diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 7ff477a7840..f737c9f0f47 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -338,7 +338,7 @@ "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "98600fe4b1c0c882bb99021122279f31ce5cdd2266abf34b56bab33f0cb7f190", "type": "query", - "version": 3 + "version": 5 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "min_stack_version": "8.3", @@ -547,9 +547,9 @@ "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "min_stack_version": "8.3", "rule_name": "Multiple Alerts Involving a User", - "sha256": "370e2374f3b2571a3f3119c682a5be649e235d1846b8eec75e7ba4705aac4263", + "sha256": "8d4c07265bf4bd3c24f522e31ba75c8a38f0b8d8b41064fcc50c4dcf0e4e168f", "type": "threshold", - "version": 1 + "version": 2 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.3", @@ -764,9 +764,9 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "571c3c9a9e52d72036dcd37ff012814d9bd65cb35c013e9a5ad0a9cb270ae47b", + "sha256": "0f8e7d4c05e2aa942a177e9e8522674ba38bc37003575e007b6ec8cbaa5c3a49", "type": "query", - "version": 2 + "version": 3 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", @@ -2184,9 +2184,9 @@ } }, "rule_name": "Potential Process Injection via PowerShell", - "sha256": "af6f4fb1b2ee6c896750bdd4d73df591989f45ce9e13a9c949f7d8919f5a7fb6", + "sha256": "8c6f27c7e2b39957500b3f0d690080088b823c905b6f202e1b1b0de855c8553f", "type": "query", - "version": 103 + "version": 104 }, "2e580225-2a58-48ef-938b-572933be06fe": { "min_stack_version": "8.3", @@ -2248,9 +2248,9 @@ } }, "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "701e6b024ca7be633acff2c87983ac3cb5f4a1ffcb7f16ff249fcab653225f5d", + "sha256": "7116ad8f42568440dcb1c9bc6b196885c1878eea0730ad2d2b0b7825393a398b", "type": "query", - "version": 103 + "version": 104 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "min_stack_version": "8.3", @@ -3379,7 +3379,7 @@ "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "1425ad887371020ed16a18072658404fa91af9a56fbbdc316e44823c9370d614", "type": "query", - "version": 3 + "version": 5 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "min_stack_version": "8.3", @@ -3432,9 +3432,9 @@ "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.3", "rule_name": "PowerShell Share Enumeration Script", - "sha256": "0d9859995c28fa581240cc5695b8aa93e8f7c2595ec329b3422380c3d25fa676", + "sha256": "74c65a7829bcc251f06c98c0d4f413e59c86158ee47f518c8c9b158a3166ef82", "type": "query", - "version": 3 + "version": 4 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "min_stack_version": "8.3", @@ -3782,6 +3782,13 @@ "type": "eql", "version": 101 }, + "54a81f68-5f2a-421e-8eed-f888278bb712": { + "min_stack_version": "8.3", + "rule_name": "Exchange Mailbox Export via PowerShell", + "sha256": "a48a9cbb679372bd144a77cbe76de0fbd8975e021e3052cbc9a8b7b217712c04", + "type": "query", + "version": 1 + }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "min_stack_version": "8.3", "previous": { @@ -3906,9 +3913,9 @@ } }, "rule_name": "PowerShell PSReflect Script", - "sha256": "091b0bb0507a9ca860cb1eab4a5b50c137b839deb2ce342decf68176ab91b4c6", + "sha256": "11eb65e63a95ed292472ba5a64844f98470b90ed7eaef8847ba571ec81dffaa1", "type": "query", - "version": 103 + "version": 104 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "min_stack_version": "8.3", @@ -3970,9 +3977,9 @@ } }, "rule_name": "PowerShell MiniDump Script", - "sha256": "58816e1e395d2b3dd424fe52412a8e0c6f41b45ac111e2135e28291a443f1ecb", + "sha256": "efa8737d826a936ed57d1404ea8b8ea907281530808f0add72c400af16dc720d", "type": "query", - "version": 103 + "version": 104 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.3", @@ -4306,7 +4313,7 @@ "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "a5a33cf12e70b976a8a202090de8c4e819f48cfb96c7be5ca799a3cd710da520", "type": "query", - "version": 3 + "version": 5 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "min_stack_version": "8.3", @@ -4406,9 +4413,9 @@ } }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "5e289255b3744f6c6d02f444ed0e5b133a67e62aed318d241d24a1fd7db26417", + "sha256": "40e4e50e213f12414a720dbad1084ac9c5c66f7327c57db4a0983cd0f76293aa", "type": "query", - "version": 103 + "version": 104 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -4794,7 +4801,7 @@ "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "900e09e88ba2b9b8a350387557983bccad76402efaa5f254d620c7a35f2dc7e7", "type": "query", - "version": 103 + "version": 105 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.3", @@ -4927,9 +4934,9 @@ } }, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "66727f73174ac2f2c261e172136cf6c6fb2cb140f447a85b4f37da5356af8d64", + "sha256": "c67ead923f191802c3f4b9ac87ce88c947bd2556188ad794e916a19872202460", "type": "eql", - "version": 103 + "version": 104 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "min_stack_version": "8.3", @@ -5108,7 +5115,7 @@ "rule_name": "Google Workspace Role Modified", "sha256": "ecaaefd4c78cf905024b3584372e31dd778a12b5a3a53cbc478adf8099648e69", "type": "query", - "version": 102 + "version": 104 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", @@ -5516,7 +5523,7 @@ "rule_name": "Application Added to Google Workspace Domain", "sha256": "ea4f94ba987a5d1684dd0f0d8c07ad19ab402403f98ab0c3f6c90db032a9a1e4", "type": "query", - "version": 102 + "version": 104 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "min_stack_version": "8.3", @@ -5663,7 +5670,7 @@ "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "93dc8b13643b49a519faaa37a39d18e52b52eff11913929d9063bf0040ad8880", "type": "query", - "version": 3 + "version": 5 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "min_stack_version": "8.3", @@ -5769,9 +5776,9 @@ } }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "83d4da9cb153ddbf63e9d180a6f581c16db23d16b1f8d457e680f84498386dd3", + "sha256": "8d5dd848650d0aa7e36c11cb01d8832928c0dc44d91d010b25bc66eb8e0caa76", "type": "query", - "version": 103 + "version": 104 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.3", @@ -6588,7 +6595,7 @@ "rule_name": "Google Workspace Admin Role Deletion", "sha256": "7b6697a97cdf6019e2920baed1a4b6396b33c1f4589dc81aab2539b378a9cdd9", "type": "query", - "version": 102 + "version": 104 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "min_stack_version": "8.3", @@ -6611,7 +6618,7 @@ "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "c316a06037035aae30e827897a80b0b965715ee7b63e7e6b1863c59d617d1292", "type": "query", - "version": 3 + "version": 5 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.3", @@ -6641,9 +6648,9 @@ } }, "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "a361b95af4c8021091d89dc9a338520d4b43e6423cb8d0df588ad670d16955ad", + "sha256": "6e6d3db2b74e72a7814e88a22790a69b7bad458685f57587be4f172643d4f0f7", "type": "query", - "version": 103 + "version": 104 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", @@ -7049,7 +7056,7 @@ "rule_name": "Google Workspace User Group Access Modified to Allow External Access", "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", "type": "query", - "version": 3 + "version": 5 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { "rule_name": "Trusted Developer Application Usage", @@ -7373,7 +7380,7 @@ "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "sha256": "ebe6d8d11a370fe917eae7f3b885397f87978a7afb50ab4626fdb93bd08ef4f1", "type": "query", - "version": 3 + "version": 5 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", @@ -7575,7 +7582,7 @@ "rule_name": "Google Workspace Password Policy Modified", "sha256": "d24e6279427b06647bf3fd06e31435ede2a5935b00f6d945edc95bb76184920f", "type": "query", - "version": 102 + "version": 104 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.3", @@ -7717,9 +7724,9 @@ } }, "rule_name": "Suspicious WerFault Child Process", - "sha256": "789f1a87e9509a8349805cf16c8fd134c08e9bd3105f7071f23d7bde6ccd3d06", + "sha256": "23935934e5f6286a952467374de45be57eaf2f087a3a5d7173ca4dd442eab89a", "type": "eql", - "version": 103 + "version": 104 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.3", @@ -7749,9 +7756,9 @@ } }, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "d725f48824504ebcff898cc7a18afb3909944fe43308737abf93e1ea5df258fd", + "sha256": "0c8d4a72c696e4332bfa9e13eb0dbd1124b52d8b7d0539a2ef5acffbd89393b6", "type": "query", - "version": 103 + "version": 104 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "min_stack_version": "8.3", @@ -7774,7 +7781,7 @@ "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "sha256": "a053c9d367e47803d813b89bafecf8c714193d46da3a2ec7eadea82da11342cc", "type": "query", - "version": 102 + "version": 104 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "min_stack_version": "8.3", @@ -7867,7 +7874,7 @@ "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "3c372d8580234e86ab7782b92f0f70b058b1cb50f36a7f7a9e6a90d83124659a", "type": "query", - "version": 102 + "version": 104 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.3", @@ -7881,9 +7888,9 @@ } }, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "fef8bce965a84d33e4643b75262aa8da05a0edd85836287ebc090895c94d2246", + "sha256": "f657373af800c74ccef1ecd06cc71ed81e019056eb98a34716f2226c6016582e", "type": "query", - "version": 103 + "version": 104 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", @@ -8294,9 +8301,9 @@ "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "min_stack_version": "8.3", "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", - "sha256": "02f6fe3d4d2515b002c8108cdcc4be44a4379be8edb2d52bfc6f36a6dc956eae", + "sha256": "c0cab21b20611d9b1a263e9298c27e29fb538f6289afccfb13bb814958052974", "type": "threshold", - "version": 2 + "version": 3 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.3", @@ -8541,9 +8548,9 @@ } }, "rule_name": "PowerShell Keylogging Script", - "sha256": "03ce6493c19d1a809851b4007f1eac51dc3cb71a800286ceccb48c38d35002d7", + "sha256": "cf831ea0e6e09584f2304383208a6412f6948628b50083815985e0281224fda7", "type": "query", - "version": 103 + "version": 104 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.3", @@ -9247,7 +9254,7 @@ "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "34e19b874f33327105443e1ceee3593b9bcb1b30eb30f5795bf9102bb91339c1", "type": "query", - "version": 105 + "version": 107 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "min_stack_version": "8.3", @@ -9292,7 +9299,7 @@ "rule_name": "Google Workspace User Organizational Unit Changed", "sha256": "d60b7181cd6749f1c0bad9cba1e5b7729a705db850228a659eec5f107737a162", "type": "query", - "version": 3 + "version": 5 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "min_stack_version": "8.3", @@ -9481,7 +9488,7 @@ "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "d78af46dd84eb3d641be256da5b6c0645335b47293787741d08ae3dc07ff0ed5", "type": "query", - "version": 102 + "version": 104 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "min_stack_version": "8.3", @@ -10333,9 +10340,9 @@ } }, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "b7d9a84b34f7f5c23cdf325de8e97c6d1f72f685f26b659e435f33c59a6153ff", + "sha256": "df2b42656b315cd8e12e0096dabeb608860871497071ca47c3a8d6fe12739c68", "type": "query", - "version": 103 + "version": 104 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "min_stack_version": "8.3", @@ -10534,7 +10541,7 @@ "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "374a8185c7f83236836608b1bd1b4aa5ea94dfbb014a9ecbc59316b18f977a26", "type": "query", - "version": 102 + "version": 104 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", @@ -10838,9 +10845,9 @@ } }, "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "e2884c04f54ee6d27c4563c9199517c6ad5f56733dc0b0fc51a4cebb6602706e", + "sha256": "61731234033af30d76cb16b67695025f656a28ab6010571fc3eaa82657bcb16e", "type": "query", - "version": 103 + "version": 104 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "min_stack_version": "8.3",