diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index a9a449bd20f..a58afc8401f 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -136,6 +136,13 @@ "type": "threshold", "version": 3 }, + "0415258b-a7b2-48a6-891a-3367cd9d4d31": { + "min_stack_version": "8.10", + "rule_name": "First Time AWS Cloudformation Stack Creation by User", + "sha256": "94bf8efc1418d0c3dbcfad25b23fcfb931aaa7d34d5a718971956c00ce220f69", + "type": "new_terms", + "version": 1 + }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Modification of OpenSSH Binaries", "sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494", @@ -168,9 +175,9 @@ }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730", + "sha256": "62ffe5e865877ef8219855345f46847fe57e06fe444ff0e1677417423462f9f7", "type": "eql", - "version": 110 + "version": 111 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", @@ -257,9 +264,9 @@ } }, "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "56429d1cd02f3329c6753fbb15a52eee3bffe8568d69b72013586dde2be95b57", + "sha256": "1d581fab9894150d93b9290184613601916238ed613aed8f033ba029c6d7f747", "type": "eql", - "version": 211 + "version": 212 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", @@ -386,6 +393,12 @@ "type": "query", "version": 110 }, + "0b79f5c0-2c31-4fea-86cd-e62644278205": { + "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", + "sha256": "ba7852357719e494be81332b6d01118f5355863b002a850e69704188995ec8c6", + "type": "eql", + "version": 1 + }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "rule_name": "Potential Shell via Wildcard Injection Detected", "sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9", @@ -694,9 +707,9 @@ }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697", + "sha256": "61444df98cf53ebddeb195242c5e574f0dc8ccb8d8f4dc6594a0adad1b12c8ae", "type": "eql", - "version": 109 + "version": 110 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", @@ -760,9 +773,9 @@ }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", - "sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08", + "sha256": "b0696bdb5caeee166adb282c9d5183cbe4347a8d2fed7807235f3e34d613d7a4", "type": "eql", - "version": 113 + "version": 114 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", @@ -1107,9 +1120,9 @@ }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "rule_name": "Creation or Modification of Root Certificate", - "sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53", + "sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332", "type": "eql", - "version": 110 + "version": 111 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", @@ -1274,9 +1287,15 @@ }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "412a8490a6178fe02adf3eb8d88b4b119d8af57a0e8583ca4a61a6504c554ab5", + "sha256": "c48d98b19af215d3015bf2ae376ddaf8e9cf52396b7d8c7ecc202a8dd07e6ca7", "type": "eql", - "version": 5 + "version": 6 + }, + "263481c8-1e9b-492e-912d-d1760707f810": { + "rule_name": "Potential Relay Attack against a Domain Controller", + "sha256": "29653a7e284dbb939a7a8255c062053acc7a8a9ed217a576cbe3ee9550260c4e", + "type": "eql", + "version": 1 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Container Access Level Modification", @@ -1610,9 +1629,9 @@ }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "rule_name": "Creation of a Hidden Local User Account", - "sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f", + "sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478", "type": "eql", - "version": 110 + "version": 111 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", @@ -1646,9 +1665,9 @@ }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "4ef923e73c924a38e0cf60427e8d215a0402d88bd2d9cb5ede83696a7716d700", + "sha256": "2cdb7b3a2bf626307a984b0abe5d085a6c7fddf727f862b27c5c4226a83c20a5", "type": "eql", - "version": 112 + "version": 113 }, "301571f3-b316-4969-8dd0-7917410030d3": { "rule_name": "Malicious Remote File Creation", @@ -1664,9 +1683,9 @@ }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", - "sha256": "4852203398c11a4639cf6b6e5a60a3f6076a2888bac58d701a1229bbd0f44f33", + "sha256": "16e9f3ed67d6796c3a8d6b7fae2c3432ecec1180bccc33240b81d05c0d654d22", "type": "eql", - "version": 1 + "version": 2 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "rule_name": "ESXI Timestomping using Touch Command", @@ -1789,9 +1808,9 @@ }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1", + "sha256": "fca388730dbad2c3ff2b395e9a5b007eb2322d3321108a972c0800621625b236", "type": "query", - "version": 104 + "version": 105 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", @@ -1854,9 +1873,9 @@ }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2", + "sha256": "af158d7bfec8753394ad026acb38864b9b079e3e72c88b77c89994f5bd556cd7", "type": "eql", - "version": 107 + "version": 108 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "rule_name": "High Mean of Process Arguments in an RDP Session", @@ -1977,10 +1996,20 @@ "version": 8 }, "3a657da0-1df2-11ef-a327-f661ea17fbcc": { + "min_stack_version": "8.13", + "previous": { + "8.10": { + "max_allowable_version": 102, + "rule_name": "Rapid7 Threat Command CVEs Correlation", + "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1", + "type": "threat_match", + "version": 3 + } + }, "rule_name": "Rapid7 Threat Command CVEs Correlation", "sha256": "84bf983155b5e76077e32a0adf47cc76be94453dbd39a996d7cb55b112a6eb99", "type": "threat_match", - "version": 2 + "version": 103 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", @@ -2173,9 +2202,9 @@ }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", - "sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6", + "sha256": "7041f252f474f1e369c464abd37f99158b76abc8a410ca1b574a7ba8d9949434", "type": "eql", - "version": 108 + "version": 109 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "rule_name": "Suspicious Modprobe File Event", @@ -2600,9 +2629,9 @@ } }, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "56b311155088f43b725ed46b4f073ce9e8c6c4cf56e3a435b24b86d86aad53c2", + "sha256": "12362423f221d5f78a62ede69455b6acc8926caeb7057ac6af76e9e8663839a1", "type": "eql", - "version": 311 + "version": 312 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", @@ -2617,10 +2646,20 @@ "version": 104 }, "5188c68e-d3de-4e96-994d-9e242269446f": { + "min_stack_version": "8.13", + "previous": { + "8.10": { + "max_allowable_version": 102, + "rule_name": "Service DACL Modification via sc.exe", + "sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d", + "type": "eql", + "version": 3 + } + }, "rule_name": "Service DACL Modification via sc.exe", "sha256": "bb0ebdc1eaa518a43a85a25951a8d3bb5afc5efe28ed295961a00afbb0f048f4", "type": "eql", - "version": 2 + "version": 103 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { "rule_name": "Tainted Out-Of-Tree Kernel Module Load", @@ -2727,9 +2766,9 @@ }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "rule_name": "Uncommon Registry Persistence Change", - "sha256": "1e4f39e3118e880f5a867bfacf7e44eb031423fd7f329399580ab13c11496005", + "sha256": "61c4a9b0ac89069ebebbae26b3fdacde12584f6f4e7740be2af14ada43fb3a09", "type": "eql", - "version": 108 + "version": 109 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.12", @@ -2749,9 +2788,9 @@ }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "rule_name": "Network Logon Provider Registry Modification", - "sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59", + "sha256": "4fecc41d452137292a6ff4c3b910e2db51e3a2b19db79c8b080a77123e6fa91c", "type": "eql", - "version": 109 + "version": 110 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "rule_name": "Windows Service Installed via an Unusual Client", @@ -2767,9 +2806,9 @@ }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { "rule_name": "Windows Installer with Suspicious Properties", - "sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753", + "sha256": "312e779c5096313dd68712aec37a208169b7e7e58d9dc4a1362676776d5745c6", "type": "eql", - "version": 1 + "version": 2 }, "56004189-4e69-4a39-b4a9-195329d226e9": { "rule_name": "Unusual Process Spawned by a Host", @@ -2871,9 +2910,9 @@ }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "c31bbb3334b07220c4b6cef2aa9a19eab7c31d95eb16d2aa4e9238bee56e8c23", + "sha256": "76abc0c85f49d2d3d424da358ef2d8be32890bd1ea48e48bae9cb3452d1b75a7", "type": "eql", - "version": 1 + "version": 2 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Deleting Backup Catalogs with Wbadmin", @@ -2883,9 +2922,9 @@ }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", - "sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb", + "sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1", "type": "eql", - "version": 111 + "version": 112 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", @@ -3231,9 +3270,9 @@ }, "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "rule_name": "Sensitive Registry Hive Access via RegBack", - "sha256": "417b0c6af6df3823e5c27b53ae2f2e9eb7eb16e6f01f91427f7abb1d180c9885", + "sha256": "5fc949c2d8e00d3580f74fc9c2d044a0ed34182238f186e9c60e3f63df540d87", "type": "eql", - "version": 1 + "version": 2 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", @@ -3367,9 +3406,9 @@ }, "6839c821-011d-43bd-bd5b-acff00257226": { "rule_name": "Image File Execution Options Injection", - "sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c", + "sha256": "50bf5a8bd62644d73f17a659a039bf239abd8300e1a63ce24f0e7962f8da028a", "type": "eql", - "version": 107 + "version": 108 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "New or Modified Federation Domain", @@ -3397,9 +3436,9 @@ }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c", + "sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07", "type": "eql", - "version": 107 + "version": 108 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", @@ -3643,9 +3682,9 @@ }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857", + "sha256": "48ce070e2534c85222ae42380aff08e9cf1051209120195a41abb438dd4f8f6e", "type": "eql", - "version": 108 + "version": 109 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", @@ -4379,9 +4418,9 @@ }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "rule_name": "Suspicious Symbolic Link Created", - "sha256": "6041852ef2da176bb02a69879e30441c9842802e2b5e06678aaca5653322cf32", + "sha256": "e6768a2a66d26ab7605de86680ec11417c10c845603ad67d0b5768837751b40f", "type": "eql", - "version": 5 + "version": 6 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "rule_name": "Potential Okta MFA Bombing via Push Notifications", @@ -4457,9 +4496,9 @@ }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", - "sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda", + "sha256": "e39c5937dbc4ab56573d51ab9f6ce2aecc5f8d281f4c0d4a2d2c86bf94d01fd5", "type": "eql", - "version": 106 + "version": 107 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", @@ -4505,10 +4544,20 @@ "version": 102 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { + "min_stack_version": "8.13", + "previous": { + "8.10": { + "max_allowable_version": 102, + "rule_name": "Potential WSUS Abuse for Lateral Movement", + "sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3", + "type": "eql", + "version": 3 + } + }, "rule_name": "Potential WSUS Abuse for Lateral Movement", "sha256": "14b4979002a83a6465682c6befade51921e625b24b5f4e9a1853b44867a35df8", "type": "eql", - "version": 2 + "version": 103 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", @@ -4530,9 +4579,9 @@ }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c", + "sha256": "9d598e6e9bc071131420f3deda7217c06abc51610e570d681b78402ea96352e6", "type": "eql", - "version": 106 + "version": 107 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", @@ -4707,9 +4756,9 @@ }, "94418745-529f-4259-8d25-a713a6feb6ae": { "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "45b22e6a32cde549ff94fed6e252272ab50f5e930618ac392c419221bc2e7a0b", + "sha256": "6d87a179a9250be94d5ebc89d3c18cac19a649c4532c5e5aad6410478f96a232", "type": "eql", - "version": 2 + "version": 3 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Creation of Kernel Module", @@ -4744,9 +4793,9 @@ }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", - "sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80", + "sha256": "bac765ec665e393fb7abe2f02f93968c2d175a15544229c56054eb22f34775c6", "type": "eql", - "version": 108 + "version": 109 }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", @@ -4870,9 +4919,9 @@ }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", - "sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684", + "sha256": "a9b76ad35efed428600fccb9f8ae90c150c46bc3fc5fd166b1bef8b119c42576", "type": "eql", - "version": 111 + "version": 112 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", @@ -4966,9 +5015,9 @@ }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce", + "sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88", "type": "eql", - "version": 109 + "version": 110 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { "min_stack_version": "8.13", @@ -5148,9 +5197,9 @@ }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119", + "sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9", "type": "eql", - "version": 7 + "version": 8 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", @@ -5178,9 +5227,9 @@ }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "4431365d45dff1dc0bb58de9834b1f789ec1644de2b4e9a4fc91939f2daa2306", + "sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36", "type": "eql", - "version": 110 + "version": 111 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", @@ -5200,6 +5249,12 @@ "type": "eql", "version": 108 }, + "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { + "rule_name": "AWS EC2 Instance Interaction with IAM Service", + "sha256": "9e4af5cbfc36dcf4ab18a58a55f1d842bdf17984c316634858daba91f4a597e8", + "type": "eql", + "version": 1 + }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942", @@ -5348,9 +5403,9 @@ }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd", + "sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d", "type": "eql", - "version": 108 + "version": 109 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", @@ -5442,6 +5497,12 @@ "type": "eql", "version": 1 }, + "ac5a2759-5c34-440a-b0c4-51fe674611d6": { + "rule_name": "Outlook Home Page Registry Modification", + "sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83", + "type": "eql", + "version": 1 + }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", "sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee", @@ -5857,9 +5918,9 @@ }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "5601d16f4802d024ee0184d6b289f4e1e69f656faea361a8198509634ecaa94f", + "sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847", "type": "eql", - "version": 110 + "version": 111 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", @@ -6206,9 +6267,9 @@ }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", - "sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6", + "sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b", "type": "eql", - "version": 108 + "version": 109 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", @@ -6320,9 +6381,9 @@ }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319", + "sha256": "985eb4b46415181a0323ee6989edd69c59dd6f2ce8d722127ad56b3a19fa80de", "type": "eql", - "version": 110 + "version": 111 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", @@ -6562,9 +6623,9 @@ }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292", + "sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35", "type": "eql", - "version": 110 + "version": 111 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", @@ -6584,6 +6645,12 @@ "type": "eql", "version": 3 }, + "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { + "rule_name": "AWS EC2 Instance Console Login via Assumed Role", + "sha256": "16a5255bebd2dbea413bcd674ddbbe9fc7c0e8a6c372b513b9a452bba2274d8a", + "type": "eql", + "version": 1 + }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", "sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6", @@ -6677,9 +6744,9 @@ }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c", + "sha256": "2a3b7c96ce47b36edf5907c4a17aa9daadb71967a9cf07899d4652d1229b4a30", "type": "eql", - "version": 106 + "version": 107 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", @@ -6731,9 +6798,9 @@ }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", - "sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df", + "sha256": "5ec17a379037e78fedec2824325606f2809d00b82ef20dbe0b033e7ca4f6a90b", "type": "eql", - "version": 109 + "version": 110 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", @@ -6809,9 +6876,9 @@ }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "cd4b7c5087be13627f1d4c03ecf5ac7eb292b6b9098b1404150445ce5c391a6f", + "sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e", "type": "eql", - "version": 10 + "version": 11 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", @@ -6923,9 +6990,9 @@ }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", - "sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735", + "sha256": "01ff1a4a0da048d2db7c176002b8d170340e7da6262971258cc7bdd9be0d1b53", "type": "eql", - "version": 108 + "version": 109 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "min_stack_version": "8.13", @@ -7290,9 +7357,9 @@ }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", - "sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c", + "sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7", "type": "eql", - "version": 108 + "version": 109 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "rule_name": "Host Files System Changes via Windows Subsystem for Linux", @@ -7649,9 +7716,9 @@ }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", - "sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf", + "sha256": "37fb482f0f36b0aaf240177b0772c47fbb687b0c27e4ce31b11827e6a81f5c54", "type": "eql", - "version": 107 + "version": 108 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", @@ -7880,9 +7947,16 @@ }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "c72616ff8d3f7e52d73f8ecfdf74d2f866c3022006cb09e63b8ddf2949902b53", + "sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd", "type": "eql", - "version": 111 + "version": 112 + }, + "f8822053-a5d2-46db-8c96-d460b12c36ac": { + "min_stack_version": "8.10", + "rule_name": "Potential Active Directory Replication Account Backdoor", + "sha256": "9688f78481678b10a288649c3ca1860936667b913c127421100f6640e5a357d1", + "type": "query", + "version": 1 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", @@ -8059,9 +8133,9 @@ }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "rule_name": "System Binary Moved or Copied", - "sha256": "53f77d9b26e7b3c4f4a9405f5a37689a6f6835378960abea321bb8127a7cc0e2", + "sha256": "cf5258393c1c96765c7ec4622413a5fa2b2ed02429b6dbfcaf2db4c1814f0568", "type": "eql", - "version": 10 + "version": 11 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "rule_name": "PowerShell Kerberos Ticket Dump", @@ -8077,9 +8151,9 @@ }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "3b4caccd62315bfba09e8fc1003d105a3d8246446718aad67d327b284b7e2f97", + "sha256": "93f435cb72d30a8a679257867d908523bc546a21fe8ceaa3f795c09830d3caa8", "type": "eql", - "version": 112 + "version": 113 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", @@ -8095,9 +8169,9 @@ }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "0cb2724deeff775fe087f8fc28747011973bfa19b4924546d551ae231cf102e2", + "sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329", "type": "eql", - "version": 107 + "version": 108 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",