba13afe89de6d4bd71db8d10c",
         "type": "eql",
-        "version": 8
+        "version": 9
       },
       "8.13": {
         "max_allowable_version": 207,
         "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
-        "sha256": "e20728e2d7fdb11e0c89fe8b59339217c06311f3e887ecc68c878ac02e342c43",
+        "sha256": "8c937a63efdd09c306a4b062fb0111216523fadb6b29f8ddd000fc831dffb3a3",
         "type": "eql",
-        "version": 108
+        "version": 109
       }
     },
     "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
-    "sha256": "e700c3aa1868cdab411187bb9463c15130cb104b333c4aeca0f322d52bfbe885",
+    "sha256": "16d97ecf035e7b51f4cd64bf55a659d5b15dd93323fc78280d023922c5e1d00a",
     "type": "eql",
-    "version": 209
+    "version": 210
   },
   "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
     "min_stack_version": "8.14",
@@ -13603,9 +13664,9 @@
   },
   "e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
     "rule_name": "GCP IAM Role Deletion",
-    "sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe",
+    "sha256": "44411255b771a99faffe0685c0f5e63977818e21d073d24091ff91bd9aa33b51",
     "type": "query",
-    "version": 104
+    "version": 105
   },
   "e302e6c3-448c-4243-8d9b-d41da70db582": {
     "min_stack_version": "8.13",
@@ -13613,15 +13674,15 @@
       "8.12": {
         "max_allowable_version": 100,
         "rule_name": "Potential Data Splitting Detected",
-        "sha256": "e9c73adb2c1f6cce1863d61a9079baab27593eb754bed9dfb7462a2a0e757dfa",
+        "sha256": "7b1c198e74d0e4f3d7b01f471cbcaf92ef595343883d73f4bcca641970102396",
         "type": "eql",
-        "version": 1
+        "version": 2
       }
     },
     "rule_name": "Potential Data Splitting Detected",
-    "sha256": "c08a0ecf0d3956e8250d8f80883239a461489dd8a2b1a3f25bf3ddee0e528d5f",
+    "sha256": "e5a627c8877854a1743a8653bf701e6a542b29ef63ac512764742090ab97f019",
     "type": "eql",
-    "version": 101
+    "version": 102
   },
   "e3343ab9-4245-4715-b344-e11c56b0a47f": {
     "min_stack_version": "8.14",
@@ -13629,34 +13690,34 @@
       "8.12": {
         "max_allowable_version": 210,
         "rule_name": "Process Activity via Compiled HTML File",
-        "sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb",
+        "sha256": "c66a168ed3b1aa0efc9fd8a2c7f723b9b814fd5d0c3d2b6f04b437cf128a89ff",
         "type": "eql",
-        "version": 112
+        "version": 113
       },
       "8.13": {
         "max_allowable_version": 310,
         "rule_name": "Process Activity via Compiled HTML File",
-        "sha256": "b2ec162d5e1153e3aec75388d239610723efecf8e84f07bed191977174467f88",
+        "sha256": "076f262b0c9c62805bd7d969fc2bc5a6e3ae9dcbfa5c30cc922041a3087b7a7f",
         "type": "eql",
-        "version": 211
+        "version": 212
       }
     },
     "rule_name": "Process Activity via Compiled HTML File",
-    "sha256": "af6bff4d9b0f88e5cadd6ce1f24e77dac8a706d375a23109a8c681c97c6b4706",
+    "sha256": "77d77852881da5c7de3250605cbf8440cfb6dae48e1b9b767e4aad194d02688d",
     "type": "eql",
-    "version": 312
+    "version": 313
   },
   "e3c27562-709a-42bd-82f2-3ed926cced19": {
     "rule_name": "AWS Route53 private hosted zone associated with a VPC",
-    "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525",
+    "sha256": "f2d736a544e71eb0be5118b7e11cc5ca78ef900a8f8d7225e8c0b03ad08c6587",
     "type": "query",
-    "version": 206
+    "version": 207
   },
   "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
     "rule_name": "Ransomware - Prevented - Elastic Endgame",
-    "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462",
+    "sha256": "6b3dadd40aa120848fae2bf405a3e564a4f8f1f135f3e43273c9a5990cce5592",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
     "min_stack_version": "8.14",
@@ -13664,15 +13725,15 @@
       "8.12": {
         "max_allowable_version": 206,
         "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
-        "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
+        "sha256": "15425280f466c2729b02c0af122c6c595b30165cd51c4f683fee546070d396a0",
         "type": "eql",
-        "version": 107
+        "version": 108
       }
     },
     "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
-    "sha256": "b96e61601debc0c2b8731cd56031412334418497e035336cb8c471af5f70b60f",
+    "sha256": "151650631c31a43c201b4eaea3749b4f13790dd576c4420057b75b9cd51c740b",
     "type": "eql",
-    "version": 207
+    "version": 208
   },
   "e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
     "min_stack_version": "8.13",
@@ -13680,15 +13741,15 @@
       "8.12": {
         "max_allowable_version": 213,
         "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
-        "sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa",
+        "sha256": "3d6b19ea3b397ac9a3e1d4779f0bfbbbe891a2b9352cc8331b3d1b21b3492f86",
         "type": "eql",
-        "version": 114
+        "version": 115
       }
     },
     "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
-    "sha256": "8af95982bc5bf6ac79c1640581bac78450e3467512b7640c60b0ecf139a19a45",
+    "sha256": "55762f454327d9065371b5165062d4e75939cd27c5a7b9d08a60987b18431cbc",
     "type": "eql",
-    "version": 214
+    "version": 215
   },
   "e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
     "min_stack_version": "8.14",
@@ -13696,15 +13757,15 @@
       "8.12": {
         "max_allowable_version": 104,
         "rule_name": "First Time Seen NewCredentials Logon Process",
-        "sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f",
+        "sha256": "15409282fc22300e62bdd9cfa9c3699264d000fb84da5ff6405ad81aaa842305",
         "type": "new_terms",
-        "version": 5
+        "version": 6
       }
     },
     "rule_name": "First Time Seen NewCredentials Logon Process",
-    "sha256": "ffe14ac65dfa2a8820245873c21a9e1c00089649ed9d3be35102f434e3824639",
+    "sha256": "e2d4147e9b55b1a927716d2a92ff1672ed2857f83721c419e597fac90cda2559",
     "type": "new_terms",
-    "version": 105
+    "version": 106
   },
   "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
     "min_stack_version": "8.15",
@@ -13712,22 +13773,22 @@
       "8.12": {
         "max_allowable_version": 308,
         "rule_name": "Attempt to Modify an Okta Network Zone",
-        "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
+        "sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b",
         "type": "query",
-        "version": 209
+        "version": 210
       },
       "8.14": {
         "max_allowable_version": 409,
         "rule_name": "Attempt to Modify an Okta Network Zone",
-        "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
+        "sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b",
         "type": "query",
-        "version": 310
+        "version": 311
       }
     },
     "rule_name": "Attempt to Modify an Okta Network Zone",
-    "sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5",
+    "sha256": "e7a1afdd3aed5b8990f25c5c3ebc89a3d4e1911e68296667f6b6e4cc13e21407",
     "type": "query",
-    "version": 410
+    "version": 411
   },
   "e4e31051-ee01-4307-a6ee-b21b186958f4": {
     "min_stack_version": "8.14",
@@ -13735,15 +13796,15 @@
       "8.12": {
         "max_allowable_version": 205,
         "rule_name": "Service Creation via Local Kerberos Authentication",
-        "sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d",
+        "sha256": "efce8f9ccb0652297ffed54f6d3ccb3c621da9704c8b1a147357fe1b2dec9780",
         "type": "eql",
-        "version": 106
+        "version": 107
       }
     },
     "rule_name": "Service Creation via Local Kerberos Authentication",
-    "sha256": "9eb77e0dda391b5aa9d210c7d318596248ca59b969e138c7cfa6d9a2fcfd72ad",
+    "sha256": "beac001dcd5095010c452fd5a86f0733003a76aa6c8e8f3de2c8d7abef8fa9e1",
     "type": "eql",
-    "version": 206
+    "version": 207
   },
   "e514d8cd-ed15-4011-84e2-d15147e059f1": {
     "min_stack_version": "8.14",
@@ -13757,9 +13818,9 @@
       }
     },
     "rule_name": "Kerberos Pre-authentication Disabled for User",
-    "sha256": "aad6c2b791f2afc079b2ed0ef7a166717dc6a09cc6de90722d6ebf150ddc70fb",
-    "type": "query",
-    "version": 213
+    "sha256": "4f3219372b857ac80a9bfa981a981b8fca89e436d209e90b51d436bb7e8becbe",
+    "type": "eql",
+    "version": 214
   },
   "e555105c-ba6d-481f-82bb-9b633e7b4827": {
     "rule_name": "MFA Disabled for Google Workspace Organization",
@@ -13775,15 +13836,15 @@
   },
   "e6c1a552-7776-44ad-ae0f-8746cc07773c": {
     "rule_name": "Bash Shell Profile Modification",
-    "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3",
+    "sha256": "8893356dd5ca661718d8f5c32e3d5b4e2e31ced5866bad1aac12f2ae4b1837b8",
     "type": "query",
-    "version": 104
+    "version": 105
   },
   "e6c98d38-633d-4b3e-9387-42112cd5ac10": {
     "rule_name": "Authorization Plugin Modification",
-    "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e",
+    "sha256": "abc854ad84c4df75f33b8a3ec0b322047c931d738de30da1996883afbdd7b799",
     "type": "query",
-    "version": 107
+    "version": 108
   },
   "e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
     "min_stack_version": "8.15",
@@ -13791,34 +13852,34 @@
       "8.12": {
         "max_allowable_version": 307,
         "rule_name": "Possible Okta DoS Attack",
-        "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
+        "sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8",
         "type": "query",
-        "version": 208
+        "version": 209
       },
       "8.14": {
         "max_allowable_version": 408,
         "rule_name": "Possible Okta DoS Attack",
-        "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
+        "sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8",
         "type": "query",
-        "version": 309
+        "version": 310
       }
     },
     "rule_name": "Possible Okta DoS Attack",
-    "sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579",
+    "sha256": "d31797a2a9ebd8114c915f01f1b7222689f61769135d5406738283834a175f72",
     "type": "query",
-    "version": 409
+    "version": 410
   },
   "e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
     "rule_name": "Screensaver Plist File Modified by Unexpected Process",
-    "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51",
+    "sha256": "3dbf9bc9fd85cfb35ac80dc541572c5d63b43929630586389dfb4d21d5f3abea",
     "type": "eql",
-    "version": 107
+    "version": 108
   },
   "e7075e8d-a966-458e-a183-85cd331af255": {
     "rule_name": "Default Cobalt Strike Team Server Certificate",
-    "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e",
+    "sha256": "a33b86d48c3d3d62db7a1fa07ff45e3dd2ec92fa332099989635eeb934db5345",
     "type": "query",
-    "version": 104
+    "version": 105
   },
   "e707a7be-cc52-41ac-8ab3-d34b38c20005": {
     "rule_name": "Potential Credential Access via Memory Dump File Creation",
@@ -13832,15 +13893,15 @@
       "8.12": {
         "max_allowable_version": 206,
         "rule_name": "Execution of Persistent Suspicious Program",
-        "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
+        "sha256": "8e916c6e5e28236cf4e78bb6c9a7cb8991800d108c6dce8a147b6196ae27b89c",
         "type": "eql",
-        "version": 107
+        "version": 108
       }
     },
     "rule_name": "Execution of Persistent Suspicious Program",
-    "sha256": "a7f9e12e26f22539b2c1e4f2c784361d72a1bbc261ff0bc1fa9ba30bb48845a1",
+    "sha256": "745553dd4b4f167afb3f9d8aa2a73cb88e8a9984dbee97b741c011740ea72306",
     "type": "eql",
-    "version": 207
+    "version": 208
   },
   "e72f87d0-a70e-4f8d-8443-a6407bc34643": {
     "min_stack_version": "8.15",
@@ -13848,28 +13909,28 @@
       "8.12": {
         "max_allowable_version": 205,
         "rule_name": "Suspicious WMI Event Subscription Created",
-        "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20",
+        "sha256": "0eb9b50416c959551b3b273ef5326ae8b96145ec4ea717bee0033ea99d133af6",
         "type": "eql",
-        "version": 106
+        "version": 107
       },
       "8.14": {
         "max_allowable_version": 305,
         "rule_name": "Suspicious WMI Event Subscription Created",
-        "sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c",
+        "sha256": "123c8d391974a063625df859c1b10d7a95232b0f02f302c5097d70074e697164",
         "type": "eql",
-        "version": 206
+        "version": 207
       }
     },
     "rule_name": "Suspicious WMI Event Subscription Created",
-    "sha256": "c27d3d535d30d3af01b3d9c4fefd1fffd5d4aece3da4eec4fdcdd0ee716bdd22",
+    "sha256": "b11cb97ba4927fbd34141d3a5cc49333cbae82890c27eb7731e165ed71b3cdbc",
     "type": "eql",
-    "version": 306
+    "version": 307
   },
   "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
     "rule_name": "Potential Windows Session Hijacking via CcmExec",
-    "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a",
+    "sha256": "fc6696281aaff38aabf5ef6dfe7b56c731c027f5daa36aa8fa27db356d1836cf",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "e74d645b-fec6-431e-bf93-ca64a538e0de": {
     "rule_name": "Unusual Process For MSSQL Service Accounts",
@@ -13883,22 +13944,22 @@
       "8.12": {
         "max_allowable_version": 100,
         "rule_name": "Unusual Execution via Microsoft Common Console File",
-        "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
+        "sha256": "0bea98ee6e9ce10eac166784de0d4aeceb2b4e690051357201bb91cffc7e5edb",
         "type": "eql",
-        "version": 1
+        "version": 2
       },
       "8.13": {
         "max_allowable_version": 200,
         "rule_name": "Unusual Execution via Microsoft Common Console File",
-        "sha256": "8aa16b6d5c72cbd8db236cecb394fdb3419409a9334e5de3e489cba322b17da1",
+        "sha256": "5ff7838c257d23a22ac81dc996fa1bba6e80734971669cbf6c8f5bdfa6314f5f",
         "type": "eql",
-        "version": 101
+        "version": 102
       }
     },
     "rule_name": "Unusual Execution via Microsoft Common Console File",
-    "sha256": "91c9567bb907691834edbcbf81478eea228783238516ba4840d2a6678945a3f7",
+    "sha256": "8b9fb79800f9757717537734e0e8fd81eb27c77c51f3bea4933b4026af77e360",
     "type": "eql",
-    "version": 201
+    "version": 202
   },
   "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
     "min_stack_version": "8.13",
@@ -13906,27 +13967,27 @@
       "8.12": {
         "max_allowable_version": 107,
         "rule_name": "Potential Linux Credential Dumping via Unshadow",
-        "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393",
+        "sha256": "ecaad70591f430b71f38353b51514e955299f312f6299c043edbe78296d96c47",
         "type": "eql",
-        "version": 8
+        "version": 9
       }
     },
     "rule_name": "Potential Linux Credential Dumping via Unshadow",
-    "sha256": "33f6b8d02db10f4facbc48d16e77be33e52f39438aef54bf79c28fac85947e83",
+    "sha256": "6863009c2b3d1dcd070aa298d0dd85428eda56639d10b0cd9df2fbf806b56ea0",
     "type": "eql",
-    "version": 108
+    "version": 109
   },
   "e7cd5982-17c8-4959-874c-633acde7d426": {
-    "rule_name": "AWS Route Table Modified or Deleted",
-    "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112",
-    "type": "query",
-    "version": 207
+    "rule_name": "AWS EC2 Route Table Modified or Deleted",
+    "sha256": "e56e718a9723a794c9e062425a957d4e952f2a9984792aa9df06ea86c7310dda",
+    "type": "new_terms",
+    "version": 208
   },
   "e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
     "rule_name": "Network Connection by Cups or Foomatic-rip Child",
-    "sha256": "5537d2a44f881bfebdb8606aac6d5674c620607d55bb4822209da2cb5f3caa40",
+    "sha256": "a8e2f8106c708db68e63844ac1cc428b8667fe3c36c280e89ff02504ec867eeb",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
     "min_stack_version": "8.14",
@@ -13934,15 +13995,15 @@
       "8.12": {
         "max_allowable_version": 211,
         "rule_name": "Service Control Spawned via Script Interpreter",
-        "sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70",
+        "sha256": "32055c8d4af293ff9a8be66666fca76693403db6496116430450aab41050d035",
         "type": "eql",
-        "version": 112
+        "version": 113
       }
     },
     "rule_name": "Service Control Spawned via Script Interpreter",
-    "sha256": "a674e578cfbef5b95a62b11671aeca823f09b5f2f63129f91f2557fa46d972e4",
+    "sha256": "90408a5fd78cdaf27de15d201a1c9a85a6ef0ded0315d91be4d71a8ad7f8ac51",
     "type": "eql",
-    "version": 213
+    "version": 214
   },
   "e86da94d-e54b-4fb5-b96c-cecff87e8787": {
     "min_stack_version": "8.14",
@@ -13950,22 +14011,22 @@
       "8.12": {
         "max_allowable_version": 208,
         "rule_name": "Installation of Security Support Provider",
-        "sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7",
+        "sha256": "b539da6b7c1b1227bdb42936daceee9540ba7d0f3605ee4daa85bd0c836ac05a",
         "type": "eql",
-        "version": 109
+        "version": 110
       },
       "8.13": {
         "max_allowable_version": 308,
         "rule_name": "Installation of Security Support Provider",
-        "sha256": "3d579bb92fe8249d3708f287ce73068e3e1eb7d3da4d7457b71e6c95ec5e6491",
+        "sha256": "4921dd59a49f0857c4a5a11360976efc71f083994125f28706e6071dc19c7473",
         "type": "eql",
-        "version": 209
+        "version": 210
       }
     },
     "rule_name": "Installation of Security Support Provider",
-    "sha256": "e863b1547c1a211479f64783701a48f31459decaff80471ecc40d7b3f7d64f0d",
+    "sha256": "d3e972fca563427e3d76bb4395afc5f71c455501294696f9dc6df982b1d28abe",
     "type": "eql",
-    "version": 309
+    "version": 310
   },
   "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
     "min_stack_version": "8.14",
@@ -13973,27 +14034,27 @@
       "8.12": {
         "max_allowable_version": 106,
         "rule_name": "Host Files System Changes via Windows Subsystem for Linux",
-        "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006",
+        "sha256": "e8fd6440c6d6d88986539c259693d1ee14c53bbebd9bce21eab23ced642d5c02",
         "type": "eql",
-        "version": 7
+        "version": 8
       }
     },
     "rule_name": "Host Files System Changes via Windows Subsystem for Linux",
-    "sha256": "a8d0addea981abc201c8075ddf84cc71cf8e889932f1c06e212d64d43a19f083",
+    "sha256": "a50076fcb40d588e056f081e1168588950939d6c95a97f2facfed56882ce6f9e",
     "type": "eql",
-    "version": 107
+    "version": 108
   },
   "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
     "rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
-    "sha256": "14242eb38154b8a8e1a58bf61c0bfb74b5979a402c8daf3ac16d945e00cfd816",
+    "sha256": "a666b794f171a1a2c008b39794d12cb837d0fee82e293f8dc6601f749a723645",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
     "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
-    "sha256": "53547d9a43a3fc0d757d092bb75810899bd2886e9a0ff67b393c97c069bd4753",
+    "sha256": "b54a9721e854b951bcffd517564dba55d3d9f5a1b13ff4bc738ee5aa7e4f9bc5",
     "type": "new_terms",
-    "version": 107
+    "version": 108
   },
   "e90ee3af-45fc-432e-a850-4a58cf14a457": {
     "min_stack_version": "8.15",
@@ -14001,34 +14062,34 @@
       "8.12": {
         "max_allowable_version": 310,
         "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
-        "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
+        "sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4",
         "type": "threshold",
-        "version": 211
+        "version": 212
       },
       "8.14": {
         "max_allowable_version": 411,
         "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
-        "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
+        "sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4",
         "type": "threshold",
-        "version": 312
+        "version": 313
       }
     },
     "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
-    "sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425",
+    "sha256": "18719e990037ed4bcedb7040cb575b1b244fdea008bf902c36de0c0dc87262d9",
     "type": "threshold",
-    "version": 412
+    "version": 413
   },
   "e919611d-6b6f-493b-8314-7ed6ac2e413b": {
     "rule_name": "AWS EC2 VM Export Failure",
-    "sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c",
+    "sha256": "0cc0882f3f4079767583e56fd8ac76f94fe773a3ad47b80a5c7ef1f07e5afcd2",
     "type": "query",
-    "version": 206
+    "version": 207
   },
   "e92c99b6-c547-4bb6-b244-2f27394bc849": {
     "rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
-    "sha256": "97e36f64a18b7742354c75783032d8c937129028e729388f75253413f03292d8",
+    "sha256": "b7a20dbebcf0f6ecd941a69b135191989886cb45781f0e23444e523bfaa03208",
     "type": "machine_learning",
-    "version": 4
+    "version": 5
   },
   "e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
     "min_stack_version": "8.14",
@@ -14036,34 +14097,34 @@
       "8.12": {
         "max_allowable_version": 210,
         "rule_name": "Unusual Executable File Creation by a System Critical Process",
-        "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
+        "sha256": "6ef104d85ec9575226338908f304d5def68a7412883399913f6bb68378d6decb",
         "type": "eql",
-        "version": 111
+        "version": 112
       },
       "8.13": {
         "max_allowable_version": 310,
         "rule_name": "Unusual Executable File Creation by a System Critical Process",
-        "sha256": "9273914a7b7945fd48d1b65cbaca22cac9b1a363e215a919dfc7d7f2023e6a9b",
+        "sha256": "5f4f414a3ae8185a194ee698b33f60372d7733ed66e23b8ef56fe4c06edb3dbc",
         "type": "eql",
-        "version": 211
+        "version": 212
       }
     },
     "rule_name": "Unusual Executable File Creation by a System Critical Process",
-    "sha256": "3472059c099b888efa866c73f5ebda8a7cdd81a96a7c4c6c01e327c1d1fa2aa6",
+    "sha256": "2ec2b40b6d719512b8aedec3c65efa2e1ce6b38aa2dfb387edf32b43516c9421",
     "type": "eql",
-    "version": 311
+    "version": 312
   },
   "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
     "rule_name": "Potential LSA Authentication Package Abuse",
-    "sha256": "85a69d2c3599e4ee1bee8122b9a14c0b9148c3db5d510013e18e96dd0f9ec389",
+    "sha256": "5b5c778062c60175f66184a03ec8cc58deaec9c8d47e50b7e62d75b592eb203e",
     "type": "eql",
-    "version": 106
+    "version": 107
   },
   "e9b0902b-c515-413b-b80b-a8dcebc81a66": {
     "rule_name": "Spike in Remote File Transfers",
-    "sha256": "f9cfa49163402d6de09bf8956e320315bd0c937785ed3267ad306470bc834a69",
+    "sha256": "8d2b4cd0d07e0114cbfc97e7836712efaedb13d7941b49ba32df06344bed130f",
     "type": "machine_learning",
-    "version": 4
+    "version": 5
   },
   "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
     "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
@@ -14073,9 +14134,9 @@
   },
   "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
     "rule_name": "Azure Automation Webhook Created",
-    "sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078",
+    "sha256": "ca8b561fa907119476109df0f7f86007194ffc80c3b614c4f69522d366f15e92",
     "type": "query",
-    "version": 102
+    "version": 103
   },
   "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
     "rule_name": "SSH (Secure Shell) from the Internet",
@@ -14089,15 +14150,15 @@
       "8.12": {
         "max_allowable_version": 106,
         "rule_name": "Unusual Process Spawned by a Parent Process",
-        "sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879",
+        "sha256": "9305b82ec96b801a1ce3d03306069610691b62051ca30252e654c38b624f7c55",
         "type": "machine_learning",
-        "version": 7
+        "version": 8
       }
     },
     "rule_name": "Unusual Process Spawned by a Parent Process",
-    "sha256": "273ab111885b862ada1a91bda7e0c52c082564cfb0bd6c60905f01285ffdc336",
+    "sha256": "263dc5090dd778a47400fbeb93a47512defec5bc3e78d7bdd173ab8dd1c95910",
     "type": "machine_learning",
-    "version": 107
+    "version": 108
   },
   "ea248a02-bc47-4043-8e94-2885b19b2636": {
     "rule_name": "AWS IAM Brute Force of Assume Role Policy",
@@ -14107,21 +14168,21 @@
   },
   "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
     "rule_name": "Spike in Firewall Denies",
-    "sha256": "260bc7516505de6ab2ad79dccd957b4dc8c0f76dcbf987df647077cc0ced1f52",
+    "sha256": "fc408da92fc5febf3e95b3e4466fadb5f9c59ff6f98e5b71c5ba830dbebc52f3",
     "type": "machine_learning",
-    "version": 104
+    "version": 105
   },
   "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
     "rule_name": "Suspicious APT Package Manager Network Connection",
-    "sha256": "805fa189545f981d575ddc36086ba698c6cab425b1ecf2c09c8f857aa7db539f",
+    "sha256": "709ead5c81ab3e462057c1d8214a1ba0a83c82b80ff27328133a1e0faf4c29d0",
     "type": "eql",
-    "version": 4
+    "version": 5
   },
   "eb079c62-4481-4d6e-9643-3ca499df7aaa": {
     "rule_name": "External Alerts",
-    "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6",
+    "sha256": "cfe3ec83261ca32ec7fa6c3ec8fe8c6d8b42361b74fc363e99795dcce182badb",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "eb44611f-62a8-4036-a5ef-587098be6c43": {
     "min_stack_version": "8.14",
@@ -14129,15 +14190,15 @@
       "8.12": {
         "max_allowable_version": 105,
         "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
-        "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad",
+        "sha256": "0df8fef46aadb6e55f99fcb160c20a7c50b5b97687a0ae824409284676656051",
         "type": "query",
-        "version": 6
+        "version": 7
       }
     },
     "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
-    "sha256": "452345c390a3f58cffe2ad756b136a031115a28fa4243770374662c6c857f01a",
+    "sha256": "34b8cb6cbafa6c8284ce99c7c6cc95be28e2423a480b5e56d46de73e21ecb72a",
     "type": "query",
-    "version": 106
+    "version": 107
   },
   "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
     "min_stack_version": "8.14",
@@ -14164,9 +14225,9 @@
   "eb804972-ea34-11ee-a417-f661ea17fbce": {
     "min_stack_version": "8.16",
     "rule_name": "Behavior - Prevented - Elastic Defend",
-    "sha256": "ec5e33322a047ec2ab8e5339bcbc0a666083f428226a5c77f0384a4fc1d25e4f",
+    "sha256": "a02516be221389871603168f7a42128228b546471c99d60bbf22ea310f6e54e3",
     "type": "query",
-    "version": 1
+    "version": 2
   },
   "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
     "min_stack_version": "8.13",
@@ -14174,15 +14235,15 @@
       "8.12": {
         "max_allowable_version": 209,
         "rule_name": "Potential Disabling of SELinux",
-        "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef",
+        "sha256": "68bbdb25d3a0f0d088bd7072fdefec01a701b6549176297cee71b31463d90ffe",
         "type": "eql",
-        "version": 110
+        "version": 111
       }
     },
     "rule_name": "Potential Disabling of SELinux",
-    "sha256": "7c9c059e8f30a4e218760af3d2ca27b7b63469eee383e2e939b224fa3db2c470",
+    "sha256": "ddbc5c95a5cd722eb6547a67e6e8d7f04835cb44907b7480f2c46b5b94bc56c7",
     "type": "eql",
-    "version": 210
+    "version": 211
   },
   "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
     "min_stack_version": "8.14",
@@ -14236,40 +14297,40 @@
       "8.12": {
         "max_allowable_version": 211,
         "rule_name": "Process Execution from an Unusual Directory",
-        "sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce",
+        "sha256": "59220b274ab98c211eafbd5205e41e943cadddbebe78776bd28a88a2b38d017b",
         "type": "eql",
-        "version": 113
+        "version": 114
       },
       "8.13": {
         "max_allowable_version": 311,
         "rule_name": "Process Execution from an Unusual Directory",
-        "sha256": "7b1ad0930e0d399848cb3814f29f4114d11dc749c1117fe69b11dcfda2aa05d4",
+        "sha256": "dae2d05e8c9a23744a3d55ec56c1540501141276c8789e74c7e1aa33e787721d",
         "type": "eql",
-        "version": 213
+        "version": 214
       }
     },
     "rule_name": "Process Execution from an Unusual Directory",
-    "sha256": "b5ef38fb69f464a4b3a78df77efdff1973928840166119bd81ec4834d944cac2",
+    "sha256": "76b8d3439003b72e5e932ff9c74478b5688253f8092575aea6c69d58e043bcc5",
     "type": "eql",
-    "version": 313
+    "version": 314
   },
   "ec604672-bed9-43e1-8871-cf591c052550": {
     "rule_name": "File Made Executable via Chmod Inside A Container",
-    "sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54",
+    "sha256": "c4678239b073c9e1c28fd96f625436ef8f93ab27e0b80d9d2da6d39d0ced459d",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
     "rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
-    "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df",
+    "sha256": "4572e35abc9f3fb1f7be34775ed498cbbbca8890182cba8ca5beff3a53bf673f",
     "type": "query",
-    "version": 206
+    "version": 207
   },
   "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
     "rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
-    "sha256": "61702c8dcf0374f8bb444a8a111fb32779c6ef86dbbfa133ec1fdb56321c8db1",
+    "sha256": "5a63abf64de763c9eee2d8689dc1c75693f79b684903c4b6cb6941ea024892e0",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
     "rule_name": "Executable File with Unusual Extension",
@@ -14279,15 +14340,15 @@
   },
   "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
     "rule_name": "AWS RDS Instance/Cluster Stoppage",
-    "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58",
+    "sha256": "35c7505a4a7e2503e09a6d55f986977e180f79e72dfde6b46e17c48fff3342e3",
     "type": "query",
-    "version": 206
+    "version": 207
   },
   "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
     "rule_name": "Azure Global Administrator Role Addition to PIM User",
-    "sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c",
+    "sha256": "31edfa8b99be2305a6bb1447799c69cf2f60e5a834ce4b064a4b4665bea80dd1",
     "type": "query",
-    "version": 102
+    "version": 103
   },
   "eda499b8-a073-4e35-9733-22ec71f57f3a": {
     "min_stack_version": "8.14",
@@ -14318,22 +14379,22 @@
       "8.12": {
         "max_allowable_version": 308,
         "rule_name": "Attempt to Deactivate an Okta Application",
-        "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
+        "sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94",
         "type": "query",
-        "version": 209
+        "version": 210
       },
       "8.14": {
         "max_allowable_version": 409,
         "rule_name": "Attempt to Deactivate an Okta Application",
-        "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
+        "sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94",
         "type": "query",
-        "version": 310
+        "version": 311
       }
     },
     "rule_name": "Attempt to Deactivate an Okta Application",
-    "sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a",
+    "sha256": "f254d125f5da752be3671f52f44af3671f6730739ac5e5fe785f8bd0f831b628",
     "type": "query",
-    "version": 410
+    "version": 411
   },
   "edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
     "min_stack_version": "8.14",
@@ -14341,28 +14402,28 @@
       "8.12": {
         "max_allowable_version": 212,
         "rule_name": "ImageLoad via Windows Update Auto Update Client",
-        "sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8",
+        "sha256": "495c9c3c998abfebae7ebc1d58f5d3fbf791ad4eaf2718e83c11d65598b43fe3",
         "type": "eql",
-        "version": 113
+        "version": 114
       },
       "8.13": {
         "max_allowable_version": 312,
         "rule_name": "ImageLoad via Windows Update Auto Update Client",
-        "sha256": "bdcf41c9d261562501f02bbc0fdf00741c278f827f8c4b389c9b44351aaa466b",
+        "sha256": "3b0ac08f7d0c601b06e44b9edb38650af8ddbdc85f786151f275fa96f595fe72",
         "type": "eql",
-        "version": 213
+        "version": 214
       }
     },
     "rule_name": "ImageLoad via Windows Update Auto Update Client",
-    "sha256": "b1477cad6a3940c5331b5aac48248d75f2d9628f206c15ca3a83c52a0f2fde0d",
+    "sha256": "9a796bd4864dce9764f4ff2cbf3bd4ccb3217521e23209f69c4e18ecf9ad41d1",
     "type": "eql",
-    "version": 314
+    "version": 315
   },
   "edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
     "rule_name": "Linux User Account Creation",
-    "sha256": "4af9d5eb4553ab22a10d185542796bf3827c9c57126d958da584089a9b4181a6",
+    "sha256": "5147bc8232ad7a92a84e036bdd81d4fcbcc9ce09fe2b0a2697ae01769ec50e20",
     "type": "eql",
-    "version": 6
+    "version": 7
   },
   "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
     "min_stack_version": "8.15",
@@ -14370,22 +14431,22 @@
       "8.12": {
         "max_allowable_version": 205,
         "rule_name": "Okta FastPass Phishing Detection",
-        "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
+        "sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24",
         "type": "query",
-        "version": 106
+        "version": 107
       },
       "8.14": {
         "max_allowable_version": 306,
         "rule_name": "Okta FastPass Phishing Detection",
-        "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
+        "sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24",
         "type": "query",
-        "version": 207
+        "version": 208
       }
     },
     "rule_name": "Okta FastPass Phishing Detection",
-    "sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54",
+    "sha256": "7ff673016488bafc9ac4a344918957eda1629b68b0dd51bdc773ce2f9ace05a3",
     "type": "query",
-    "version": 307
+    "version": 308
   },
   "ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
     "min_stack_version": "8.14",
@@ -14393,15 +14454,15 @@
       "8.12": {
         "max_allowable_version": 208,
         "rule_name": "Unusual Print Spooler Child Process",
-        "sha256": "1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961",
+        "sha256": "0c4cf82321253f33a4bf12dfa7306b7c39b7082304cab83766ef69126f83169e",
         "type": "eql",
-        "version": 109
+        "version": 110
       }
     },
     "rule_name": "Unusual Print Spooler Child Process",
-    "sha256": "986186036dc086ae57af371ae59653ca11d16660a1311a709a7137fa6c7e6fd5",
+    "sha256": "83d9b00ad3282d46a266bd3524f468f382c3f23737c05e7e9196acf838551cdf",
     "type": "eql",
-    "version": 209
+    "version": 210
   },
   "ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
     "rule_name": "Shortcut File Written or Modified on Startup Folder",
@@ -14417,9 +14478,9 @@ }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", + "sha256": "ad6a020e96bacaa9b0609d324df1d4bede5193713d80abfaa29dd4bb5b83370b", "type": "eql", - "version": 107 + "version": 108 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.13", @@ -14427,15 +14488,15 @@ "8.12": { "max_allowable_version": 207, "rule_name": "BPF filter applied using TC", - "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", + "sha256": "446f19bb2ea5d80c1e18160601ba2b38ea8e81328974575d0c5369662901dfac", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "BPF filter applied using TC", - "sha256": "6084cde353a59189dfa571e84e654b91e3ede46be8519e25dbf59b69aab4724d", + "sha256": "d93beefad79cf7690a39e4923afdc93fe4ed9d5dcd991c142db3b53b8c7edf28", "type": "eql", - "version": 208 + "version": 209 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "min_stack_version": "8.13", 
@@ -14443,21 +14504,21 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", + "sha256": "f4ee5791bd579b8b6592dbca0af0c3eae7553a3f4d087397f873f3621c85d929", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "207a4a55c909e48b5ef7acf11d3790c83f34a5e398cc4094eeb9346d2dd39c97", + "sha256": "a6758e15fce5ea6d93d0095eea2a912b516de9b55a219b77b27a978d7f17f588", "type": "eql", - "version": 107 + "version": 108 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "rule_name": "Potential Container Escape via Modified notify_on_release File", - "sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04", + "sha256": "f08d245a0e30752adf439c2153063782f96520a044e2dda10798503db0580fcd", "type": "eql", - "version": 1 + "version": 2 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.14", @@ -14477,9 +14538,9 @@ }, "ef8cc01c-fc49-4954-a175-98569c646740": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", - "sha256": "90d364f8a22a46e10400502782f9e63b502856dae193ee242c9df80b475350ca", + "sha256": "deb097d91aed42823bd3a3204774168f890ba2423ac4e4253b9d060f32f50e79", "type": "machine_learning", - "version": 4 + "version": 5 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.14", 
@@ -14487,21 +14548,21 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", + "sha256": "23beebafef0bf295f6aaf5f99044dc15f8db23dfc7a6f68d46c1cb7a9416c43b", "type": "eql", - "version": 108 + "version": 109 } }, "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "c27a1557272e16660b29e32abdf339448cda357be42a5df8ff09e7cd7089e867", + "sha256": "6f3bb7099a9a769fb898a67560799db56ad58c5624c016b1d46a98b1bd12e651", "type": "eql", - "version": 208 + "version": 209 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "rule_name": "Suspicious HTML File Creation", - "sha256": "30a4a9a823ba20654cac348d46d6ed2d266e48a105d74d2b07cd97485f45e644", + "sha256": "2d7643f5258ea00499f6a724d37680b18ea9e51cff76a508b397813d06cc2023", "type": "eql", - "version": 108 + "version": 109 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.15", 
@@ -14509,40 +14570,40 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", + "sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", + "sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1", + "sha256": "7dec7b69a9ae716233a2cc4ee0bf5ce3e8f108b425d0be073ef6d211e7eaeb3a", "type": "query", - "version": 409 + "version": 410 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", - "sha256": "910384ce8b7a90baf6621c861b7a046f4764fa0a712b0a51e2aaf95bc8363a39", + "sha256": "f28f5314da6a041075848884c58593ba3bf4868e10c7789f92de570c17b6a730", "type": "eql", - "version": 109 + "version": 110 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Alert Suppression Rule Created or Modified", - "sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270", + "sha256": "dce40c891055fa59c868c0409223dc95efa62252fab387bc182bf9ad3f30eb55", "type": "query", - "version": 102 + "version": 103 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", + "sha256": "ddd5f8f0b1dbde6fb7d9d9802b9190fa54d38d94c423afe4c859794d73da4720", "type": "query", - "version": 106 + "version": 107 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "min_stack_version": "8.13", 
@@ -14550,15 +14611,15 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", + "sha256": "c678c2e4d480d9276b6bc7967e6eb21e4cac673058c59d4b70b8be8b00bbf699", "type": "eql", - "version": 7 + "version": 8 } }, "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "8067c8aa2719fd9d74fa030a8d363993b52cd2f7157cfd90c33082869504b004", + "sha256": "8f51b11fbb85ef6502fd4aeef70d40c1a0a94600569968410fcbcfe78e864fd2", "type": "eql", - "version": 107 + "version": 108 }, "f18a474c-3632-427f-bcf5-363c994309ee": { "min_stack_version": "8.13", @@ -14566,27 +14627,27 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Process Capability Set via setcap Utility", - "sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2", + "sha256": "8104467acd6f82c9b69239d6bebc8750dcce6da3f4f4efbad4a57197063174ba", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Process Capability Set via setcap Utility", - "sha256": "d5f6b2267222943dbe00ff7f33af89e030ceabde1cadb4e0ee50680d0305a6b2", + "sha256": "c7c1780ea2c3381899f8df2aca24d636619832fa7d0cc4a7637a1b519513a2b5", "type": "eql", - "version": 101 + "version": 102 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", - "sha256": "da7ef3b91f3643cdf38700c894afdb9c990e17ed9711f5e4a7e4133589c98b04", + "sha256": "53a99b49697dcd944871a7610cafdbf834659d68f5631056a35cc52f1c8e1aab", "type": "query", - "version": 3 + "version": 4 }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", - "sha256": "4e740008509defdc52f3ce580a43a0c02b9f679ad77ebf0f4136253adef5b1ec", + "sha256": "684a674daf52a0659d98f70c6854676100390d6c0cc41568e4450ec8568d1115", "type": "eql", - "version": 2 + "version": 3 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { "min_stack_version": "8.14", 
@@ -14606,9 +14667,9 @@ }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", + "sha256": "ef281309a553487eec147442e89518ebb16d626f9c63c5ffd94663b7a1e6fd89", "type": "eql", - "version": 108 + "version": 109 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.13", @@ -14616,29 +14677,29 @@ "8.12": { "max_allowable_version": 209, "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2", + "sha256": "d34b536f30334984723914ab4d44bef45a48785b1ce33846ea6fa8169f40a9bf", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "809020a2abcd5cbc4905175fa9c340ce4d03a5badb092749e5582d500fe84741", + "sha256": "6779913c9f6aa81caa57d89b94072b01b0638454d4faaa9433f37e902cd65b5a", "type": "eql", - "version": 210 + "version": 211 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Malicious File - Detected - Elastic Defend", - "sha256": "7b9a35f4a8a0e47cd62338e301fda982b665581e69582f6f07a420516a7c5d81", + "sha256": "b483ff55b947e2e93555fb3aa39f1789262e4edb4e5694c10bc19b8a2c486dbf", "type": "query", - "version": 1 + "version": 2 }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", - "sha256": "c38cb3e116786c25852f4790593e82bfaff12642ff456bb3fa6fd5dab8596b3c", + "sha256": "42cba0422e9398684922e14a9f8bcb52726504673ccd9369a94911561994ab23", "type": "esql", - "version": 1 + "version": 2 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.14", 
@@ -14646,22 +14707,22 @@ "8.12": { "max_allowable_version": 208, "rule_name": "SIP Provider Modification", - "sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e", + "sha256": "3171aedb786a6c4346ca2d6e875c736ea14d23e12331aeea3c994e5dca963238", "type": "eql", - "version": 110 + "version": 111 }, "8.13": { "max_allowable_version": 308, "rule_name": "SIP Provider Modification", - "sha256": "d738dfc708658d71ae14be394ef74073c038935186dcd52452963824dcff6832", + "sha256": "29662765828508b5d2ddf5905237089fde83513f4c34bd44c93f0e27849d77c3", "type": "eql", - "version": 210 + "version": 211 } }, "rule_name": "SIP Provider Modification", - "sha256": "ee278465be6f3dbb091ce5d5a2f86ef626accfc7c850b1fa069f00a2fd0b4b72", + "sha256": "e0ac3c29d4a3e05055331a8c99eae6dec675fdf4637d6585c80557b3dc879681", "type": "eql", - "version": 310 + "version": 311 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "min_stack_version": "8.14", 
@@ -14669,28 +14730,28 @@ "8.12": { "max_allowable_version": 210, "rule_name": "LSASS Memory Dump Creation", - "sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4", + "sha256": "f8cbd6a379d828f24d80c53ac9f923bccfcf5f6db7532cf8567c55c09446dae2", "type": "eql", - "version": 111 + "version": 112 }, "8.13": { "max_allowable_version": 310, "rule_name": "LSASS Memory Dump Creation", - "sha256": "14a9d741acb3030e8466bf9a59a206544298e89f5fc3fee49bf83f99a7e052fd", + "sha256": "c0268c1e96cb8a7dfec0cb7f803ec42df015cf80a71719b1a544cc4285ed0087", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "LSASS Memory Dump Creation", - "sha256": "254a89261a7919cd601e7aa8a8c9aafa993f9a2f38062b4f3f6b1839c39a0993", + "sha256": "accf15ffd7f736c713d38e6f024889430d4031685a6588588249bb092332d720", "type": "eql", - "version": 311 + "version": 312 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "rule_name": "AWS RDS Instance Creation", - "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", + "sha256": "3bb082fe7f035d7f0edb310d42459b011a6ecb97c9b46e008e1c1434840e95a9", "type": "query", - "version": 206 + "version": 207 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "rule_name": "Google Workspace Object Copied to External Drive with App Consent", @@ -14700,9 +14761,9 @@ }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", - "sha256": "5111cc2b59ff5a00ad2e2d02625d13fb2da0a6e5c8a7c7cf41cb0c023d1f0321", + "sha256": "84a652c9dcb5ab611cd8888bcb7def8d9e6ba1a10712c28017fe35cceb6d07de", "type": "query", - "version": 5 + "version": 6 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.14", 
@@ -14710,46 +14771,46 @@ "8.12": { "max_allowable_version": 209, "rule_name": "WMI Incoming Lateral Movement", - "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", + "sha256": "bf322fd08b8f2bfd47228ee56470b9301a500aa181f75f9594d50ed79033e3a5", "type": "eql", - "version": 110 + "version": 111 } }, "rule_name": "WMI Incoming Lateral Movement", - "sha256": "f68bad409924e59b8443d6a7bfa105b2b48cb4d88da36172d95d7094cb3a3375", + "sha256": "3ec45777f4c943a7de5082d971bee5996e5cf726ae6f42fc987b77c52f13bf8a", "type": "eql", - "version": 210 + "version": 211 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c", + "sha256": "ee7bf6773bfbc573d11e5c0660564ca53d3a9b917ec5f64c87a3b7e9d4b86fa7", "type": "threshold", - "version": 104 + "version": 105 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { "rule_name": "Suspicious Network Connection via systemd", - "sha256": "45c7e70c63f0babc04075bb7fcacaf276c43f3f76f27788e95a22486dc947598", + "sha256": "d1171e16d5e8259411aec72aea33cb1c2682fd2d4af82e789944805eceac591d", "type": "eql", - "version": 3 + "version": 4 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", - "sha256": "cf0a030c5e18e30adb504961ef9b25c02002c86f068800908ed13e0f329267de", + "sha256": "d523f9e7b0b0a672bde61148eda10896934ae0f610892a879adf5a29cd789057", "type": "threat_match", - "version": 7 + "version": 8 }, "f401a0e3-5eeb-4591-969a-f435488e7d12": { "min_stack_version": "8.14", "rule_name": "Remote Desktop File Opened from Suspicious Path", - "sha256": "cf963b5d775862505a178cb58178b33fb23107afcc00e561160961a865e46b4f", + "sha256": "903fd6d4ce8c22d0a4ed7c11940e77eca417f1bc8b231482bebb4e46f6aad27d", "type": "eql", - "version": 1 + "version": 2 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Potential curl CVE-2023-38545 Exploitation", - "sha256": 
"a4f60de34a9b8854d098412627c483a602372a1752481e4bb94ee32edabdfeb4", + "sha256": "75349fcdfe56a8631cc9346fd2f8623691f57c7e7fa533feab6431c354a3b8e8", "type": "eql", - "version": 6 + "version": 7 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.14", @@ -14757,28 +14818,28 @@ "8.12": { "max_allowable_version": 207, "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", + "sha256": "d8fa297a02bd05755728ee6202070fef2ebc8f2f5ae3d46617d78034d80e24bd", "type": "eql", - "version": 108 + "version": 109 }, "8.13": { "max_allowable_version": 307, "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "c065074afa1efd59796f42921ce27c145b88b963e7472fa5c5269c74503e3647", + "sha256": "111139bb2a9a56c179012f91b0e217c614e1527fc3eb2a4b713943763e5a7a40", "type": "eql", - "version": 208 + "version": 209 } }, "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "0ceb15eaac8188f45c14c3dd7bead9ba70e09eb4b5f51deb6b9a8c126b63c78b", + "sha256": "67cc9ea0dae5af83aac83f80454998408a24eeb1e521ae441963e51278f54b7a", "type": "eql", - "version": 308 + "version": 309 }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", - "sha256": "28451a124942aacc3132dc4aa9cf07779c9879d2e81581d9a09e0715aa18514d", + "sha256": "6f77b4339b6982feae60ae38491e22c8bf8931801527efe93368ab2d675017c6", "type": "eql", - "version": 3 + "version": 4 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.14", 
@@ -14792,29 +14853,29 @@ } }, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "a501daeafd36d21146d80fd784cd66a942aba32df467a451a98e26818a2e661b", + "sha256": "98da37735724187372bf1f311df3eb82e1dcc9d8792eb8c6faa5d20cd518c69d", "type": "query", - "version": 213 + "version": 214 }, "f4b857b3-faef-430d-b420-90be48647f00": { "min_stack_version": "8.13", "rule_name": "OpenSSL Password Hash Generation", - "sha256": "effca7dd9c856bc18468aeecb9135470738b7c71ceceb60943c78cbeeb3f8f8c", + "sha256": "04b4c9ecf43e0acf3fa6b298371accc63a200e07eb118a4d5edc9430aaca263a", "type": "eql", - "version": 1 + "version": 2 }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", - "sha256": "e018ec0346e1abac5468b4f741a4a3036311473e101a7ddf11bca9b702e142c0", + "sha256": "67cfc341651734d5dc809fca49d66ce14a80f2ba8535da9515f18242adfca0cc", "type": "esql", - "version": 3 + "version": 4 }, "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { "rule_name": "DPKG Package Installed by Unusual Parent Process", - "sha256": "c9f84cce8696eb7c2dc198d566da5e106e018e6fe6cd9e016fd243ae72c741b4", + "sha256": "aacfd52ed0aee2049e2ec00c2475153a185d83bbdd407232e9012a142292ac95", "type": "new_terms", - "version": 2 + "version": 3 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", @@ -14824,9 +14885,9 @@ }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", + "sha256": "89e1134e735b229a7ad239acdb9c85a68c40b34f96a19fe908c12ded3f7e5410", "type": "eql", - "version": 6 + "version": 7 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.14", 
@@ -14853,9 +14914,9 @@ }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "rule_name": "SSH Connection Established Inside A Running Container", - "sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7", + "sha256": "9d8c510e4b95da8e5072e5d93be80f049c9f4ed253d40845f7ac67920ddf4158", "type": "eql", - "version": 2 + "version": 3 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { "min_stack_version": "8.14", @@ -14863,22 +14924,22 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Rare SMB Connection to the Internet", - "sha256": "0994ac029d0e0256082d0a61be3696ee4a982af12e3efc1a96d975cb575ce7c2", + "sha256": "1a52a9efcabc5597110829afe735c6831cc9b2e64ed6169e8e81459e8669c83c", "type": "new_terms", - "version": 8 + "version": 9 }, "8.13": { "max_allowable_version": 207, "rule_name": "Rare SMB Connection to the Internet", - "sha256": "c40aac172f1cdf1b7ccb004c0801fc47510425f767724967677d2084cdbf562d", + "sha256": "0002a051fa57648d20e54eaded6c44a1f3bf1c307e7e8ec68200ff562fd22790", "type": "new_terms", - "version": 108 + "version": 109 } }, "rule_name": "Rare SMB Connection to the Internet", - "sha256": "d22f0fbb911966cb407185b46199efd05573dd405193ce51ed521b9b72d30289", + "sha256": "b913881e92e1a38bf6737390fd81a1138292cbd48aa0fb8c2d3c85957650ad7a", "type": "new_terms", - "version": 208 + "version": 209 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "min_stack_version": "8.14", 
@@ -14918,15 +14979,15 @@ "8.12": { "max_allowable_version": 105, "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd", + "sha256": "3ae5e32591f980bca7b3064fb9a680b9329a75f4ddc4dc888391659a4c1f654f", "type": "eql", - "version": 6 + "version": 7 } }, "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "01204cf3f85db104581872555673b018a1419abdbcce249e52f10ae764026cf8", + "sha256": "6ecb726bdefbe3899c1e739affa928cfbfd0e6eba44de225efcc3d904dab6007", "type": "eql", - "version": 106 + "version": 107 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "8.14", @@ -14934,21 +14995,21 @@ "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60", + "sha256": "a3bc6cca188a55aa33021f1b9c7d396bdde78a3350f1c4fabb974a4fcffa5ca4", "type": "machine_learning", - "version": 7 + "version": 8 } }, "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "cd92b6d8bfeeb796c8aa85d4173fc81fada02dcee2eba62947319524f50b8bc3", + "sha256": "b133ffedcacb83e511e320e25d6f4afc9f2d638fa12afbe470fab88a6009d07a", "type": "machine_learning", - "version": 107 + "version": 108 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "rule_name": "Masquerading Space After Filename", - "sha256": "5f2226e282c0f810754301af6a21ee8303cfc152b5003db4500df84b536cc373", + "sha256": "05d412610d0acf976c64885d739c2519d44630cc8036b7dba0c8533c92385d15", "type": "eql", - "version": 7 + "version": 8 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "rule_name": "Account or Group Discovery via Built-In Tools", 
@@ -14981,9 +15042,9 @@ }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", - "sha256": "e4f93dc05162bf6cad753a1327db0e023df793034c6204d0b08a1d15f6d23b4b", + "sha256": "aa4abbe944c50eb6c464d33d4880bedbb1778ff5139693b5f95e1f81e54a05d4", "type": "eql", - "version": 2 + "version": 3 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.14", @@ -15010,15 +15071,15 @@ }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", + "sha256": "076beef00e93e7c5cea8221f52feed6734107ad9cfb9a62a293d50a066132e1d", "type": "query", - "version": 106 + "version": 107 }, "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": { "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", - "sha256": "791121ea6aec69d7039ecb415a62b0a87915433516a225fa0103e30dc1fb3eb9", + "sha256": "de4cb537409466e76a7f865cb93e0842a6fc8f04b9402caaa3b8f56928916711", "type": "new_terms", - "version": 1 + "version": 2 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "rule_name": "System Hosts File Access", @@ -15028,9 +15089,9 @@ }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Azure Service Principal Credentials Added", - "sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103", + "sha256": "901f5b0b8cf2e223bd55f2b15863c0285e7df7dbae24b8ae528572bd52df13a6", "type": "query", - "version": 102 + "version": 103 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", 
@@ -15040,15 +15101,15 @@ }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "rule_name": "SSH Authorized Keys File Modified Inside a Container", - "sha256": "7447ba66f5bb3a7f75ebfa0ec16f2c79965e3653b03fc3f3a06ec4e7dc27ece8", + "sha256": "dbb02018892869ad01ea50413f348fb8681007ab55495ec2669108a301956156", "type": "eql", - "version": 3 + "version": 4 }, "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", - "sha256": "9d9ea4b2bef0475b57635433aa6c30663d72eb3226baf7e94587e17374f9c08e", + "sha256": "135091eba79744ed7a55ef7e0825fb4a5189f443b6940d9f322b755d28b98d0f", "type": "new_terms", - "version": 1 + "version": 2 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.14", 
@@ -15056,28 +15117,28 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac", + "sha256": "3bb11d5684b0514f8d1a5326d1645b8787ea37ae7731db6df5e7d94945f6ef1c", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 311, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "19dabb4cdeb3093420fb56b9c94ca6687ea7ee3479e605b8b9f331cdff2466c3", + "sha256": "4cbd3242743b94fc54ec1eff6658bdf2a9009dad93fccbc3354272cc5c10196e", "type": "eql", - "version": 212 + "version": 213 } }, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "07caba511c046edeb032f0a4b75979d94cf1cadf75a7bfea159e175815bb0c48", + "sha256": "0265f205075afb8a44fcc9339b9b8e7819b11ee960a7fcadff4ef19c40407944", "type": "eql", - "version": 312 + "version": 313 }, "f7c70f2e-4616-439c-85ac-5b98415042fe": { "rule_name": "Potential Privilege Escalation via Linux DAC permissions", - "sha256": "c019dc62df736fd44d9e738556bb88927bb5a3381f6dd541d60087ba788d3255", + "sha256": "6a6d4fc7401921ef468189f6dbd0c74591dd1d15fcab4c0f5b4033610123be2c", "type": "new_terms", - "version": 3 + "version": 4 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.14", 
@@ -15085,34 +15146,34 @@ "8.12": { "max_allowable_version": 208, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", + "sha256": "e36c1fdb2b34568b5431017b6d35a86a116bc34c7b9af52fbfeaf4548233dac3", "type": "eql", - "version": 109 + "version": 110 }, "8.13": { "max_allowable_version": 308, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "c4a613fb04e9f97b6a884009449a139ee5a135556512ca5bf96bb5b803db7d8d", + "sha256": "a577211254c57b0fba47713de661ab81bc197366995a8d14d939f8667dde3ffa", "type": "eql", - "version": 209 + "version": 210 } }, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "41f949b2f55eaabf986b67891e7037a89ce1a7964a42ef6e88352b92d52778bb", + "sha256": "fc3a25445b0ecc88878661c840092042b33a21a6b66a2307253219ea04c67913", "type": "eql", - "version": 309 + "version": 310 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", + "sha256": "402f5404fef876bbbd2aba0a471857bb32c2a7c711af599817c9834d0db5c2be", "type": "query", - "version": 106 + "version": 107 }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", - "sha256": "187045fe170ec5d73a01ae484c2beb785ba6d685cf6973c52d6dd63393600eaa", + "sha256": "deffcca6a713e80f7c6197c17ee1be6a9f98b582e6c922548acf9ab45a49f882", "type": "eql", - "version": 3 + "version": 4 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.14", 
@@ -15140,9 +15201,9 @@ "f87e6122-ea34-11ee-a417-f661ea17fbce": { "min_stack_version": "8.16", "rule_name": "Malicious File - Prevented - Elastic Defend", - "sha256": "9b4dc0fb3aa575631ab1f19f6059c644319158dc055b3ebf6dac4148d593c119", + "sha256": "67ffe83c5432e13fcf6b7e4cf476f32cfa6c44e604a32fe07f2cbb1ac508042b", "type": "query", - "version": 1 + "version": 2 }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { "min_stack_version": "8.14", @@ -15150,15 +15211,15 @@ "8.12": { "max_allowable_version": 103, "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03", + "sha256": "de3cf59b7dd66998abe201a8eaf36dbba367e448780f8d30c428d89610b5c18f", "type": "query", - "version": 4 + "version": 5 } }, "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "9302b94451cee85bf6f7911e5a81caad7dad04e6d5d9271549085ee41f25cfe5", + "sha256": "bed1ed023c04637d3664efd5fbb73d3aa0cfea24257dfb18a925fea3d2cbef3f", "type": "query", - "version": 104 + "version": 105 }, "f909075d-afc7-42d7-b399-600b94352fd9": { "min_stack_version": "8.14", @@ -15166,15 +15227,15 @@ "8.12": { "max_allowable_version": 100, "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea", + "sha256": "e26f15abdf56aa1b61415ba7dc51da814455d36335a30451a9089c7e28074d99", "type": "eql", - "version": 1 + "version": 2 } }, "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "c4508dc7b6251d648197e8d7704c8fdafc973a1a99006c1475d76e67e7d195d3", + "sha256": "f38f93c88e156a79c010dfad2f862d22927fc7fef7c08ca2dfa59a780b3d8e9b", "type": "eql", - "version": 101 + "version": 102 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "min_stack_version": "8.13", 
@@ -15194,15 +15255,15 @@ }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", - "sha256": "d2f746819d1c581d86f596e696374d72b6b6ef60f9710488f0f34085b80a3e59", + "sha256": "d11d9b7a7104ede9ec52c99b7a22fda51997f927c44ba71a8317a0870bf39b4d", "type": "machine_learning", - "version": 105 + "version": 106 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "rule_name": "Ingress Transfer via Windows BITS", - "sha256": "85e0e9eb2f56d40ea5aa97a05e3c9ef70749ffbf72276dfe626c72d1889217c6", + "sha256": "a65eed2cc5b097a57b4e7baac0a286e05e9272a546e2fa4ef98c84b45efbaccc", "type": "eql", - "version": 8 + "version": 9 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "min_stack_version": "8.14", @@ -15210,22 +15271,22 @@ "8.12": { "max_allowable_version": 101, "rule_name": "Browser Extension Install", - "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", + "sha256": "13264d82b596b30f4a39bca88800139df7d59f7e5714ac3294aecb8adb693f2b", "type": "eql", - "version": 2 + "version": 3 }, "8.13": { "max_allowable_version": 201, "rule_name": "Browser Extension Install", - "sha256": "33fea2e19640fd39808aae6bf7267174995cc0a7e7973f07a4b21fbb2b842970", + "sha256": "2813c84680c133570b552af8010cab5df5b2cf9ce045b7cb05716d286729bcdf", "type": "eql", - "version": 102 + "version": 103 } }, "rule_name": "Browser Extension Install", - "sha256": "cdd8f7c92285ec6406bbb7e06fef02eb1458895deda96a9bbd299be408be2026", + "sha256": "420b3c2fb3cad25f5312065eb38e2944b8220eac1111dba2dd1088b95141b687", "type": "eql", - "version": 202 + "version": 203 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "min_stack_version": "8.14", 
@@ -15233,15 +15294,15 @@ "8.12": { "max_allowable_version": 109, "rule_name": "Privileged Account Brute Force", - "sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e", + "sha256": "a3e155da55738446b14a3519a8631b9d6a3f2a2420e7abea9743574cfa5a699f", "type": "eql", - "version": 10 + "version": 11 } }, "rule_name": "Privileged Account Brute Force", - "sha256": "8237fdea989fedadcbe0c3d264d0f2e33c15879386f11721c8effccb0b5a1d28", + "sha256": "d609cef02e743a187baf0068f42fe95b28bef7bee1d26bb067e3d09188bf7281", "type": "eql", - "version": 110 + "version": 111 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.15", @@ -15249,22 +15310,22 @@ "8.12": { "max_allowable_version": 307, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", + "sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47", "type": "query", - "version": 208 + "version": 209 }, "8.14": { "max_allowable_version": 408, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", + "sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47", "type": "query", - "version": 309 + "version": 310 } }, "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317", + "sha256": "9f8a0e0868d43b262c98653adb7bed57c23c2509b0fec88ebeb33b1a92853293", "type": "query", - "version": 409 + "version": 410 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.14", 
@@ -15272,34 +15333,34 @@ "8.12": { "max_allowable_version": 210, "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca", + "sha256": "38cd36c0e10b5e71de73e548f13243d29e06b1bab2ca10c74ae875da1606664d", "type": "eql", - "version": 112 + "version": 113 }, "8.13": { "max_allowable_version": 310, "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "c57ede22981de8ec65a677f491d04e110c3dcbe758924fc37fc34e2b031677a2", + "sha256": "2ec223a448f81f94a8f428864b7dc4f7b173fb01a997740f6f29143c0496219c", "type": "eql", - "version": 211 + "version": 212 } }, "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "e2887448f525e4d2fc06229b8d743d4dca3c5ec090ff66e1b0395b0a14a6ffe1", + "sha256": "4300b10c7504d0440412581634a019e1a6e58f0db412301ee1b20b04516532bf", "type": "eql", - "version": 312 + "version": 313 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "rule_name": "Potential External Linux SSH Brute Force Detected", - "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda", + "sha256": "c8d1d95ef6525a3da18e35d890b332565c8b7453a7c89f16c87080264772d9ac", "type": "eql", - "version": 7 + "version": 8 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c", + "sha256": "cd83e2dee4122108d811abf45e532d0dc27fdac8ec1673c2ad306e85c97819f2", "type": "eql", - "version": 7 + "version": 8 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.14", 
@@ -15307,22 +15368,22 @@
 "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
+ "sha256": "e416bd900c26017a9a2e60990ee7ae09ced3df13618bbbc45b29fb2340de74d1",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "e76797913ea8f33de2a02341ab5af40b4efd31ccdadbb67daf8fcdf5281830bc",
+ "sha256": "34eeb28ee7412555964397a4969d1d55098b05a4107dd4330ea8ac5dd242d54e",
 "type": "eql",
- "version": 213
+ "version": 214
 }
 },
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "d31107882201846433a5c59aa2d72a82cb14836b79e86eb8a93521116638d30a",
+ "sha256": "d4eaa3dfb8b078f3a464ad91d4dcd5424f2faf343c977d6dd7df44cc08e87065",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "fac52c69-2646-4e79-89c0-fd7653461010": {
 "min_stack_version": "8.13",
@@ -15330,15 +15391,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Potential Disabling of AppArmor",
- "sha256": "e045c3b1003a5042d8b759b06796c80d5f32b4a56185301e5de5bcc2f1d4544e",
+ "sha256": "dcc5486dac299e23f474eb39e2b40231213ec061f4460cc66cbd25bc8ea1b927",
 "type": "eql",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Potential Disabling of AppArmor",
- "sha256": "01508640f0055cb89a305cbdf1ef43cd6f104545bfdc21eea76eaaf2e7e7909d",
+ "sha256": "dd0c697b12d206fc9f3004381077e6f7a2367ed6acc0112544ccd443afccb2f3",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
 "rule_name": "Potential Masquerading as System32 DLL",
@@ -15352,15 +15413,15 @@
 "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Network Connection via Registration Utility",
- "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
+ "sha256": "b4eed2ddeb40f2bbedc702c4789e5748c0f303fb263208a2bdcd2974c12346b5",
 "type": "eql",
- "version": 108
+ "version": 109
 }
 },
 "rule_name": "Network Connection via Registration Utility",
- "sha256": "8aae81ad83c8f0921e01112594259350cacae84e8b7a5991c5774c2b12228d7c",
+ "sha256": "c04bf7494ed4c20a8a87bbe9bb3f2876b8e92b7af292dfac1b2d2f847593dcad",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
 "min_stack_version": "8.13",
@@ -15368,15 +15429,15 @@
 "8.12": {
 "max_allowable_version": 203,
 "rule_name": "High Number of Cloned GitHub Repos From PAT",
- "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
+ "sha256": "1b149111089ed10df74c8975a4801b321f429cbc00bddf77eebd2f154d5355e0",
 "type": "threshold",
- "version": 104
+ "version": 105
 }
 },
 "rule_name": "High Number of Cloned GitHub Repos From PAT",
- "sha256": "aa706a6df1832c500f882ba46028eb2732a866b5e6335c33fd62c18d90a7d870",
+ "sha256": "babeac41d262653f7ef7c8bddf78a7573fb7894ae7b8c2c9b3f48fc07ef6452c",
 "type": "threshold",
- "version": 204
+ "version": 205
 },
 "fb9937ce-7e21-46bf-831d-1ad96eac674d": {
 "rule_name": "Auditd Max Failed Login Attempts",
@@ -15386,15 +15447,15 @@
 },
 "fbd44836-0d69-4004-a0b4-03c20370c435": {
 "rule_name": "AWS Configuration Recorder Stopped",
- "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004",
+ "sha256": "7953f99ece9b3629d330947f9c59294d7504c35d5eb9415e8410833f95063b4d",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
 "rule_name": "Process Started with Executable Stack",
- "sha256": "817c1bcd002aee4e4e20b0ec867435b39e734957b1032925a405161c91e1ff2d",
+ "sha256": "0463c0b25ecbc17c558c90dfd80f29d64776de9fba2451a8768448d09293b378",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
 "min_stack_version": "8.14",
@@ -15402,22 +15463,22 @@
 "8.12": {
 "max_allowable_version": 208,
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
+ "sha256": "59543020be10655d8e81766d6a80fb95792cda6820556f739905cb54943ddbce",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "8.13": {
 "max_allowable_version": 308,
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "4ad908e9c0e001298a239314cbd4fc39fb76e0789a62456d4601e31ea266b35e",
+ "sha256": "80e05f76dd4e8c2e94bdbd3924f85a5877d9ff5a47c410d308b96f7a1d390525",
 "type": "eql",
- "version": 209
+ "version": 210
 }
 },
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "db69f7867e43c1d9991d02ca50a537f1688974ffa821585058e225fa254dfed5",
+ "sha256": "afa60af2586a1e3458855aa64f4d3fbbfe063c3f35b3abc5a840d616f77d9841",
 "type": "eql",
- "version": 309
+ "version": 310
 },
 "fc909baa-fb34-4c46-9691-be276ef4234c": {
 "min_stack_version": "8.13",
@@ -15437,9 +15498,9 @@
 },
 "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
 "rule_name": "User or Group Creation/Modification",
- "sha256": "d1ea785176a27ff76f628305fa1d57041f59595f8b6e09f99b4b4349c18f1811",
+ "sha256": "e492a1d379ef0524d4b531024a7edf8a09e7b8174850fd8fd2d8824d76499df7",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "fd01b949-81be-46d5-bcf8-284395d5f56d": {
 "min_stack_version": "8.13",
@@ -15447,21 +15508,21 @@
 "8.12": {
 "max_allowable_version": 203,
 "rule_name": "GitHub App Deleted",
- "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
+ "sha256": "c0689f3c0e7636572f0800557c0480309dbcf71e0107dc51b0ed362728a0c927",
 "type": "eql",
- "version": 104
+ "version": 105
 }
 },
 "rule_name": "GitHub App Deleted",
- "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7",
+ "sha256": "77d5e70dceb83e72c91dec0a125b56e67e4f66b20ca31374060260c91887c03d",
 "type": "eql",
- "version": 204
+ "version": 205
 },
 "fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
 "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
- "sha256": "6e4722f7391334da9fa02d2bfe859e94a1110c6b78b728f62607aaa9380b59e9",
+ "sha256": "7c1af1a785726996f19edad02af0353a331e9ccd7a6095127460e2ee4da6beb0",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "fd3fc25e-7c7c-4613-8209-97942ac609f6": {
 "rule_name": "Linux Restricted Shell Breakout via the expect command",
@@ -15475,22 +15536,22 @@
 "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63",
+ "sha256": "fb02d9d052a80cb71ebc3d197b2737a8bb72f875dc6f26fcb777715dc8ea8007",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "8.13": {
 "max_allowable_version": 310,
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "0c0fb67b6f1fbc64b54c4eaaaf3982e6abd871234c9d741e32cf6111a4b95348",
+ "sha256": "003cbead1025ca8c3bb1f33eddf4a98de00f555cb184077b194142cc838263b0",
 "type": "eql",
- "version": 211
+ "version": 212
 }
 },
 "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "3a5c29d43ebbadfb3a010e164c997dcdbc2c550226c3129d9f7256ad4204f204",
+ "sha256": "8d5354802a1da8218bdca789c1118dd3c0e75072f015978e3ce65b239357204c",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "min_stack_version": "8.14",
@@ -15498,22 +15559,22 @@
 "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c",
+ "sha256": "13dd1c7c1c9bea325d7f705da1527335b7e0e12d8f5e7d942ed99c6b9d1a7a5d",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "8.13": {
 "max_allowable_version": 309,
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "d5f199269d0b8d8ffcb51d4a5be03858a06c561d4d7b5e76ccdb0730fbf5212a",
+ "sha256": "2ab5b41ea028baf2c8143494762615137f2d9daec219a470c3ac43a8dc70d0d5",
 "type": "eql",
- "version": 210
+ "version": 211
 }
 },
 "rule_name": "Suspicious CertUtil Commands",
- "sha256": "d283778b33a2eb881ef6542154d6a7a4f20f42620f533ab95ac6e3d92989605a",
+ "sha256": "9e178f0e88993fc08a6e3bf41eaf0502281774f9ebbfe9477e09a20b55e8fc8f",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "min_stack_version": "8.14",
@@ -15521,22 +15582,22 @@
 "8.12": {
 "max_allowable_version": 317,
 "rule_name": "Svchost spawning Cmd",
- "sha256": "e120819a00740e66d735aed46354c8c204941e187fffe5705afac9bc20b2c37f",
+ "sha256": "fd2168d3b0db808329e092b89905660cf80f6a564f9e3218506dfba05e409c61",
 "type": "new_terms",
- "version": 218
+ "version": 219
 },
 "8.13": {
 "max_allowable_version": 417,
 "rule_name": "Svchost spawning Cmd",
- "sha256": "3496b237c65ce8b5c66a99b52546e49a3564913f15df60b8ab5ff3831bd56e7a",
+ "sha256": "89907452efa6d5a092c9819fec02d0a27a824e7e526e5a031f271cd0a9cce5be",
 "type": "new_terms",
- "version": 318
+ "version": 319
 }
 },
 "rule_name": "Svchost spawning Cmd",
- "sha256": "2140d944bef1c61a87c150671d805d24438ca8fe7e109ef377a97dbc5a4efd83",
+ "sha256": "e648c831b55c6701ce80a615623526f8eb2024dd98dd5a6caaa49692191e85d8",
 "type": "new_terms",
- "version": 418
+ "version": 419
 },
 "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
 "rule_name": "Image Loaded with Invalid Signature",
@@ -15546,9 +15607,9 @@
 },
 "fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
 "rule_name": "System Binary Moved or Copied",
- "sha256": "49225541197b4b6b4988a3f6f4b5e6540977b229a825bfea0d1292a82a942d39",
+ "sha256": "3f455b9a9fc20d9dca4d989e3236437d2b7c702d96e34fe01c0e21181bd9cc34",
 "type": "eql",
- "version": 13
+ "version": 14
 },
 "fddff193-48a3-484d-8d35-90bb3d323a56": {
 "min_stack_version": "8.14",
@@ -15556,15 +15617,15 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "PowerShell Kerberos Ticket Dump",
- "sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3",
+ "sha256": "87b8915f4df4e07283d519a5459b89600a2e9018c07136f10a454968ecec7522",
 "type": "query",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "PowerShell Kerberos Ticket Dump",
- "sha256": "d2f0a42229c44c3071f0ff420fc676660dd1a831a53634858ff9c59b0df0e7d1",
+ "sha256": "21800d17e1a701df364ecf5e4dc921c47a9978bd53f4290052756476349613b3",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "min_stack_version": "8.14",
@@ -15607,9 +15668,9 @@
 },
 "feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
 "rule_name": "Potential Masquerading as Business App Installer",
- "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5",
+ "sha256": "6d71e2f5b064aa990886b9f8855595def2146202b93e657c62c021e3bc852c84",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
 "rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
@@ -15642,45 +15703,45 @@
 },
 "fef62ecf-0260-4b71-848b-a8624b304828": {
 "rule_name": "Potential Process Name Stomping with Prctl",
- "sha256": "6d66bac41360553f30a7ec77711cac7525469a4649853c093e54807182e05880",
+ "sha256": "4f8d4f17d7899a44961b0ed15bd61e32234c08c800dddbae9b75aa238bf40541",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
 "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
- "sha256": "719015ef6c70c2739f12adb7f4e21683f10083d6e8cee6deabba37fcb821f02b",
+ "sha256": "7c706cb36925b68e3326c38052f0bc6a5afdfc8ef02a33dc200e92fae09dbb2f",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
 "rule_name": "Potential DGA Activity",
- "sha256": "a6828508851318616e927d9f819f6d7c5130b830e0f3eba41135daf75ac99758",
+ "sha256": "ef8f045d4a373ebb67741cef329ed0e2b3a356b64978bd6dcad9716fb2f3f592",
 "type": "machine_learning",
- "version": 5
+ "version": 6
 },
 "ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
 "rule_name": "Cron Job Created or Modified",
- "sha256": "b0c6daed3da044ef0e0ce21a69c8b2b1a79c9e7b050b3d2d21597432dc235d90",
+ "sha256": "2bb9047a12faecde8952e7f0bfe8c12187345c8e1016fdd19c1ebcfdb379f298",
 "type": "eql",
- "version": 14
+ "version": 15
 },
 "ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
 "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
- "sha256": "7842115a7191021a44e61d69bdc1563edc6e9d471a1237af41d228647df07824",
+ "sha256": "cb20be6b7c6db1a5ba68b0ab829e75e5faad09e13d4ad4db8d1d303a36958a26",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "ff4599cb-409f-4910-a239-52e4e6f532ff": {
 "rule_name": "LSASS Process Access via Windows API",
- "sha256": "7d8c295d9d5382ec04a6755af94ef4b2f9e3a87942594dc7a1708854f48db9bf",
+ "sha256": "af8119ce553fafb567f949620657a037808e29169ff198277765c4f54f6aea09",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
- "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88",
+ "sha256": "fd7869fa1dfb7814d85e599eddf43e2fe64eeff6d58e4bc655b81add4f748fe5",
 "type": "query",
- "version": 206
+ "version": 207
 },
 "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
 "min_stack_version": "8.14",
@@ -15688,28 +15749,28 @@
 "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
- "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
+ "sha256": "142aa8456d0c3151257b8d40bb29b00d7880561940ea1366b6c850725a7fa90b",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "8.13": {
 "max_allowable_version": 200,
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
- "sha256": "a5dc5c08ba531d44f22ea6769d5c2df16f15453f794a715ed59b46054ce95996",
+ "sha256": "593b01d8d7d60109ab9ad569f65be57c3c9e8efb4590d58f871e61d7ba6a8cfa",
 "type": "eql",
- "version": 101
+ "version": 102
 }
 },
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
- "sha256": "fdeb2235369b54f09b8e618dfa7db46fc187a691bc5b60955e67e9bfa1d1a008",
+ "sha256": "1b182aabc1a25362770238d8e6fbd5d91def7ad420cbd29f0ec914985f603673",
 "type": "eql",
- "version": 201
+ "version": 202
 },
 "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
 "rule_name": "GCP Firewall Rule Deletion",
- "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068",
+ "sha256": "dbdeafa2e40515c24f4df798e5a2d653973541813b5f25cad1c52cf8e334f69f",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
 "min_stack_version": "8.16",
@@ -15717,14 +15778,14 @@
 "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Potential Sudo Token Manipulation via Process Injection",
- "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366",
+ "sha256": "b3468a2a0f4b606f04c16270c18b6b7d2a77491078aa852a13f671f64b328173",
 "type": "eql",
- "version": 7
+ "version": 8
 }
 },
 "rule_name": "Potential Sudo Token Manipulation via Process Injection",
- "sha256": "d9a50180875a16c7d3cfedadf27a0c3bb75bd18b950d188993f9ba0f43f504ca",
+ "sha256": "b3a0fb9a91e96e465bf2e1a9c90fbdfcd2446a6bd3d40d9b7b245f49e82a8155",
 "type": "eql",
- "version": 107
+ "version": 108
 }
 }
\ No newline at end of file