From 823e8fd1402421f3c066bcf748e35d4503d71b8f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 25 Jul 2024 18:38:08 +0530
Subject: [PATCH] Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3926)
---
 detection_rules/etc/deprecated_rules.json | 5 +
 detection_rules/etc/version.lock.json | 424 +++++++++++++---------
 2 files changed, 264 insertions(+), 165 deletions(-)
diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index 7753c99886e..218ffe28333 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -69,6 +69,11 @@
 "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
 "stack_version": "8.9"
 },
+ "28738f9f-7427-4d23-bc69-756708b5f624": {
+ "deprecation_date": "2024/07/18",
+ "rule_name": "Suspicious File Changes Activity Detected",
+ "stack_version": "8.10"
+ },
 "28896382-7d4f-4d50-9b72-67091901fd26": {
 "deprecation_date": "2022/08/03",
 "rule_name": "Suspicious Process from Conhost",
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 20cd02480aa..a9a449bd20f 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -162,9 +162,9 @@
 },
 "054db96b-fd34-43b3-9af2-587b3bd33964": {
 "rule_name": "Systemd-udevd Rule File Creation",
- "sha256": "c460de6633708a3c05bf2968843c4ddbf305a7053f9698f6a1396a20113bb23d",
+ "sha256": "18206de4f5ccdad5336624f845d49008e9b9465a9a28c027d0ec8ac13f844587",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "0564fb9d-90b9-4234-a411-82a546dc1343": {
 "rule_name": "Microsoft IIS Service Account Password Dumped",
@@ -370,9 +370,9 @@
 },
 "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
 "rule_name": "Yum Package Manager Plugin File Creation",
- "sha256": "3a2bd6c4c3a22a51b9ccc02420cce8fbbf1827c026e43f7f8b04905409711bf7",
+ "sha256": "2b69a06ea7781c0a41b34c7cadba4aab83da534af3555d02cfc9279096625c38",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "rule_name": "Anomalous Windows Process Creation",
@@ -382,15 +382,15 @@
 },
 "0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
 "rule_name": "User account exposed to Kerberoasting",
- "sha256": "830231e34039027f460477ed025efa9ef0a7efb45b9d97d43080f7d9deceeec3",
+ "sha256": "c7a11d6c30f396ba7e69c91e0e56d49ac0e878c26d2af7da536e843920d37d53",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "0b803267-74c5-444d-ae29-32b5db2d562a": {
 "rule_name": "Potential Shell via Wildcard Injection Detected",
- "sha256": "d23957bdc3e4530971529039105978c60ef34d1dda87b408528c03a1d39da1ca",
+ "sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
 "rule_name": "Processes with Trailing Spaces",
@@ -473,9 +473,9 @@
 },
 "0f4d35e4-925e-4959-ab24-911be207ee6f": {
 "rule_name": "rc.local/rc.common File Creation",
- "sha256": "85ee9b791a4c7e68fa137cb3157d12117568d3c28d86fe9d8fcec00fc60e084a",
+ "sha256": "2e7d124198761afda3e1b48035ab8b166f486e36af3dd5be2f69f1783d13b0d1",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
 "rule_name": "Netcat Listener Established via rlwrap",
@@ -551,9 +551,9 @@
 },
 "11dd9713-0ec6-4110-9707-32daae1ee68c": {
 "rule_name": "PowerShell Script with Token Impersonation Capabilities",
- "sha256": "049b0cbfdd71a4ec9ecdce8350842eb7d32d60c45681f6342878de029adf212a",
+ "sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2",
 "type": "query",
- "version": 11
+ "version": 12
 },
 "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
 "rule_name": "Third-party Backup Files Deleted via Unexpected Process",
@@ -605,9 +605,9 @@
 },
 "12cbf709-69e8-4055-94f9-24314385c27e": {
 "rule_name": "Kubernetes Pod Created With HostNetwork",
- "sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7",
+ "sha256": "6f467e2189a55fb44966834223c32fb6509c57dd21bcdff69b4f6e2ec920aeff",
 "type": "query",
- "version": 203
+ "version": 204
 },
 "12de29d4-bbb0-4eef-b687-857e8a163870": {
 "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
@@ -809,9 +809,9 @@
 },
 "17b0a495-4d9f-414c-8ad0-92f018b8e001": {
 "rule_name": "Systemd Service Created",
- "sha256": "f39790b9b3abb2ae93c8dd17424d49585bf433630f77d22f8e71e727ded3ef05",
+ "sha256": "e0a46f4010f06fe2f8820ab81c9d77d43d93649c54d8aaca262b90a585e03641",
 "type": "eql",
- "version": 12
+ "version": 13
 },
 "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
 "rule_name": "Renamed Utility Executed with Short Program Name",
@@ -851,9 +851,9 @@
 },
 "192657ba-ab0e-4901-89a2-911d611eee98": {
 "rule_name": "Potential Persistence via File Modification",
- "sha256": "328df92dbc73dc43154f8b6998e6a2201211089ea4fca02386b1d1180d51cf36",
+ "sha256": "d1c1f1dbe854e24a206291ce09a0b5a7d0a3edd11c3de760e2ff9e5560924100",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
 "rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -977,9 +977,9 @@
 },
 "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
 "rule_name": "AWS IAM Roles Anywhere Profile Creation",
- "sha256": "f668e7947688e878a2b5f5aa8a3bc7f30cf777776b49855a8b5e2c7e3b8e2449",
+ "sha256": "becc05324f5f605086badfd23a1e969801e19931eb7ae06312657e19eac4175d",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "1d72d014-e2ab-4707-b056-9b96abe7b511": {
 "rule_name": "External IP Lookup from Non-Browser Process",
@@ -989,9 +989,9 @@
 },
 "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
 "rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
- "sha256": "56bbf0cae42f67fdd41f149363a1891554948e2dbd182c1e0c9fed1a39f36100",
+ "sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
 "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
@@ -1041,9 +1041,9 @@
 },
 "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
 "rule_name": "Creation of a DNS-Named Record",
- "sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75",
+ "sha256": "6d7f966ffe9ca36511ff1fb7eb1e7f4af720e8751c62e720cddaea863d3f33b8",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
 "rule_name": "Creation of SettingContent-ms Files",
@@ -1165,9 +1165,9 @@
 },
 "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
 "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
- "sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b",
+ "sha256": "5236a7331c35e34f2f5e5e0370db337e199dd5660d918ca0c21209ed25ca13a9",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "220be143-5c67-4fdb-b6ce-dd6826d024fd": {
 "rule_name": "Full User-Mode Dumps Enabled System-Wide",
@@ -1219,9 +1219,9 @@
 },
 "23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
 "rule_name": "Unknown Execution of Binary with RWX Memory Region",
- "sha256": "b160874aab9501cba7d0344a3fcb2181a25f3d7a5067a23804bc3f8abb705dd1",
+ "sha256": "52e498b76b1bc795b18dee476e1e03b1712563b3138813bf79295c071dd6adb5",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "23f18264-2d6d-11ef-9413-f661ea17fbce": {
 "min_stack_version": "8.13",
@@ -1244,9 +1244,9 @@
 },
 "2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
 "rule_name": "Potential PowerShell HackTool Script by Author",
- "sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3",
+ "sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
 "rule_name": "Potential Reverse Shell via Background Process",
@@ -1268,9 +1268,9 @@
 },
 "260486ee-7d98-11ee-9599-f661ea17fbcd": {
 "rule_name": "New Okta Authentication Behavior Detected",
- "sha256": "44887f3eb626b80c75a0110be4b26d1ce66bf37892a7bab818d90f36023aae1c",
+ "sha256": "6c8cf1738016d2de5acb239d04a90ee51862f9548c95ecc55be6dca60eb9530e",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "2605aa59-29ac-4662-afad-8d86257c7c91": {
 "rule_name": "Potential Suspicious DebugFS Root Device Access",
@@ -1320,9 +1320,9 @@
 }
 },
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
- "sha256": "a3c97823d3b6940c64c3cd69101e314c8bf84a5c63e6f3ac1358259b034546cd",
+ "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "2724808c-ba5d-48b2-86d2-0002103df753": {
 "rule_name": "Attempt to Clear Kernel Ring Buffer",
@@ -1412,9 +1412,9 @@
 },
 "28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
 "rule_name": "Shell Configuration Creation or Modification",
- "sha256": "26fb29a8c8c328b8e46ed17a8fda1d07250948bb305e19031173410ae35d3669",
+ "sha256": "a0220f32050291d6181245d119ff13f27d11d6776fab0aeef7a933b2fed998f5",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "29052c19-ff3e-42fd-8363-7be14d7c5469": {
 "rule_name": "AWS Security Group Configuration Change Detection",
@@ -1493,9 +1493,9 @@
 },
 "2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
 "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
- "sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0",
+ "sha256": "dc8b0a2fc0d7fa52084bd9ff94ef01de5dbafce96fa29a0e89c89ef27ab8e9a7",
 "type": "query",
- "version": 203
+ "version": 204
 },
 "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
 "rule_name": "ESXI Discovery via Grep",
@@ -1576,9 +1576,9 @@
 },
 "2e29e96a-b67c-455a-afe4-de6183431d0d": {
 "rule_name": "Potential Process Injection via PowerShell",
- "sha256": "81ff8ad3429868b3ae4e62b20cdf7861c5912ea5ea56a373eb053a9ba8cafb2d",
+ "sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029",
 "type": "query",
- "version": 110
+ "version": 111
 },
 "2e311539-cd88-4a85-a301-04f38795007c": {
 "rule_name": "Accessing Outlook Data Files",
@@ -1662,6 +1662,12 @@
 "type": "query",
 "version": 104
 },
+ "30b5bb96-c7db-492c-80e9-1eab00db580b": {
+ "rule_name": "AWS S3 Object Versioning Suspended",
+ "sha256": "4852203398c11a4639cf6b6e5a60a3f6076a2888bac58d701a1229bbd0f44f33",
+ "type": "eql",
+ "version": 1
+ },
 "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
 "rule_name": "ESXI Timestomping using Touch Command",
 "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea",
@@ -1669,10 +1675,10 @@
 "version": 8
 },
 "30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
- "rule_name": "Suspicious Network Connection via Sudo Binary",
- "sha256": "7c7f71f10f08bbfa8f116046faf6e9487e82a654dc7c8ff4155bbb67fb267058",
+ "rule_name": "Network Connection via Sudo Binary",
+ "sha256": "b469b8c3a65e085d1a09370ef4bf02f1feb2e98f438d6af4c42d1495c1959385",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "30fbf4db-c502-4e68-a239-2e99af0f70da": {
 "rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
@@ -1972,9 +1978,9 @@
 },
 "3a657da0-1df2-11ef-a327-f661ea17fbcc": {
 "rule_name": "Rapid7 Threat Command CVEs Correlation",
- "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1",
+ "sha256": "84bf983155b5e76077e32a0adf47cc76be94453dbd39a996d7cb55b112a6eb99",
 "type": "threat_match",
- "version": 1
+ "version": 2
 },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
@@ -2059,9 +2065,9 @@
 }
 },
 "rule_name": "PowerShell Script with Log Clear Capabilities",
- "sha256": "afa86911efb5e954ddd5ac66e6ff98a64832328ccdd43ef5c3a5c73ec1172297",
+ "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "3e002465-876f-4f04-b016-84ef48ce7e5d": {
 "rule_name": "AWS CloudTrail Log Updated",
@@ -2149,9 +2155,9 @@
 },
 "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
 "rule_name": "DNF Package Manager Plugin File Creation",
- "sha256": "a84dfe6ccc1996ada49913439cc47e7a0a10d463f3385caf7a4f35804f884888",
+ "sha256": "fa6f9f682ade91c9ceb999d3536002bf17197697e5b132fe1ee39ac7bc15e6c9",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
 "rule_name": "Unusual Process Spawned by a User",
@@ -2294,9 +2300,9 @@
 },
 "4577ef08-61d1-4458-909f-25a4b10c87fe": {
 "rule_name": "AWS RDS DB Snapshot Shared with Another Account",
- "sha256": "97a9bbc07dad0412d494a96fa565a7e2555e661c1e57eb06101029572ccf891a",
+ "sha256": "bc96c80774873e20fc93cc0aeb3cc34e08ce5f4b3109b4218de43a44228be7ed",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "rule_name": "Windows Event Logs Cleared",
@@ -2610,6 +2616,12 @@
 "type": "query",
 "version": 104
 },
+ "5188c68e-d3de-4e96-994d-9e242269446f": {
+ "rule_name": "Service DACL Modification via sc.exe",
+ "sha256": "bb0ebdc1eaa518a43a85a25951a8d3bb5afc5efe28ed295961a00afbb0f048f4",
+ "type": "eql",
+ "version": 2
+ },
 "51a09737-80f7-4551-a3be-dac8ef5d181a": {
 "rule_name": "Tainted Out-Of-Tree Kernel Module Load",
 "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa",
@@ -2678,9 +2690,9 @@
 },
 "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
 "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
- "sha256": "cce1af93176b643f8c69e79b1ef19c94e25df9e6f6607ba60b50433fd8914264",
+ "sha256": "abbed0de67d7ae950dd29ebf82d8d832f7075ebdd3b1ff3841b33f154df5f96a",
 "type": "new_terms",
- "version": 9
+ "version": 10
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
 "rule_name": "AWS EFS File System or Mount Deleted",
@@ -2817,9 +2829,9 @@
 }
 },
 "rule_name": "PowerShell PSReflect Script",
- "sha256": "feeee2403f399c6d729c001a0178272237732cb46fe4d292f1b595d7910f782b",
+ "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d",
 "type": "query",
- "version": 210
+ "version": 211
 },
 "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
 "rule_name": "Execution of an Unsigned Service",
@@ -3089,9 +3101,9 @@
 "5f0234fd-7f21-42af-8391-511d5fd11d5c": {
 "min_stack_version": "8.13",
 "rule_name": "AWS S3 Bucket Enumeration or Brute Force",
- "sha256": "929a9ca39ab9fb396533d10f723899fbaf9225968c94ae0f32e20a189d2c7827",
+ "sha256": "071ea0ec03009a13928231287c341607f6c9f838c32f33dbc078bccdd880b482",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "5f2f463e-6997-478c-8405-fb41cc283281": {
 "rule_name": "Potential File Download via a Headless Browser",
@@ -3099,6 +3111,12 @@
 "type": "eql",
 "version": 1
 },
+ "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
+ "rule_name": "Docker Escape via Nsenter",
+ "sha256": "11c34c854e425416671771fda4ebe364a729e7203d287c32837120c5426ec678",
+ "type": "eql",
+ "version": 1
+ },
 "60884af6-f553-4a6c-af13-300047455491": {
 "rule_name": "Azure Command Execution on Virtual Machine",
 "sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12",
@@ -3147,9 +3165,9 @@
 }
 },
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "8a06a6df25f7cd9d46fb890b91a35822e95e9ae636069608964018f12fa37d41",
+ "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8",
 "type": "query",
- "version": 213
+ "version": 214
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -3159,15 +3177,15 @@
 },
 "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
 "rule_name": "AdminSDHolder SDProp Exclusion Added",
- "sha256": "596066dff727c29d10294ff6d205113bf4bc37e185127d4586a4a53eb1ed9cb0",
+ "sha256": "75982bbce44c725ebe7454741f8f2f16bf44540a5eab19405c688ed67029cd86",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
 "rule_name": "Multiple Okta Sessions Detected for a Single User",
- "sha256": "061bd86219770d199904efabae4bb62bbc5897cdef6b8d1e517cae8670d3398e",
+ "sha256": "f25e451f9d9c08126337653c9ea7995d2e51c96900a93ceeb7efd560d4a16d08",
 "type": "threshold",
- "version": 1
+ "version": 2
 },
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
@@ -3189,9 +3207,9 @@
 },
 "63431796-f813-43af-820b-492ee2efec8e": {
 "rule_name": "Network Connection Initiated by SSHD Child Process",
- "sha256": "3ad6907db92363c314c35c6ee182f278b6d7de0e04a7d36e14b398a4fcd2146b",
+ "sha256": "026a0ff9383f49a20b58463f40f14c0331889526d60ee9e89e1e8d14c0772894",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "63c05204-339a-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
@@ -3279,9 +3297,9 @@
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18",
+ "sha256": "2dce2a06e9154b8dfcbb81694b06dc697b34579bf8cf6a0cd30736373befe600",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "rule_name": "Linux Process Hooking via GDB",
@@ -3307,9 +3325,9 @@
 },
 "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
 "rule_name": "Modification of the msPKIAccountCredentials",
- "sha256": "9a207172558146d200bc0297376b645cc44023db1b7a8202a16c432936fad1ab",
+ "sha256": "f50ea89e08ddc6328c44b623d878bc787655674577a6075bf9e3fb76d9078099",
 "type": "query",
- "version": 9
+ "version": 10
 },
 "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
 "rule_name": "Attempt to Modify an Okta Policy",
@@ -3391,9 +3409,9 @@
 },
 "68ad737b-f90a-4fe5-bda6-a68fa460044e": {
 "rule_name": "Suspicious Access to LDAP Attributes",
- "sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d",
+ "sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
 "rule_name": "AWS RDS DB Snapshot Created",
@@ -3416,9 +3434,9 @@
 "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM User Created Access Keys For Another User",
- "sha256": "47b579b9a56ed6ea73b213367dcfbd08587402835edd04fc34313a9314a6cd79",
+ "sha256": "f37f973f474742e8a38e13c139ca15569ef5585dd173927ac51ce82ef9c18c16",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
 "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
@@ -3541,9 +3559,9 @@
 },
 "6e9130a5-9be6-48e5-943a-9628bfc74b18": {
 "rule_name": "AdminSDHolder Backdoor",
- "sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1",
+ "sha256": "80f05981fbcc24c112445883cc761db7ad1e0595638df8e9ec23a15539069011",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
 "rule_name": "Enumeration of Users or Groups via Built-in Commands",
@@ -3637,9 +3655,9 @@
 },
 "7164081a-3930-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
- "sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec",
+ "sha256": "32963011dca38553023a0d151758f181bed528bee5ecb5b09ac7e98db6994910",
 "type": "query",
- "version": 4
+ "version": 5
 },
 "717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
 "rule_name": "Modification of Dynamic Linker Preload Shared Object",
@@ -3667,9 +3685,9 @@
 },
 "71de53ea-ff3b-11ee-b572-f661ea17fbce": {
 "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
- "sha256": "fc40abf7c58386b21b4e7ba3f8d8b900510aeaa86c789defff2aec11c20e707c",
+ "sha256": "221735c970fc3e380f11afa20a31274e578aab37486d9b912fe880f215412ddb",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "721999d0-7ab2-44bf-b328-6e63367b9b29": {
 "rule_name": "Microsoft 365 Potential ransomware activity",
@@ -3767,15 +3785,15 @@
 },
 "764c8437-a581-4537-8060-1fdb0e92c92d": {
 "rule_name": "Kubernetes Pod Created With HostIPC",
- "sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982",
+ "sha256": "5ddd8e0de022dc243009f61fe4aed4fd7812fd7d7ce4ff362bb536a2e0dcc1e9",
 "type": "query",
- "version": 203
+ "version": 204
 },
 "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
 "rule_name": "Access to a Sensitive LDAP Attribute",
- "sha256": "1ae31d3cb536669955d44bdf92b5c53dfd9868ad3ff5813fe8acee8502eecc41",
+ "sha256": "a0e3b8730c343117a90da40402ba342accfe78408370c0616811f7f7c7151628",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "766d3f91-3f12-448c-b65f-20123e9e9e8c": {
 "rule_name": "Creation of Hidden Shared Object File",
@@ -3832,9 +3850,9 @@
 },
 "7787362c-90ff-4b1a-b313-8808b1020e64": {
 "rule_name": "UID Elevation from Previously Unknown Executable",
- "sha256": "2b60afa9037795b630f1d33a76fcd68f49f3c1ccf9b0da8445765575a2508534",
+ "sha256": "cba8664ad751541036313bc6f39bf662a14e3ee4440c028dac9c4b089dd71780",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "77a3c3df-8ec4-4da4-b758-878f551dee69": {
 "rule_name": "Adversary Behavior - Detected - Elastic Endgame",
@@ -3933,9 +3951,9 @@
 },
 "79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
 "rule_name": "Potential Shadow Credentials added to AD Object",
- "sha256": "696545e871e59971a9c77d60fb7f5cb25cbbec8a62cdf6fd167b9ec939efa675",
+ "sha256": "cd48ecf96030ca2c8b75a94c8626c73026ee15c4d6168b32dcaae58fc5eabcee",
 "type": "query",
- "version": 108
+ "version": 109
 },
 "7a137d76-ce3d-48e2-947d-2747796a78c0": {
 "rule_name": "Network Sniffing via Tcpdump",
@@ -3987,9 +4005,9 @@
 },
 "7c2e1297-7664-42bc-af11-6d5d35220b6b": {
 "rule_name": "APT Package Manager Configuration File Creation",
- "sha256": "258486b4912fda4473895fde9c357e6ffafdb33966d85558b912df16f95cad7c",
+ "sha256": "7f541c0c50a6d33535985522ee86c00dcbab65268ec216860fa7dbf501f66554",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "7caa8e60-2df0-11ed-b814-f661ea17fbce": {
 "rule_name": "Google Workspace Bitlocker Setting Disabled",
@@ -4011,9 +4029,9 @@
 },
 "7d091a76-0737-11ef-8469-f661ea17fbcc": {
 "rule_name": "AWS Lambda Layer Added to Existing Function",
- "sha256": "26e76de9328e30fd2a1ccfedc25b238243c1c82d255dd6d1e3f7ccc9e67d7898",
+ "sha256": "2b5beb7d7435862fd58aef36fbe1c663e0c9dd064e09b122cce712360569c1da",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "7d2c38d7-ede7-4bdf-b140-445906e6c540": {
 "rule_name": "Tor Activity to the Internet",
@@ -4034,7 +4052,7 @@
 "version": 2
 },
 "7e23dfef-da2c-4d64-b11d-5f285b638853": {
- "min_stack_version": "8.12",
+ "min_stack_version": "8.13",
 "previous": {
 "8.10": {
 "max_allowable_version": 102,
@@ -4042,12 +4060,19 @@
 "sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49",
 "type": "eql",
 "version": 3
+ },
+ "8.12": {
+ "max_allowable_version": 203,
+ "rule_name": "Microsoft Management Console File from Unusual Path",
+ "sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49",
+ "type": "eql",
+ "version": 104
 }
 },
 "rule_name": "Microsoft Management Console File from Unusual Path",
 "sha256": "adb75f0219164c5e3c96a145f69d0da86658f728ce7ced78350c0b40f97eb464",
 "type": "eql",
- "version": 103
+ "version": 204
 },
 "7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
 "rule_name": "Suspicious WMIC XSL Script Execution",
@@ -4063,9 +4088,9 @@
 },
 "7fb500fa-8e24-4bd1-9480-2a819352602c": {
 "rule_name": "Systemd Timer Created",
- "sha256": "45cb9853a105ac47b63d0424f8bae22ba4f4cd32a1a54641b355e1ca2600cc91",
+ "sha256": "36739d1ea63a60bf5bf18435372ca052df46550047f525bcdad4d50834353f0f",
 "type": "eql",
- "version": 12
+ "version": 13
 },
 "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
 "min_stack_version": "8.13",
@@ -4146,9 +4171,9 @@
 }
 },
 "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
- "sha256": "da93c9757e2bcf7faed59270b7d6ee09006cacaab0f5d201d13e988814868cf4",
+ "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5",
 "type": "query",
- "version": 211
+ "version": 212
 },
 "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
 "rule_name": "Temporarily Scheduled Task Creation",
@@ -4324,9 +4349,9 @@
 },
 "894326d2-56c0-4342-b553-4abfaf421b5b": {
 "rule_name": "Potential WPAD Spoofing via DNS Record Creation",
- "sha256": "e31ebc9b2e2d37078a625aed023401808117893b3d430c3d1efa9613c4c25e8b",
+ "sha256": "8dd7a417573e32c8f9a9a915202a55dd8102686e9658319a446b576a606ee36e",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
 "rule_name": "Linux Restricted Shell Breakout via the vi command",
@@ -4448,6 +4473,13 @@
 "type": "eql",
 "version": 11
 },
+ "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": {
+ "min_stack_version": "8.10",
+ "rule_name": "RPM Package Installed by Unusual Parent Process",
+ "sha256": "024fc49f53a9fd7181c86315420fe4dccfb3bdd681a4137d7cdf9941fcb288fe",
+ "type": "new_terms",
+ "version": 1
+ },
 "8d366588-cbd6-43ba-95b4-0971c3f906e5": {
 "rule_name": "File with Suspicious Extension Downloaded",
 "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0",
@@ -4472,6 +4504,12 @@
 "type": "query",
 "version": 102
 },
+ "8e2485b6-a74f-411b-bf7f-38b819f3a846": {
+ "rule_name": "Potential WSUS Abuse for Lateral Movement",
+ "sha256": "14b4979002a83a6465682c6befade51921e625b24b5f4e9a1853b44867a35df8",
+ "type": "eql",
+ "version": 2
+ },
 "8e39f54e-910b-4adb-a87e-494fbba5fb65": {
 "rule_name": "Potential Outgoing RDP Connection by Unusual Process",
 "sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459",
@@ -4486,9 +4524,9 @@
 },
 "8f242ffb-b191-4803-90ec-0f19942e17fd": {
 "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
- "sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6",
+ "sha256": "a7bdaa881fb24eeac7f8b469e62094e6743b3e033b57c9e6b304f30557b471fa",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "8f3e91c7-d791-4704-80a1-42c160d7aa27": {
 "rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
@@ -4700,9 +4738,9 @@
 },
 "951779c2-82ad-4a6c-82b8-296c1f691449": {
 "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
- "sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6",
+ "sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "954ee7c8-5437-49ae-b2d6-2960883898e9": {
 "rule_name": "Remote Scheduled Task Creation",
@@ -4842,6 +4880,12 @@
 "type": "eql",
 "version": 3
 },
+ "9822c5a1-1494-42de-b197-487197bb540c": {
+ "rule_name": "Git Hook Egress Network Connection",
+ "sha256": "6d36df93f7a4a9365138e6a5ca493712ab0384647f7f19e86479b6e29c524099",
+ "type": "eql",
+ "version": 1
+ },
 "98843d35-645e-4e66-9d6a-5049acd96ce1": {
 "rule_name": "Indirect Command Execution via Forfiles/Pcalua",
 "sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416",
@@ -4929,9 +4973,9 @@
 "9aa4be8d-5828-417d-9f54-7cd304571b24": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
- "sha256": "eff6b294c92c7c35ef4eb29bb794b1411e7565a8c4b583706f2b90fe0eb66bfc",
+ "sha256": "6fefd72c277cd75eb7a8ef7ad56be46dff3cc3dc600c49b50c2c8e7f5249af7f",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
 "rule_name": "GitHub Owner Role Granted To User",
@@ -4948,9 +4992,9 @@
 "9b80cb26-9966-44b5-abbf-764fbdbc3586": {
 "min_stack_version": "8.11",
 "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
- "sha256": "09a5921aebc2dd2ccaa3c5f1ec3555fe6b3c42684ded88c5f19af5361d9b7bee",
+ "sha256": "869205c107b75f01fc84a1a4d7906b841d447e59fa886d66162a42cadd64c68e",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "9c260313-c811-4ec8-ab89-8f6530e0246c": {
 "rule_name": "Hosts File Modified",
@@ -5038,9 +5082,9 @@
 },
 "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
 "rule_name": "AWS RDS DB Instance Made Public",
- "sha256": "17ecf0959839ce503bd007ec83692ce66c8030a9fb479e52cf63f27f40bce235",
+ "sha256": "d5b10fa1230219482d9260c9b3abc29a378aad24325e84d344be2fa223a72b04",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
 "rule_name": "Potential Protocol Tunneling via EarthWorm",
@@ -5217,6 +5261,12 @@
 "type": "eql",
 "version": 112
 },
+ "a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
+ "rule_name": "AWS S3 Bucket Server Access Logging Disabled",
+ "sha256": "468acf9925b683cd43a8c9d55cff0117071c66f66e7c1a1dfe43b164b6cb22a2",
+ "type": "eql",
+ "version": 1
+ },
 "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
 "rule_name": "Emond Rules Creation or Modification",
 "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287",
@@ -5241,6 +5291,13 @@
 "type": "eql",
 "version": 110
 },
+ "a80d96cd-1164-41b3-9852-ef58724be496": {
+ "min_stack_version": "8.10",
+ "rule_name": "Privileged Docker Container Creation",
+ "sha256": "71a69d4b84ccadbd7640c534e386e6eb4f86321b6bc43973d840f1a936706df4",
+ "type": "new_terms",
+ "version": 1
+ },
 "a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
 "rule_name": "Entra ID Device Code Auth with Broker Client",
 "sha256": "1cf36e99756517a71c3c4daeef8d7ed86213399d94ede19cb11a01ad05ef7323",
@@ -5459,9 +5516,9 @@
 },
 "ad959eeb-2b7b-4722-ba08-a45f6622f005": {
 "rule_name": "Suspicious APT Package Manager Execution",
- "sha256": "9cbc1daea47fb821c72c3e512bbb09b857e9a4b44454631dfe45b495c8adc9fa",
+ "sha256": "129a19636bb2a5074188b195332bb5f191fa7c838a1aa56dd1e30cb5df52303f",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
 "rule_name": "File Transfer or Listener Established via Netcat",
@@ -5477,9 +5534,9 @@
 },
 "ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
 "rule_name": "Suspicious File Creation via Kworker",
- "sha256": "89dd331d158595da7f82292bb3ad35215a29392df1352a0082b0ffae70f15088",
+ "sha256": "a932bb2a7c777540aee96e3bd9ed937cff8e801ad0e9351bd907f5111f8a94c6",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
 "rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
@@ -5586,9 +5643,9 @@
 },
 "b36c99af-b944-4509-a523-7e0fad275be1": {
 "rule_name": "AWS RDS Snapshot Deleted",
- "sha256": "8b76484fc36e6fadcda9a04a2159138a7848fea3ac58faa33232daf8efb18d03",
+ "sha256": "5ef62fe38d22a4511a897c8008ac45dc5666daf58d4330f04538f49decbbeea1",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
 "rule_name": "Suspicious Endpoint Security Parent Process",
@@ -5646,9 +5703,9 @@
 },
 "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
 "rule_name": "Systemd Service Started by Unusual Parent Process",
- "sha256": "a074138b6a33a4b9b1a130c6f7b65c67cdb9876c041ca0b69884d42473c8b69b",
+ "sha256": "685f7eda1ffe48d637bb57dd38a4e2f75a7db512b20e0f6fe2346df99999cb0a",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "b627cd12-dac4-11ec-9582-f661ea17fbcd": {
 "rule_name": "Elastic Agent Service Terminated",
@@ -5706,9 +5763,9 @@
 },
 "b8386923-b02c-4b94-986a-d223d9b01f88": {
 "rule_name": "PowerShell Invoke-NinjaCopy script",
- "sha256": "40c977b1f7dad3726a8f0c97749e00256994f75580fd498135538a04857e663d",
+ "sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21",
 "type": "query",
- "version": 5
+ "version": 6
 },
 "b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
 "min_stack_version": "8.13",
@@ -5909,9 +5966,9 @@
 },
 "bd2c86a0-8b61-4457-ab38-96943984e889": {
 "rule_name": "PowerShell Keylogging Script",
- "sha256": "92008de004bfec5733b4d1f7cd48ddbe75ac79f7f3c92d54d71bd7f5447d260d",
+ "sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e",
 "type": "query",
- "version": 112
+ "version": 113
 },
 "bd3d058d-5405-4cee-b890-337f09366ba2": {
 "rule_name": "Potential Defense Evasion via CMSTP.exe",
@@ -5975,9 +6032,9 @@
 },
 "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
 "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
- "sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e",
+ "sha256": "6ef5b668d02b203ffdc37ef65990aee5f42c4670ba455b360633b447080411c1",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
 "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
@@ -6027,6 +6084,12 @@
 "type": "eql",
 "version": 102
 },
+ "c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
+ "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
+ "sha256": "7dfac73dced87edaa379d9833ef2f04a8f33bdcf67589b61d2314529be98b5e6",
+ "type": "eql",
+ "version": 1
+ },
 "c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
 "rule_name": "Microsoft IIS Connection Strings Decryption",
 "sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef",
@@ -6183,6 +6246,12 @@
 "type": "query",
 "version": 205
 },
+ "c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
+ "rule_name": "Egress Connection from Entrypoint in Container",
+ "sha256": "316a1006bad5109ad8ef036d4b8ba5142bcc0cd4822c7c4c0e3f4852e1860f20",
+ "type": "eql",
+ "version": 1
+ },
 "c7894234-7814-44c2-92a9-f7d851ea246a": {
 "rule_name": "Unusual Network Connection via DllHost",
 "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6",
@@ -6191,9 +6260,9 @@
 },
 "c7908cac-337a-4f38-b50d-5eeb78bdb531": {
 "rule_name": "Kubernetes Privileged Pod Created",
- "sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a",
+ "sha256": "3220434ae7ebd56669033cb648bf9d422b8aec1fb59053d8472bcb7a69abf1a1",
 "type": "query",
- "version": 203
+ "version": 204
 },
 "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
 "rule_name": "Unusual File Modification by dns.exe",
@@ -6245,9 +6314,9 @@
 },
 "c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
 "rule_name": "Potential Linux Ransomware Note Creation Detected",
- "sha256": "a6ee22bb7fef22f21c9792186337bc557bd1aaba670d4de8d077fd7892d46ad2",
+ "sha256": "370e2287e26fd37cab018216a50a46bdac348146f3ab718ff3a9d20dd6380f0e",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "rule_name": "Suspicious Startup Shell Folder Modification",
@@ -6557,6 +6626,12 @@
 "type": "eql",
 "version": 107
 },
+ "d488f026-7907-4f56-ad51-742feb3db01c": {
+ "rule_name": "AWS S3 Bucket Replicated to Another Account",
+ "sha256": "fc10d87ef74b91aafdf6f789f6c0f7602e2a1f222d20a3433c18424042268f55",
+ "type": "eql",
+ "version": 1
+ },
 "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
 "rule_name": "Attempt to Delete an Okta Application",
 "sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6",
@@ -6618,6 +6693,12 @@
 "type": "eql",
 "version": 107
 },
+ "d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
+ "rule_name": "Unusual DPKG Execution",
+ "sha256": "69340d5a5035b5a7afddb451f23b3a5ff02a53ac0e1d8d93bc331e92cccfde1b",
+ "type": "eql",
+ "version": 1
+ },
 "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
 "rule_name": "AWS CloudWatch Log Stream Deletion",
 "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578",
@@ -6786,6 +6867,12 @@
 "type": "eql",
 "version": 5
 },
+ "dc61f382-dc0c-4cc0-a845-069f2a071704": {
+ "rule_name": "Git Hook Command Execution",
+ "sha256": "282fc3f8ccba0ee2e2712e27b8c470536176a5b702f23fded8742b217ac7e540",
+ "type": "eql",
+ "version": 1
+ },
 "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
 "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
 "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
@@ -6824,9 +6911,9 @@
 },
 "dd52d45a-4602-4195-9018-ebe0f219c273": {
 "rule_name": "Network Connections Initiated Through XDG Autostart Entry",
- "sha256": "33706216d4262064ec48b546b6ffdf38bed77bb6eb5accc6f3c50dfcfdaf3123",
+ "sha256": "3d195d2619285bfbd6aca75e191418a6b62714cfd361ca97b4f700816d1f7663",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
 "rule_name": "Reverse Shell Created via Named Pipe",
@@ -6843,9 +6930,9 @@
 "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
- "sha256": "19d99e61768ab16b134e882ec4962306af32019e01915f7ab3e1cf5f2133b998",
+ "sha256": "8979a73ae9ab4764b2093fc3309d75e33d1a0cbb4d0324ecb205316fbcd81be4",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "rule_name": "Unusual Child Process from a System Virtual Process",
@@ -6891,16 +6978,16 @@
 },
 "df7fda76-c92b-4943-bc68-04460a5ea5ba": {
 "rule_name": "Kubernetes Pod Created With HostPID",
- "sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622",
+ "sha256": "0aa047864e74cf8a18fe9dd039cc10fc1cfadcd1b2b98de5cfedf9afe1c98251",
 "type": "query",
- "version": 203
+ "version": 204
 },
 "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
- "sha256": "a504729c3998dc3923862276128db6af723328cdce3b98391d9578e95419b28d",
+ "sha256": "5b5ba08eead004cb3d4496535950dc93033040262d718f2307f0585fd0a266dc",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "df959768-b0c9-4d45-988c-5606a2be8e5a": {
 "rule_name": "Unusual Process Execution - Temp",
@@ -7010,9 +7097,9 @@
 }
 },
 "rule_name": "Suspicious .NET Reflection via PowerShell",
- "sha256": "3cf8ff583ef123ebe0ef752da349e94652bcd203d089689bf6cfba36e727cc9d",
+ "sha256": "31536a11d590cece9331f011d8354e03c5452833563053431fcec39ce7de39de",
 "type": "query",
- "version": 212
+ "version": 213
 },
 "e28b8093-833b-4eda-b877-0873d134cf3c": {
 "min_stack_version": "8.11",
@@ -7077,9 +7164,9 @@
 },
 "e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
 "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
- "sha256": "ad8079dba717dfa922d05b69f5258721d12980d2f2ddc8d494fb7fcdcda065fa",
+ "sha256": "2612a73932324f2d0d2d71d184740ba05e67dee72b389d4dd7a60b54c96ee46d",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
 "rule_name": "First Time Seen NewCredentials Logon Process",
@@ -7215,15 +7302,15 @@
 },
 "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
 "rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
- "sha256": "5b1937ed0f1a2ea8d8b793ad31baa79ae277d949a84917d1c7a94395daa4a29b",
+ "sha256": "14242eb38154b8a8e1a58bf61c0bfb74b5979a402c8daf3ac16d945e00cfd816",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
 "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
- "sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35",
+ "sha256": "8357787656e3daed9dc3bd059a5ddbfe3135b2c8f5f60e19c0e6f21f35c60199",
 "type": "new_terms",
- "version": 105
+ "version": 106
 },
 "e90ee3af-45fc-432e-a850-4a58cf14a457": {
 "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -7299,9 +7386,9 @@
 },
 "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
 "rule_name": "Suspicious APT Package Manager Network Connection",
- "sha256": "e33ef40e6926a8ebb9819b992a678c5cb30b5ca0ec2564ad888d213893eec80c",
+ "sha256": "661da391dd78348e6362f2c0adfd6989bbbe145a0119ef4fc58a6b960cbcff03",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "eb079c62-4481-4d6e-9643-3ca499df7aaa": {
 "rule_name": "External Alerts",
@@ -7538,9 +7625,9 @@
 },
 "f2015527-7c46-4bb9-80db-051657ddfb69": {
 "rule_name": "AWS RDS DB Instance or Cluster Password Modified",
- "sha256": "e6460a31449c23f8abfc491157dd710febce134e74e0b2a94674e4238594f31f",
+ "sha256": "4e740008509defdc52f3ce580a43a0c02b9f679ad77ebf0f4136253adef5b1ec",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "f243fe39-83a4-46f3-a3b6-707557a102df": {
 "rule_name": "Service Path Modification",
@@ -7568,9 +7655,9 @@
 },
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "rule_name": "LSASS Memory Dump Creation",
- "sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4",
+ "sha256": "e5fdfcb66dea5127d8f0e81321083c8f03e4f3d583ff0cdbd29bdd9d55c5738a",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
 "rule_name": "AWS RDS Instance Creation",
@@ -7628,9 +7715,9 @@
 },
 "f48ecc44-7d02-437d-9562-b838d2c41987": {
 "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
- "sha256": "93c96b13d7d31467aad7b9c5c4f5f7d57d901aef4bc28ba0aa3435056d1fcac8",
+ "sha256": "6dc8920fe9a4bc479c93299a5b594945d88909d894d5a90f8997caba441bfa2a",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "f494c678-3c33-43aa-b169-bb3d5198c41d": {
 "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
@@ -7645,6 +7732,13 @@
 "type": "esql",
 "version": 1
 },
+ "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
+ "min_stack_version": "8.10",
+ "rule_name": "DPKG Package Installed by Unusual Parent Process",
+ "sha256": "d1fdc0cf4916e52650e3c796851aa1b7ce6f2c33b18b0b7d62594435904c9876",
+ "type": "new_terms",
+ "version": 1
+ },
 "f52362cd-baf1-4b6d-84be-064efc826461": {
 "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
 "sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
@@ -7719,9 +7813,9 @@
 },
 "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
 "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
- "sha256": "5d49105f2099fe1c95a69e97a0bc950a38fa1c2c94f564b11948f80c348c3513",
+ "sha256": "e4f93dc05162bf6cad753a1327db0e023df793034c6204d0b08a1d15f6d23b4b",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "rule_name": "Delete Volume USN Journal with Fsutil",
@@ -7917,9 +8011,9 @@
 },
 "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
 "rule_name": "User or Group Creation/Modification",
- "sha256": "490363306b4257204e506425c71095a8e6d0d7dacd80b8c9ab0d2896a95eeba1",
+ "sha256": "7d0cd61a7ee1b6b5c420e7c65fa957d464287864d848af99298aefd73ed89184",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "fd01b949-81be-46d5-bcf8-284395d5f56d": {
 "rule_name": "GitHub App Deleted",
@@ -7929,9 +8023,9 @@
 },
 "fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
 "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
- "sha256": "100db09c2d29764aa7b946d7b316cc9a17183ce57593ca72f84d578faa490b68",
+ "sha256": "6e4722f7391334da9fa02d2bfe859e94a1110c6b78b728f62607aaa9380b59e9",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "fd3fc25e-7c7c-4613-8209-97942ac609f6": {
 "rule_name": "Linux Restricted Shell Breakout via the expect command",
@@ -7965,15 +8059,15 @@
 },
 "fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
 "rule_name": "System Binary Moved or Copied",
- "sha256": "7dde3a1e0411df154e689f9f2cf9df0b84e51b6f97f7f0c86121d90c0ee8c602",
+ "sha256": "53f77d9b26e7b3c4f4a9405f5a37689a6f6835378960abea321bb8127a7cc0e2",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "fddff193-48a3-484d-8d35-90bb3d323a56": {
 "rule_name": "PowerShell Kerberos Ticket Dump",
- "sha256": "1ccbc020df7ccd578a04c6a962cba1a9eb01217fe0325d1ebb52cfcae454276e",
+ "sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3",
 "type": "query",
- "version": 4
+ "version": 5
 },
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
@@ -8019,15 +8113,15 @@
 },
 "ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
 "rule_name": "Cron Job Created or Modified",
- "sha256": "8b90331ba2cd07c2de41d17ca68bee336ea36c749c9c78f7dc5187704d786cc4",
+ "sha256": "605581cc6adbd551e8e3354e5d289bc809a96070b5ff60171f1c4b73ac505a15",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
 "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
- "sha256": "f2663204a55cb4e897803fbc5d1f136637511d520fa0c559bf7234323858ab5e",
+ "sha256": "7842115a7191021a44e61d69bdc1563edc6e9d471a1237af41d228647df07824",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "ff4599cb-409f-4910-a239-52e4e6f532ff": {
 "rule_name": "LSASS Process Access via Windows API",