Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6

detection_rules/etc/version.lock.json

@@ -338,7 +338,7 @@
     "rule_name": "Google Drive Ownership Transferred via Google Workspace",
     "sha256": "98600fe4b1c0c882bb99021122279f31ce5cdd2266abf34b56bab33f0cb7f190",
     "type": "query",
-    "version": 3
+    "version": 5
   },
   "080bc66a-5d56-4d1f-8071-817671716db9": {
     "min_stack_version": "8.3",
@@ -547,9 +547,9 @@
   "0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
     "min_stack_version": "8.3",
     "rule_name": "Multiple Alerts Involving a User",
-    "sha256": "370e2374f3b2571a3f3119c682a5be649e235d1846b8eec75e7ba4705aac4263",
+    "sha256": "8d4c07265bf4bd3c24f522e31ba75c8a38f0b8d8b41064fcc50c4dcf0e4e168f",
     "type": "threshold",
-    "version": 1
+    "version": 2
   },
   "0d69150b-96f8-467c-a86d-a67a3378ce77": {
     "min_stack_version": "8.3",
@@ -764,9 +764,9 @@
   "11dd9713-0ec6-4110-9707-32daae1ee68c": {
     "min_stack_version": "8.3",
     "rule_name": "PowerShell Script with Token Impersonation Capabilities",
-    "sha256": "571c3c9a9e52d72036dcd37ff012814d9bd65cb35c013e9a5ad0a9cb270ae47b",
+    "sha256": "0f8e7d4c05e2aa942a177e9e8522674ba38bc37003575e007b6ec8cbaa5c3a49",
     "type": "query",
-    "version": 2
+    "version": 3
   },
   "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
     "min_stack_version": "8.3",
@@ -2184,9 +2184,9 @@
       }
     },
     "rule_name": "Potential Process Injection via PowerShell",
-    "sha256": "af6f4fb1b2ee6c896750bdd4d73df591989f45ce9e13a9c949f7d8919f5a7fb6",
+    "sha256": "8c6f27c7e2b39957500b3f0d690080088b823c905b6f202e1b1b0de855c8553f",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "2e580225-2a58-48ef-938b-572933be06fe": {
     "min_stack_version": "8.3",
@@ -2248,9 +2248,9 @@
       }
     },
     "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
-    "sha256": "701e6b024ca7be633acff2c87983ac3cb5f4a1ffcb7f16ff249fcab653225f5d",
+    "sha256": "7116ad8f42568440dcb1c9bc6b196885c1878eea0730ad2d2b0b7825393a398b",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "2f8a1226-5720-437d-9c20-e0029deb6194": {
     "min_stack_version": "8.3",
@@ -3379,7 +3379,7 @@
     "rule_name": "Application Removed from Blocklist in Google Workspace",
     "sha256": "1425ad887371020ed16a18072658404fa91af9a56fbbdc316e44823c9370d614",
     "type": "query",
-    "version": 3
+    "version": 5
   },
   "4a4e23cf-78a2-449c-bac3-701924c269d3": {
     "min_stack_version": "8.3",
@@ -3432,9 +3432,9 @@
   "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
     "min_stack_version": "8.3",
     "rule_name": "PowerShell Share Enumeration Script",
-    "sha256": "0d9859995c28fa581240cc5695b8aa93e8f7c2595ec329b3422380c3d25fa676",
+    "sha256": "74c65a7829bcc251f06c98c0d4f413e59c86158ee47f518c8c9b158a3166ef82",
     "type": "query",
-    "version": 3
+    "version": 4
   },
   "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
     "min_stack_version": "8.3",
@@ -3782,6 +3782,13 @@
     "type": "eql",
     "version": 101
   },
+  "54a81f68-5f2a-421e-8eed-f888278bb712": {
+    "min_stack_version": "8.3",
+    "rule_name": "Exchange Mailbox Export via PowerShell",
+    "sha256": "a48a9cbb679372bd144a77cbe76de0fbd8975e021e3052cbc9a8b7b217712c04",
+    "type": "query",
+    "version": 1
+  },
   "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
     "min_stack_version": "8.3",
     "previous": {
@@ -3906,9 +3913,9 @@
       }
     },
     "rule_name": "PowerShell PSReflect Script",
-    "sha256": "091b0bb0507a9ca860cb1eab4a5b50c137b839deb2ce342decf68176ab91b4c6",
+    "sha256": "11eb65e63a95ed292472ba5a64844f98470b90ed7eaef8847ba571ec81dffaa1",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "5700cb81-df44-46aa-a5d7-337798f53eb8": {
     "min_stack_version": "8.3",
@@ -3970,9 +3977,9 @@
       }
     },
     "rule_name": "PowerShell MiniDump Script",
-    "sha256": "58816e1e395d2b3dd424fe52412a8e0c6f41b45ac111e2135e28291a443f1ecb",
+    "sha256": "efa8737d826a936ed57d1404ea8b8ea907281530808f0add72c400af16dc720d",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "581add16-df76-42bb-af8e-c979bfb39a59": {
     "min_stack_version": "8.3",
@@ -4306,7 +4313,7 @@
     "rule_name": "Google Workspace 2SV Policy Disabled",
     "sha256": "a5a33cf12e70b976a8a202090de8c4e819f48cfb96c7be5ca799a3cd710da520",
     "type": "query",
-    "version": 3
+    "version": 5
   },
   "5e552599-ddec-4e14-bad1-28aa42404388": {
     "min_stack_version": "8.3",
@@ -4406,9 +4413,9 @@
       }
     },
     "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
-    "sha256": "5e289255b3744f6c6d02f444ed0e5b133a67e62aed318d241d24a1fd7db26417",
+    "sha256": "40e4e50e213f12414a720dbad1084ac9c5c66f7327c57db4a0983cd0f76293aa",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "61c31c14-507f-4627-8c31-072556b89a9c": {
     "rule_name": "Mknod Process Activity",
@@ -4794,7 +4801,7 @@
     "rule_name": "Google Workspace Admin Role Assigned to a User",
     "sha256": "900e09e88ba2b9b8a350387557983bccad76402efaa5f254d620c7a35f2dc7e7",
     "type": "query",
-    "version": 103
+    "version": 105
   },
   "689b9d57-e4d5-4357-ad17-9c334609d79a": {
     "min_stack_version": "8.3",
@@ -4927,9 +4934,9 @@
       }
     },
     "rule_name": "Exporting Exchange Mailbox via PowerShell",
-    "sha256": "66727f73174ac2f2c261e172136cf6c6fb2cb140f447a85b4f37da5356af8d64",
+    "sha256": "c67ead923f191802c3f4b9ac87ce88c947bd2556188ad794e916a19872202460",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
     "min_stack_version": "8.3",
@@ -5108,7 +5115,7 @@
     "rule_name": "Google Workspace Role Modified",
     "sha256": "ecaaefd4c78cf905024b3584372e31dd778a12b5a3a53cbc478adf8099648e69",
     "type": "query",
-    "version": 102
+    "version": 104
   },
   "6f683345-bb10-47a7-86a7-71e9c24fb358": {
     "rule_name": "Linux Restricted Shell Breakout via the find command",
@@ -5516,7 +5523,7 @@
     "rule_name": "Application Added to Google Workspace Domain",
     "sha256": "ea4f94ba987a5d1684dd0f0d8c07ad19ab402403f98ab0c3f6c90db032a9a1e4",
     "type": "query",
-    "version": 102
+    "version": 104
   },
   "7882cebf-6cf1-4de3-9662-213aa13e8b80": {
     "min_stack_version": "8.3",
@@ -5663,7 +5670,7 @@
     "rule_name": "Google Workspace Bitlocker Setting Disabled",
     "sha256": "93dc8b13643b49a519faaa37a39d18e52b52eff11913929d9063bf0040ad8880",
     "type": "query",
-    "version": 3
+    "version": 5
   },
   "7ceb2216-47dd-4e64-9433-cddc99727623": {
     "min_stack_version": "8.3",
@@ -5769,9 +5776,9 @@
       }
     },
     "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
-    "sha256": "83d4da9cb153ddbf63e9d180a6f581c16db23d16b1f8d457e680f84498386dd3",
+    "sha256": "8d5dd848650d0aa7e36c11cb01d8832928c0dc44d91d010b25bc66eb8e0caa76",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
     "min_stack_version": "8.3",
@@ -6588,7 +6595,7 @@
     "rule_name": "Google Workspace Admin Role Deletion",
     "sha256": "7b6697a97cdf6019e2920baed1a4b6396b33c1f4589dc81aab2539b378a9cdd9",
     "type": "query",
-    "version": 102
+    "version": 104
   },
   "93f47b6f-5728-4004-ba00-625083b3dcb0": {
     "min_stack_version": "8.3",
@@ -6611,7 +6618,7 @@
     "rule_name": "Google Workspace Custom Gmail Route Created or Modified",
     "sha256": "c316a06037035aae30e827897a80b0b965715ee7b63e7e6b1863c59d617d1292",
     "type": "query",
-    "version": 3
+    "version": 5
   },
   "954ee7c8-5437-49ae-b2d6-2960883898e9": {
     "min_stack_version": "8.3",
@@ -6641,9 +6648,9 @@
       }
     },
     "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
-    "sha256": "a361b95af4c8021091d89dc9a338520d4b43e6423cb8d0df588ad670d16955ad",
+    "sha256": "6e6d3db2b74e72a7814e88a22790a69b7bad458685f57587be4f172643d4f0f7",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "968ccab9-da51-4a87-9ce2-d3c9782fd759": {
     "min_stack_version": "8.3",
@@ -7049,7 +7056,7 @@
     "rule_name": "Google Workspace User Group Access Modified to Allow External Access",
     "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
     "type": "query",
-    "version": 3
+    "version": 5
   },
   "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
     "rule_name": "Trusted Developer Application Usage",
@@ -7373,7 +7380,7 @@
     "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
     "sha256": "ebe6d8d11a370fe917eae7f3b885397f87978a7afb50ab4626fdb93bd08ef4f1",
     "type": "query",
-    "version": 3
+    "version": 5
   },
   "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
     "min_stack_version": "8.3",
@@ -7575,7 +7582,7 @@
     "rule_name": "Google Workspace Password Policy Modified",
     "sha256": "d24e6279427b06647bf3fd06e31435ede2a5935b00f6d945edc95bb76184920f",
     "type": "query",
-    "version": 102
+    "version": 104
   },
   "a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
     "min_stack_version": "8.3",
@@ -7717,9 +7724,9 @@
       }
     },
     "rule_name": "Suspicious WerFault Child Process",
-    "sha256": "789f1a87e9509a8349805cf16c8fd134c08e9bd3105f7071f23d7bde6ccd3d06",
+    "sha256": "23935934e5f6286a952467374de45be57eaf2f087a3a5d7173ca4dd442eab89a",
     "type": "eql",
-    "version": 103
+    "version": 104
   },
   "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
     "min_stack_version": "8.3",
@@ -7749,9 +7756,9 @@
       }
     },
     "rule_name": "Potential Invoke-Mimikatz PowerShell Script",
-    "sha256": "d725f48824504ebcff898cc7a18afb3909944fe43308737abf93e1ea5df258fd",
+    "sha256": "0c8d4a72c696e4332bfa9e13eb0dbd1124b52d8b7d0539a2ef5acffbd89393b6",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
     "min_stack_version": "8.3",
@@ -7774,7 +7781,7 @@
     "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
     "sha256": "a053c9d367e47803d813b89bafecf8c714193d46da3a2ec7eadea82da11342cc",
     "type": "query",
-    "version": 102
+    "version": 104
   },
   "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
     "min_stack_version": "8.3",
@@ -7867,7 +7874,7 @@
     "rule_name": "Google Workspace Custom Admin Role Created",
     "sha256": "3c372d8580234e86ab7782b92f0f70b058b1cb50f36a7f7a9e6a90d83124659a",
     "type": "query",
-    "version": 102
+    "version": 104
   },
   "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
     "min_stack_version": "8.3",
@@ -7881,9 +7888,9 @@
       }
     },
     "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
-    "sha256": "fef8bce965a84d33e4643b75262aa8da05a0edd85836287ebc090895c94d2246",
+    "sha256": "f657373af800c74ccef1ecd06cc71ed81e019056eb98a34716f2226c6016582e",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "ad88231f-e2ab-491c-8fc6-64746da26cfe": {
     "min_stack_version": "8.3",
@@ -8294,9 +8301,9 @@
   "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
     "min_stack_version": "8.3",
     "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
-    "sha256": "02f6fe3d4d2515b002c8108cdcc4be44a4379be8edb2d52bfc6f36a6dc956eae",
+    "sha256": "c0cab21b20611d9b1a263e9298c27e29fb538f6289afccfb13bb814958052974",
     "type": "threshold",
-    "version": 2
+    "version": 3
   },
   "b9554892-5e0e-424b-83a0-5aef95aa43bf": {
     "min_stack_version": "8.3",
@@ -8541,9 +8548,9 @@
       }
     },
     "rule_name": "PowerShell Keylogging Script",
-    "sha256": "03ce6493c19d1a809851b4007f1eac51dc3cb71a800286ceccb48c38d35002d7",
+    "sha256": "cf831ea0e6e09584f2304383208a6412f6948628b50083815985e0281224fda7",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "bd7eefee-f671-494e-98df-f01daf9e5f17": {
     "min_stack_version": "8.3",
@@ -9247,7 +9254,7 @@
     "rule_name": "Google Workspace MFA Enforcement Disabled",
     "sha256": "34e19b874f33327105443e1ceee3593b9bcb1b30eb30f5795bf9102bb91339c1",
     "type": "query",
-    "version": 105
+    "version": 107
   },
   "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
     "min_stack_version": "8.3",
@@ -9292,7 +9299,7 @@
     "rule_name": "Google Workspace User Organizational Unit Changed",
     "sha256": "d60b7181cd6749f1c0bad9cba1e5b7729a705db850228a659eec5f107737a162",
     "type": "query",
-    "version": 3
+    "version": 5
   },
   "cc89312d-6f47-48e4-a87c-4977bd4633c3": {
     "min_stack_version": "8.3",
@@ -9481,7 +9488,7 @@
     "rule_name": "Domain Added to Google Workspace Trusted Domains",
     "sha256": "d78af46dd84eb3d641be256da5b6c0645335b47293787741d08ae3dc07ff0ed5",
     "type": "query",
-    "version": 102
+    "version": 104
   },
   "cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
     "min_stack_version": "8.3",
@@ -10333,9 +10340,9 @@
       }
     },
     "rule_name": "Suspicious .NET Reflection via PowerShell",
-    "sha256": "b7d9a84b34f7f5c23cdf325de8e97c6d1f72f685f26b659e435f33c59a6153ff",
+    "sha256": "df2b42656b315cd8e12e0096dabeb608860871497071ca47c3a8d6fe12739c68",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
     "min_stack_version": "8.3",
@@ -10534,7 +10541,7 @@
     "rule_name": "MFA Disabled for Google Workspace Organization",
     "sha256": "374a8185c7f83236836608b1bd1b4aa5ea94dfbb014a9ecbc59316b18f977a26",
     "type": "query",
-    "version": 102
+    "version": 104
   },
   "e56993d2-759c-4120-984c-9ec9bb940fd5": {
     "rule_name": "RDP (Remote Desktop Protocol) to the Internet",
@@ -10838,9 +10845,9 @@
       }
     },
     "rule_name": "PowerShell Kerberos Ticket Request",
-    "sha256": "e2884c04f54ee6d27c4563c9199517c6ad5f56733dc0b0fc51a4cebb6602706e",
+    "sha256": "61731234033af30d76cb16b67695025f656a28ab6010571fc3eaa82657bcb16e",
     "type": "query",
-    "version": 103
+    "version": 104
   },
   "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
     "min_stack_version": "8.3",