nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (123) hide show
  1. nldcsc_elastic_rules/__init__.py +1 -1
  2. nldcsc_elastic_rules/rules/{linux → cross-platform}/command_and_control_curl_wget_spawn_via_nodejs_parent.toml +32 -11
  3. nldcsc_elastic_rules/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml +134 -0
  4. nldcsc_elastic_rules/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml +128 -0
  5. nldcsc_elastic_rules/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml +154 -0
  6. nldcsc_elastic_rules/rules/cross-platform/credential_access_gitleaks_execution.toml +114 -0
  7. nldcsc_elastic_rules/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml +198 -0
  8. nldcsc_elastic_rules/rules/cross-platform/credential_access_trufflehog_execution.toml +24 -5
  9. nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_config_modification.toml +120 -0
  10. nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml +158 -0
  11. nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml +172 -0
  12. nldcsc_elastic_rules/rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml +98 -0
  13. nldcsc_elastic_rules/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml +172 -0
  14. nldcsc_elastic_rules/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml +133 -0
  15. nldcsc_elastic_rules/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml +250 -0
  16. nldcsc_elastic_rules/rules/{linux/persistence_nodejs_pre_or_post_install_script_execution.toml → cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml} +40 -24
  17. nldcsc_elastic_rules/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml +146 -0
  18. nldcsc_elastic_rules/rules/cross-platform/execution_register_github_actions_runner.toml +126 -0
  19. nldcsc_elastic_rules/rules/cross-platform/execution_via_github_actions_runner.toml +130 -0
  20. nldcsc_elastic_rules/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml +163 -0
  21. nldcsc_elastic_rules/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml +130 -0
  22. nldcsc_elastic_rules/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml +145 -0
  23. nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml +4 -1
  24. nldcsc_elastic_rules/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +3 -4
  25. nldcsc_elastic_rules/rules/cross-platform/persistence_web_server_potential_command_injection.toml +23 -25
  26. nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml +13 -14
  27. nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml +8 -5
  28. nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml +12 -12
  29. nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +37 -43
  30. nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_rds_instance_restored.toml +137 -45
  31. nldcsc_elastic_rules/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml +152 -0
  32. nldcsc_elastic_rules/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml +242 -0
  33. nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +141 -33
  34. nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml +108 -30
  35. nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml +2 -1
  36. nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml +114 -27
  37. nldcsc_elastic_rules/rules/integrations/aws/impact_efs_filesystem_deleted.toml +174 -0
  38. nldcsc_elastic_rules/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml +111 -33
  39. nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml +129 -43
  40. nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml +89 -27
  41. nldcsc_elastic_rules/rules/integrations/aws/impact_rds_snapshot_deleted.toml +127 -37
  42. nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml +160 -43
  43. nldcsc_elastic_rules/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml +20 -10
  44. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +35 -1
  45. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml +59 -1
  46. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +19 -1
  47. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +19 -1
  48. nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +58 -1
  49. nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +109 -35
  50. nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_made_public.toml +103 -22
  51. nldcsc_elastic_rules/rules/integrations/aws/persistence_redshift_instance_creation.toml +3 -3
  52. nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml +126 -69
  53. nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml +134 -0
  54. nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml +2 -2
  55. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_event_failures.toml +124 -0
  56. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_event_failures.toml +148 -0
  57. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_city.toml +109 -0
  58. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_country.toml +108 -0
  59. nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_user.toml +147 -0
  60. nldcsc_elastic_rules/rules/integrations/fim/persistence_suspicious_file_modifications.toml +9 -1
  61. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_error_message_spike.toml +95 -0
  62. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_error_code.toml +118 -0
  63. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml +79 -0
  64. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml +79 -0
  65. nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml +117 -0
  66. nldcsc_elastic_rules/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml +92 -0
  67. nldcsc_elastic_rules/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +24 -14
  68. nldcsc_elastic_rules/rules/linux/defense_evasion_file_deletion_via_shred.toml +12 -5
  69. nldcsc_elastic_rules/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml +150 -0
  70. nldcsc_elastic_rules/rules/linux/persistence_at_job_creation.toml +4 -4
  71. nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation.toml +12 -7
  72. nldcsc_elastic_rules/rules/linux/persistence_pth_file_creation.toml +6 -1
  73. nldcsc_elastic_rules/rules/linux/persistence_site_and_user_customize_file_creation.toml +6 -1
  74. nldcsc_elastic_rules/rules/linux/persistence_web_server_unusual_command_execution.toml +155 -0
  75. nldcsc_elastic_rules/rules/ml/ml_high_count_events_for_a_host_name.toml +58 -1
  76. nldcsc_elastic_rules/rules/ml/ml_high_count_network_denies.toml +71 -1
  77. nldcsc_elastic_rules/rules/ml/ml_high_count_network_events.toml +53 -1
  78. nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_activity.toml +56 -1
  79. nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_port_activity.toml +40 -1
  80. nldcsc_elastic_rules/rules/ml/ml_low_count_events_for_a_host_name.toml +27 -1
  81. nldcsc_elastic_rules/rules/ml/ml_packetbeat_rare_server_domain.toml +63 -1
  82. nldcsc_elastic_rules/rules/ml/ml_rare_destination_country.toml +68 -1
  83. nldcsc_elastic_rules/rules/ml/ml_spike_in_traffic_to_a_country.toml +53 -1
  84. nldcsc_elastic_rules/rules/ml/ml_windows_anomalous_network_activity.toml +56 -1
  85. nldcsc_elastic_rules/rules/network/initial_access_react_server_components_rce_attempt.toml +123 -0
  86. nldcsc_elastic_rules/rules/promotions/external_alerts.toml +2 -2
  87. nldcsc_elastic_rules/rules/windows/command_and_control_common_webservices.toml +4 -3
  88. nldcsc_elastic_rules/rules/windows/credential_access_rare_webdav_destination.toml +3 -4
  89. nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_svchost.toml +11 -8
  90. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation.toml +25 -2
  91. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +2 -3
  92. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +2 -3
  93. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +2 -3
  94. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +2 -3
  95. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +2 -3
  96. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +2 -3
  97. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +2 -3
  98. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml +2 -3
  99. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +2 -3
  100. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +2 -3
  101. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +2 -3
  102. nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml +2 -3
  103. nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_filesystem.toml +13 -10
  104. nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_functions.toml +3 -2
  105. nldcsc_elastic_rules/rules/windows/execution_suspicious_powershell_imgload.toml +7 -2
  106. nldcsc_elastic_rules/rules/windows/execution_windows_powershell_susp_args.toml +9 -2
  107. nldcsc_elastic_rules/rules/windows/impact_mod_critical_os_files.toml +16 -6
  108. nldcsc_elastic_rules/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml +7 -2
  109. nldcsc_elastic_rules/rules/windows/lateral_movement_scheduled_task_target.toml +2 -2
  110. nldcsc_elastic_rules/rules/windows/persistence_browser_extension_install.toml +19 -2
  111. nldcsc_elastic_rules/rules/windows/persistence_msi_installer_task_startup.toml +50 -13
  112. nldcsc_elastic_rules/rules/windows/persistence_via_application_shimming.toml +12 -2
  113. nldcsc_elastic_rules/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +24 -18
  114. nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +14 -2
  115. nldcsc_elastic_rules/rules/windows/privilege_escalation_via_ppid_spoofing.toml +3 -2
  116. {nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/METADATA +1 -1
  117. {nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/RECORD +119 -87
  118. nldcsc_elastic_rules/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +0 -105
  119. nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml +0 -135
  120. nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml +0 -155
  121. nldcsc_elastic_rules/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml +0 -95
  122. {nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/WHEEL +0 -0
  123. {nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/top_level.txt +0 -0
{nldcsc_elastic_rules-0.0.8.dist-info → nldcsc_elastic_rules-0.0.16.dist-info}/RECORD RENAMED
@@ -1,4 +1,4 @@
1
- nldcsc_elastic_rules/__init__.py,sha256=Q1e_hA0UWS0saeVTTT-JK4LFhAr5dFoDZ-VfeqaeRts,26
1
+ nldcsc_elastic_rules/__init__.py,sha256=kCZE74vRM5zi-pbvkfNWpOViAk-oSiYqqlYnSALkfr0,26
2
2
  nldcsc_elastic_rules/utils.py,sha256=ARrzmx6IIGjhxOXngl9X-vfbVFMFA-CrLlfUsIM5O0U,148
3
3
  nldcsc_elastic_rules/rules/README.md,sha256=74MF8KLotXS4bnoVVlsWqrFsJcimUd0OJ-_hfg0SfPQ,2862
4
4
  nldcsc_elastic_rules/rules/_deprecated/apm_null_user_agent.toml,sha256=P1Ob5RxPCMFTR8Z_fRaFpfLNgZmJekBbg1ihzeuHpeY,1466
@@ -104,58 +104,77 @@ nldcsc_elastic_rules/rules/_deprecated/threat_intel_fleet_integrations.toml,sha2
104
104
  nldcsc_elastic_rules/rules/apm/apm_403_response_to_a_post.toml,sha256=ZIpSHsNs0SlFDVlHmZPQIPMXnPPCeMzrN7-o-a5k5r4,5258
105
105
  nldcsc_elastic_rules/rules/apm/apm_405_response_method_not_allowed.toml,sha256=2g1rszIMgvs0Zaf0WBQxJbW_yoqr2putP8tDyC7ZJV4,5248
106
106
  nldcsc_elastic_rules/rules/apm/apm_sqlmap_user_agent.toml,sha256=jmZAnk7gHPZLC8ZxxDhtE3pRhAszY5Oy3_RvgewE5xI,4897
107
+ nldcsc_elastic_rules/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml,sha256=Q-3XDTh72LH_kueFoczaA6l03af9ZYPAGe_udVKB5mg,8231
108
+ nldcsc_elastic_rules/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml,sha256=BJkGwmylXCaOE_IajW-hC_V5XydIpibj2OeSjFvqsy4,6143
109
+ nldcsc_elastic_rules/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml,sha256=BcddfK6qmaRoXDJOYs-KkhajgUmhaFrMZVIiGi8YdGg,6544
107
110
  nldcsc_elastic_rules/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml,sha256=Go2LKCxIwI44xq5HVTFMsETaqkvxKt2qA6Vo-F4UDvI,6344
108
111
  nldcsc_elastic_rules/rules/cross-platform/command_and_control_non_standard_ssh_port.toml,sha256=3_DX-8CDapGSHHEcypgTTMeNGzJVp138ovapx_nnrsA,6645
109
112
  nldcsc_elastic_rules/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml,sha256=tItB8IUVDZBpAT1GAN0J_aCs9gI5FCMgJO8Twqeohf0,3069
110
113
  nldcsc_elastic_rules/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml,sha256=VLHwr8P3I196NlRDjCKUSFl83fQoeaQi2LEWNuqu9Ko,3492
111
114
  nldcsc_elastic_rules/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml,sha256=wo0aI10tqeIBUOhqFjh0pIfjx21t41haiEXlt6BheZ0,6875
112
115
  nldcsc_elastic_rules/rules/cross-platform/credential_access_forced_authentication_pipes.toml,sha256=IHaB480daLcQF6SdhYVjgnUlD_j1oYeY4WhBg9htTRw,6553
113
- nldcsc_elastic_rules/rules/cross-platform/credential_access_trufflehog_execution.toml,sha256=LF0l3Xdr880z5DGlxMvY4CQHUOqrcXF6Nb9PmNLjip8,6135
116
+ nldcsc_elastic_rules/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml,sha256=o_RG5VB-yRynHi7zRM0WhqBuyPvGu473Wdt7AD8JK_Y,6204
117
+ nldcsc_elastic_rules/rules/cross-platform/credential_access_gitleaks_execution.toml,sha256=E-7bCwtmpT8HN8WPGr_OL8O7fqtijFB9awu35P4E2xc,6659
118
+ nldcsc_elastic_rules/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml,sha256=vVbec2nmLAYMWORKZ4yJIxYEsRkOBWfo73ZBwwXYQMQ,9545
119
+ nldcsc_elastic_rules/rules/cross-platform/credential_access_trufflehog_execution.toml,sha256=lOCdqIIlh7NRHKkfvxHr5crUM4q59aV9OgC9rSckiZQ,6802
114
120
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml,sha256=8By1JMm0oxNhJMVv-YvqlUUJAl4fFspoOkWc7dOeL08,5663
115
121
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml,sha256=v4b-B5_CfJmhEuMDcvMKsiS-oDrB6R3FFHhvJi1xByg,5444
116
122
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml,sha256=I7kDvpYce1Z8NL05OFP9CRr4CtzG6ts5fUh0ZdbM1po,5726
117
123
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml,sha256=xuPv4W02Mph4pmTNa1hHJI-M2hEqwW-cf8ENTS7Uyrk,7025
118
124
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml,sha256=Fy-VPOKg7wZcyfwryXSFMkPdsBCLnwqk2t76qrxinEE,7603
119
125
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml,sha256=NtNYmX0maYCnSuDFgzqK3ZpKsUleH2X7i5yKS41rmLs,5738
126
+ nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_config_modification.toml,sha256=cn4uUKWh5WwCQmFdEbPZtQhaZnUiI_I_S2CcPMqNx5g,5411
127
+ nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml,sha256=fQuYQh-ZsEEd_-rhU9LjyJqIgE9Bfe2B32fGbDInBsU,6372
128
+ nldcsc_elastic_rules/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml,sha256=OHbyAIm_F6ToK5zRLLlhlKAz7vXRxK3LuMrEqoFXK7Y,7367
120
129
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml,sha256=kNlUelmrrAqnD2-N5LuQMUaF31PNavHRRWMpX3RDQvI,6548
130
+ nldcsc_elastic_rules/rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml,sha256=7_7EswnRl_hex6HYqweCzoaZW2xWpGyjQ1udyhgSb6g,5713
121
131
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_timestomp_touch.toml,sha256=gBETYl57StM1FBnQ5Gmq5aFYpggw98UfdXHd7JDdXYs,6282
122
132
  nldcsc_elastic_rules/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml,sha256=1lmsKs6XdJ-slajFLYnL2-bXFYGLvnlEzuBVJXTraWw,5670
123
133
  nldcsc_elastic_rules/rules/cross-platform/discovery_security_software_grep.toml,sha256=fHAyhS8GEZA3hcVxvw_IgRabtDcUf23zpdv5YwO3lj4,6071
124
134
  nldcsc_elastic_rules/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml,sha256=qlNGkyDHusBCazwgz2v_uXoibA_0aVp5G1n-bQW-FkM,6206
135
+ nldcsc_elastic_rules/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml,sha256=1v68rO8zqrBO_-VtA-pM_Ln6ZK6ZPsvLhi8L4AespoI,10462
136
+ nldcsc_elastic_rules/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml,sha256=D4fjrM-ctCZnGZlbHNnWBxUBs3n4IZ_qXkXIHQwwpMs,7636
137
+ nldcsc_elastic_rules/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml,sha256=gxBewFlj8u7LV6O85N0QUVSS-o9G7arcyKNFNmeX_bk,12107
125
138
  nldcsc_elastic_rules/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml,sha256=IZPl492ynOI3w89Uh0zBDVgSei_HIoh4UtGT5Y2sSqE,9419
126
139
  nldcsc_elastic_rules/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml,sha256=c-W_WRw-VMMIAc1lxc3n2Jib2oFMTZjMdzVub6pmzKw,6646
140
+ nldcsc_elastic_rules/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml,sha256=OnEnIYTptrKtir_Smx5RrkefAwAUy18MkXjUX9y7Ypg,5255
127
141
  nldcsc_elastic_rules/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml,sha256=s4VawGsT6CiQ0PuzLPFeJXJ-J7iS1JdIAlJE12SSnqM,5176
128
142
  nldcsc_elastic_rules/rules/cross-platform/execution_potential_widespread_malware_infection.toml,sha256=oi_7e1y0axyH7TUHobRHu4Xnfr-n4yuyM_dxx98vOqE,6100
143
+ nldcsc_elastic_rules/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml,sha256=CBAhMNFwboUAZGoLstOyaziJe-TNIQVzxwHQB06_WJY,9141
144
+ nldcsc_elastic_rules/rules/cross-platform/execution_register_github_actions_runner.toml,sha256=JtcKd6LS3jYqIHRqewQkg3kowGjhmzqE7HlSu8TNuQw,4670
129
145
  nldcsc_elastic_rules/rules/cross-platform/execution_revershell_via_shell_cmd.toml,sha256=gWaO0oJM9FUpvcGu8cqjzymHh3iPgs9m-Xjfz9sKflc,5050
130
146
  nldcsc_elastic_rules/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml,sha256=6VAeVUKS8iHw5TtWtSJOa45RRb7zQP8GdBxfu77fwZs,7037
147
+ nldcsc_elastic_rules/rules/cross-platform/execution_via_github_actions_runner.toml,sha256=rk4P0UJhizJAvFU5HHeMIS1N3wtXgpEldxDw9vhoEFw,5038
148
+ nldcsc_elastic_rules/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml,sha256=ZEF9z_NODjgmEItip2BpkooJ9gE_8rOlsJY1Z_Ay_Jk,10074
131
149
  nldcsc_elastic_rules/rules/cross-platform/guided_onboarding_sample_rule.toml,sha256=p1GJtIMLs7uK8ueRMlMk5OP-sjUstczOGzDeo-nXdpU,4364
132
150
  nldcsc_elastic_rules/rules/cross-platform/impact_hosts_file_modified.toml,sha256=pbQsZdl0HbwgBdhs8TKH0AketSeSGrtHeDRgrt7D8ng,6155
133
151
  nldcsc_elastic_rules/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml,sha256=QxBch-urFJa_M8mBylw_KuBt7p40A6DExV-DgUaBSiU,6817
152
+ nldcsc_elastic_rules/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml,sha256=L21SA9HJ_Obq_x_KkDJHBkpzhRWzdKPfnVx4yWogbY8,8825
134
153
  nldcsc_elastic_rules/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml,sha256=kGrG8Sn8eHRxpqVikaMpvH7lJ6F7n8rEHiaiiL5AZr4,6092
154
+ nldcsc_elastic_rules/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml,sha256=K0IPKIhb5kRwGYLfe6Yxq4N9MuqppOWvkMy2T1fgIXo,8870
135
155
  nldcsc_elastic_rules/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml,sha256=Cq9vuF3tyd_Uu2MvCBss_R48NrRBg3vZ5MiY0_rjwdA,5893
136
156
  nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_different_tactics_host.toml,sha256=YLMtF4Cn35gxcDuWZwXylLQ0a9qvAr2bkdKXFVqotQA,4899
137
157
  nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_edr_elastic_defend_by_host.toml,sha256=st7y6zZTVom0_tbTjVFe6RCYc8Vw9DTuUWVfwAHkzuI,6452
138
- nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml,sha256=OAJLTcNgFIIxdLFnP2nXMKfo0TAz72fai7fp0z6g3jY,6474
158
+ nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml,sha256=B7trzix2Ptfuz3ZTh4xtoqmSHiJoCpXpPgtYJZcMqus,6664
139
159
  nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml,sha256=_cnbuXg8X4kY8xq8LlEjC0T3dhw13SInhXB_SHmRw2k,4189
140
160
  nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_involving_user.toml,sha256=R_e4TuY_OuAnOg8njulV_E_b5UklfPEMLEz38Zmob38,5684
141
161
  nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_risky_host_esql.toml,sha256=ZzWOlUP78eoyDOEfLOwzo1CHDONNoII_BelLwyzlIRo,6830
142
- nldcsc_elastic_rules/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml,sha256=Mu6PiL0ona9s9IUmmhZCZJ-uz1PPtdqWc5jdDKVp72Y,7560
162
+ nldcsc_elastic_rules/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml,sha256=GvfD5a1EbBxBrUaCMgl4lMcvTroZr2Pskx35Px1AupA,7585
143
163
  nldcsc_elastic_rules/rules/cross-platform/persistence_shell_profile_modification.toml,sha256=8IVozmp2qkRLZx2tSNkhJ9Um5MxQyHJJvkQA6O0dYhs,6366
144
164
  nldcsc_elastic_rules/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml,sha256=2lajnfi6SDRrsgYBIYAg1aP6LTDMxoEBEqzwn20W0t0,6998
145
- nldcsc_elastic_rules/rules/cross-platform/persistence_web_server_potential_command_injection.toml,sha256=LrLUZCrGMv0pWkxHwyH0dBjREddYNSu9V_8NyuXamfY,12886
165
+ nldcsc_elastic_rules/rules/cross-platform/persistence_web_server_potential_command_injection.toml,sha256=38-wDVXItu_Z2fD3joam5w2bfFOtIdNjMoc0vFzzO94,13350
146
166
  nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml,sha256=a_IsO0G6AtUDVfX99o8bfZJ_HZKy1lzpvVfDnNRf8ng,5795
147
167
  nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml,sha256=cjzZu07IvTYj_uELIRHeezk37Maf_YDajZkMjBF7x_0,6615
148
168
  nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml,sha256=fRZeGQc-XCwHNzzVbCIDPlVxQaU8MupIH0b-2MAxKew,6292
149
169
  nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml,sha256=fTzelNHDFnODyBPm8AI1tuscKXABUqHPplcvX379wVA,5582
150
- nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml,sha256=_WAem94McY5zRjonuB8q1wkuEvLc4cXM1b4aHjnmDlE,6852
151
- nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml,sha256=fEVr0c2uw9_tNqCsglFgsv8mT1XR6BaPwjF37QNrUJc,6221
152
- nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml,sha256=4EWzpzh570MSAeIj9TIUhKInVpaMX7_76YUCiZiklqE,7019
153
- nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml,sha256=qj8qHNXOa-B4LKKTEQ8kE9rKZtn1-OVPVJkVsXkF-HQ,9353
170
+ nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml,sha256=hF8EcmhVv6VdsFYjYazZJm0lnANN9ijhgww6kiDfb4M,6729
171
+ nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml,sha256=aLOkJD3O9pyNmsTV54p6ssT77QxiFp_EbyP3A58q4zA,6321
172
+ nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml,sha256=ZkqS9obpaI6_I5HkipG07PDukGcabTlT9UEOjGEc-bQ,6875
173
+ nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml,sha256=l__fa7W4qeS75cTsK0l_Dx6WAH3sIfcux6d71Nsu4fc,9286
154
174
  nldcsc_elastic_rules/rules/integrations/aws/NOTICE.txt,sha256=J_TLlzy-3FynutCsreov6dyNdxzN0cayBHv4dv9HzbU,1307
155
175
  nldcsc_elastic_rules/rules/integrations/aws/collection_cloudtrail_logging_created.toml,sha256=RJP86WTPWoHmbKHwnGJClaA9JOj03xNMhyUIz_FAR3E,5318
156
176
  nldcsc_elastic_rules/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml,sha256=BtUlfFLgg-ZFKLxfdQn4wBB1LHcCfHfBhebFcdWawyQ,7928
157
177
  nldcsc_elastic_rules/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml,sha256=Zl483bumOX2jzaim3VBkhMcoJNR3UER6hzujvitdm4s,5986
158
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml,sha256=3x_lY9eJMuLbhNL_9Wf20VYqGQfazIupiakUEsnDvfU,5813
159
178
  nldcsc_elastic_rules/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml,sha256=Lplp3cPy4uYyYqhxRgLuvMqCWIxae7hjwRgDiPIh3LY,4866
160
179
  nldcsc_elastic_rules/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml,sha256=Dke3i6EVk9RQdQFYkmgaanKgcNphvdeQvk1iMNN-jQ4,5649
161
180
  nldcsc_elastic_rules/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml,sha256=GOWA-GRrdoKYF3Udgcrhha3NuTzp1s5ujToeETnn9Dg,7932
@@ -173,7 +192,7 @@ nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_ec2_network_acl_dele
173
192
  nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml,sha256=GWFDAiG6tOyAvQ1BSbSVI56xPfIEuNjoz5D8XfM_HRw,6844
174
193
  nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml,sha256=tmV2GPEMcL5p3uJwK89FvjlWwLD9ENXnL3xaJvvkbsY,6649
175
194
  nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml,sha256=JIINOKPZzNCjc8PakKandRp5uYhCwo-8PcGPxed4Y_Q,7347
176
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_rds_instance_restored.toml,sha256=lUPa8G7AeiBmivXnwkjo7yfwgCH0UZVCRvlombHFgVo,6998
195
+ nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_rds_instance_restored.toml,sha256=M9az6pAPc35THIL_bwNHKrY0nkZOtxdemp2RVy5RqaQ,9275
177
196
  nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml,sha256=JUKqj3LnC-QakpziQRgqSWmZKEFYy2Pr_SuTtuuBMN0,5278
178
197
  nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml,sha256=8pGC5ESemUKOP1Z8uw02LPnyIwLL2Lbltc0S_q0JufY,9296
179
198
  nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml,sha256=JNDaTM-Us7uqFRaghRwX4QQWnCDZxkueqTJdxv7rPWg,9452
@@ -184,9 +203,9 @@ nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_vpc_security_group_i
184
203
  nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml,sha256=TkoIXcSgrXGcyf9QoKX_jR_l9ZPkqoI5K3UyiDpFl0s,5863
185
204
  nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml,sha256=XzFBbUA37QpLCTqudpKehvyjaQBghhuvYMZRhOUAdr0,6109
186
205
  nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml,sha256=Pp0guprzdo4TOzDrPp8JaKAQ7oPyYeQMnpI0j6VEdOg,6206
187
- nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml,sha256=AmNxhpiM6q_pxttTXg8Qk87nGUQMNogHboogamWX0ZM,7295
188
- nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml,sha256=ard1d_HCx-z_4mMslbROYuPe7R0Nku5io6-9f8ToHbY,8119
189
206
  nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml,sha256=cK4vVEyZJcoQUf4kW2Cs25ruBbARH5DLFsqniSpFp3M,7032
207
+ nldcsc_elastic_rules/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml,sha256=fA1ubcEunGiB_V2xygfg6xeQNsPeOlv95Zg4TUK1-FQ,8363
208
+ nldcsc_elastic_rules/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml,sha256=etpuOZFenCVVyT-nml-IGgTBF2XaJeKbjZHZm6Ur3us,12018
190
209
  nldcsc_elastic_rules/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml,sha256=Sbjdn7tQpDly2NjPCnKwsY7NRe3pnWiqG5QIjc3DO_o,7145
191
210
  nldcsc_elastic_rules/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml,sha256=OGNblHLq3ztuIdMkn0Yg_juMnAnN1ZBa6mfVPnH9ktU,7740
192
211
  nldcsc_elastic_rules/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml,sha256=b8OGtmRNTTFzpqJCW4GtDi79Qpzle0lVsfY42JQXfag,5900
@@ -200,11 +219,11 @@ nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared
200
219
  nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_export_task.toml,sha256=QPJq_y1kHmqkp0wKq4KJ9USWEPbRhDEfQzCqDGhMpqM,7183
201
220
  nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml,sha256=99ippCgv0lT8A5NWK9PQz6wXocH0yvUSoH91ud9UyEw,8389
202
221
  nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml,sha256=I9QmIpHhmMSkzBh7ADvIY1Z2TwWGCrScNPYPj1c016k,5911
203
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_export.toml,sha256=aD3ifWgNQkZQBXMRK5J5-GRSACi4BsURnkWvs-uCY1Q,5575
204
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml,sha256=UVu61OyqBBMXd51YTpEFWQZx1MlpGNwluWBD2EaECHs,6436
205
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml,sha256=M_8H3WVPvQEGVuadwMDl14-0jZMX3mn3nv7GdwV_JIw,9944
222
+ nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_export.toml,sha256=8Y0bhhjjZvQx2MAzD-jYurzwSzsomx44o0AfLaDMwSU,8288
223
+ nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml,sha256=uNGiDOCJOxDj6JHk2Clvvy6WPNmSgh9XeyTER80WDAo,8326
224
+ nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml,sha256=O7yh2gFpzpZYCW4D-9LLjg2Ovoyv7dtC3_yV5QtNuJc,9979
206
225
  nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml,sha256=-xN6LZ2pQMa4qsZYfLYqnbRTks00pZPjCL434Fob6Ig,8974
207
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml,sha256=JhkcNos1KlBpjxxrbubI3i1fyQSADMjgc2qJPw2Pe2Q,5163
226
+ nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml,sha256=nVlFgE2Mc5zF_zEAJxhFkauaYh5UmLCjBStRXqHjG48,8158
208
227
  nldcsc_elastic_rules/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml,sha256=CBa6dItgrGD2M4P2stOobu-8kUsE8jMnYt0RDOfKqWI,7314
209
228
  nldcsc_elastic_rules/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml,sha256=TXfHWEchHOPgYzDUekxZV-4SKVhaGw1LnlaDXycJt9A,6153
210
229
  nldcsc_elastic_rules/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml,sha256=bdy-SzK7qyXUUtQMhPP7ca2dSK-nzUyc-9_xq0VhcC4,8137
@@ -213,23 +232,23 @@ nldcsc_elastic_rules/rules/integrations/aws/impact_cloudwatch_log_group_deletion
213
232
  nldcsc_elastic_rules/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml,sha256=jmA0sBoKwoObqs01MBgFLFSdEuR5oUXPmbOROTY3iGM,8091
214
233
  nldcsc_elastic_rules/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml,sha256=Ib4oGxt1WJNDahBBRE4w3U8n_SnXCS0Bxvq2VREabvM,9367
215
234
  nldcsc_elastic_rules/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml,sha256=tgDHWSD5StwsCA_JIG1IL7BaC59fbiFPQPTfCoTYulE,9383
216
- nldcsc_elastic_rules/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml,sha256=MP3L8aqJ8rRbVQt1hvS2nMMQEnTVx12d7g4uySsE78M,6057
235
+ nldcsc_elastic_rules/rules/integrations/aws/impact_efs_filesystem_deleted.toml,sha256=SVxW6J_o5-76Kk5LFN1_qTHoPxy5oWYqTaxwmARVmyA,8042
217
236
  nldcsc_elastic_rules/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml,sha256=PqP5VqX8332IKaLhGHibCdq72XMGHfLdokABRANU8rM,7608
218
237
  nldcsc_elastic_rules/rules/integrations/aws/impact_iam_group_deletion.toml,sha256=cplF2-JcadpDB6wZo4QT_g-_j4sqa1YtKPAgDYyjgXw,5207
219
- nldcsc_elastic_rules/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml,sha256=CVze6V_A-Zxj-PAULTL0M3GMrUb3qd7C_aOW4svy2W8,6334
238
+ nldcsc_elastic_rules/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml,sha256=ck3zwNWp1WfyBC-5ELLw1JRAZ8_asZO7Wq9phmVv2FE,8200
220
239
  nldcsc_elastic_rules/rules/integrations/aws/impact_rds_group_deletion.toml,sha256=IfRWDlv8ScLpUOlJNg7fn7-cH-Rre9fVAxuz_62LGM8,6096
221
- nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml,sha256=a2mTygEDNMZQeFxDGjl6I3a5ON_TjuiXWV_5ieKLRRo,6794
222
- nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml,sha256=eSptNB3U73QWHxFj6ZQeEo73UtDIS0c7qSbGA1TcXOQ,5824
240
+ nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml,sha256=ec1m15_N69yyfX7LSF752k7yntdGlJNMEzJPCOFwiV4,7594
241
+ nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml,sha256=jFFPkS8eQzhIHxvKQE6WhU0TwCMgZH3uEESGjUOw5kM,6792
223
242
  nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml,sha256=jH6bfF6gNhUDH6hTjeqMzA2D__MSv867zYGBPBAgQPU,6035
224
- nldcsc_elastic_rules/rules/integrations/aws/impact_rds_snapshot_deleted.toml,sha256=0TtTv7EqBNXf3CfzKUtskvOqYO_3HYU0I7BsepFRU5c,6045
243
+ nldcsc_elastic_rules/rules/integrations/aws/impact_rds_snapshot_deleted.toml,sha256=AiV_phjYL1mBDbbtxNQehlssKkV5p_ZRIogcGOgUJpc,9340
225
244
  nldcsc_elastic_rules/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml,sha256=C5cVMG25p-CNbJdsqn4qAJmIM5-yr1jd0nhfpYYDN68,10275
226
245
  nldcsc_elastic_rules/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml,sha256=ysmVfQghjRUK6-2GlTRduF_0uS24RPXhyX7xS1COYrg,5774
227
- nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml,sha256=PE54c96NMy8O2r66eFep6rFL08_MqtTAvI3I9rSEsEI,7731
246
+ nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml,sha256=vs_YwrtysmwzPIrYkTljmwC7OCTde-wDbpqHKbkbzS4,10671
228
247
  nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_versioning_disabled.toml,sha256=MTzBZImV6kF9v7c6H6SRzHEAZ7bDC4GmTmiCcBURb7w,8503
229
248
  nldcsc_elastic_rules/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml,sha256=kgmHccgJB8i7MmXQKVcNeZr9fyN_uYslIPHTYiWNCGQ,5740
230
249
  nldcsc_elastic_rules/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml,sha256=9BSFjpzMQC75RFXMZWO7KpaJL5_JglPayCx74SK1V_w,5890
231
250
  nldcsc_elastic_rules/rules/integrations/aws/initial_access_console_login_root.toml,sha256=WssE20BS5d9i4TOXVfP5ONubFXBWnj2-KLsbk75rm9Y,8313
232
- nldcsc_elastic_rules/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml,sha256=Wd2wSxKSVvHyK3-eb-8pgiRi_uA_zOHJ_gfQoPYyfUc,11228
251
+ nldcsc_elastic_rules/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml,sha256=ynVZ0tSefOiIkE4TMNvmWRpzQe33fJjm4S9b0BDXlx8,11698
233
252
  nldcsc_elastic_rules/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml,sha256=FdM5pt2Yrujf6-zApli2OY76kWtZz47-586RLUMcK_g,3392
234
253
  nldcsc_elastic_rules/rules/integrations/aws/initial_access_password_recovery.toml,sha256=Lb39-UgXSGimgLxhtlDE7y1flrC2hzyKrQOpSL1USiI,7095
235
254
  nldcsc_elastic_rules/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml,sha256=4GeyrSDf3opUNKNlLAu_Z9-H8-GqDbeFUAheGws8mvU,7071
@@ -237,11 +256,11 @@ nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_aws_ssm_start_sessi
237
256
  nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml,sha256=JbgYqC15dr6N9Q-yf-JHvcXA4KOIO1telQU71MonrgY,8030
238
257
  nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml,sha256=pXl1Oh5Di0qsDcTKDPD0HuFOaPkFzNbRR2CEhJUkNo0,9025
239
258
  nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml,sha256=Rq9AI1rT5ruemMRe2RuDDD_wVSy3t0wMKLYI3qw2YpI,8412
240
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml,sha256=HpmzelFvpv51Bs-a1dDMBPG7rBV1xkOADD0XsePgoZ4,7557
241
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml,sha256=HCvWw4_vIoxx29SUa5EV3_971mSTPN1ggBO_TEJ6PEQ,7731
242
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml,sha256=_kwA7nqeQLnxlspzubF7ToHLWhWcHIKBFTIa0zzMMAY,8018
243
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml,sha256=ZK6t84mjqNg-5fctgNcRQg7-STmu_gOPVf0Rreu8STU,8033
244
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml,sha256=G7-0RT5HWrWINzcS7Qn_BGLbj86Jox7F54j4bGB3EKg,7797
259
+ nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml,sha256=fTOuAENlAYC3QS0aetQS7Ej1WsTibUrpKCZ-f_YZHe0,8304
260
+ nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml,sha256=Lx_9GiGGaOA2vn4lcfpdi48EhQ5KbbGCG8v5gH9poMA,8949
261
+ nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml,sha256=Yvr9RidIax8a1mabkOvQKddpnPFwVqUO8mJiZuhqRHw,8440
262
+ nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml,sha256=-Fc88tgeUHq2qgNMJrf3-G4mRDJWF8Yshlvr5pf-dAI,8455
263
+ nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml,sha256=bPNa7mNhTr7FoVN5oyYlHPThw5URb4b7_dhRBMxHis4,9092
245
264
  nldcsc_elastic_rules/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml,sha256=FQGpbv5ykz8X9ML-Fr9H8FPKu6M2X80ASp4ldo3Ns_U,7965
246
265
  nldcsc_elastic_rules/rules/integrations/aws/persistence_ec2_network_acl_creation.toml,sha256=wa6QpnNQ0eT6ISVrWSe_-sS0lVTBTqtviluJ-HT4bY4,7500
247
266
  nldcsc_elastic_rules/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml,sha256=8m8lYosDwNcJbnyRTF7D4K9XhW5s0FV-7eoRWr2tMH8,8229
@@ -255,11 +274,11 @@ nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_roles_anywhere_trust
255
274
  nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml,sha256=Mb0Mhah_nFolphPN3ONirb8lhX7AXjbSz8HzXjl3UKg,10399
256
275
  nldcsc_elastic_rules/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml,sha256=q01z_zfIKt75_sAm8R2o7SoS6Xx51wwDMth5ReR7Y0M,6155
257
276
  nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_cluster_creation.toml,sha256=lklvnHv2VDTSMNxoTFNjcE6yiF8YjLJUU2LOM5dHql0,6716
258
- nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml,sha256=GakLKDtxguBEAZuP10MtUo_8OEPOW8u6y_Q4V7wRoS0,6685
277
+ nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml,sha256=fQvlyqvWG7vPUPTpnEnnFH7bWVj8XLdisRjj-PxYu0k,9061
259
278
  nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_group_creation.toml,sha256=KH6wNnPxbv7T8Dn6Blfb17F6xN2yFYj-nTsxrdpA6Cw,6106
260
279
  nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_creation.toml,sha256=SkSA6z-JXI9tzxOOM4v4WYtfYtD8WLgT6-udM0WdQJE,5885
261
- nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_made_public.toml,sha256=QX0enKc6uc1PrgoFFKjoSJG1a3Nmx85cDAywXRVO2ns,6506
262
- nldcsc_elastic_rules/rules/integrations/aws/persistence_redshift_instance_creation.toml,sha256=K9m7VlNEDlhIFE37AR6J5_RcDMXEFzIeiAZAa1kS16A,6106
280
+ nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_made_public.toml,sha256=2DfWIMSsYMEhrt54p0QHZFZetX1bfNjSC8KQ1PEcTEg,7859
281
+ nldcsc_elastic_rules/rules/integrations/aws/persistence_redshift_instance_creation.toml,sha256=AZEKZ_EinPE5glnVZ8-9A8xUFK7aD23wZ5v3OxN7OzY,6132
263
282
  nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml,sha256=i3IM0x00LEyAW19nyALNw8zaNisnz9MKr6olk7G5hs8,6370
264
283
  nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml,sha256=bOqCz6IVGEQdIgYoFqgTY9OL_sCqmk5NEaH8nZU7dx4,6042
265
284
  nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml,sha256=ZU9o24n_nx4TOzrAm1y_QFxMw0DxfL5yExM4ZcpL0hM,5702
@@ -273,7 +292,7 @@ nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_saml_provid
273
292
  nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml,sha256=0fFZSwyGkMh9CHqCrxwD1LeDGufRjHv1OwHRC1t7bI0,7306
274
293
  nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml,sha256=9ECtwk5j0n76IHEOsu-H6rWRcarai9nGPXBU6WTIKGA,7597
275
294
  nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml,sha256=_YroOLuUvZxsgL7Bj_qODFZcL0NCJyIg0TLCKI3dQgc,6991
276
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml,sha256=CJ4890fqiR6BDOGl2LIrYtTvfLT1fSns4z8iyodgrxU,8184
295
+ nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml,sha256=HR7LDZijXyPZe3ihSZcSDW88lgp37v7BvrgWaGXgCf8,12291
277
296
  nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml,sha256=bvw3qAjChOQ7nAerHUxQC-r5RFg5w8JgxxfB3UfN5bw,8895
278
297
  nldcsc_elastic_rules/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml,sha256=LkyN7cjoaQTOf3nruuH9niphBHOhSl10Suss_1Ir10I,7000
279
298
  nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml,sha256=c0cevT1mzWoFBX3gWSkDPj8yS7-hrq20C32I5yVCM-0,4847
@@ -289,6 +308,7 @@ nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_po
289
308
  nldcsc_elastic_rules/rules/integrations/azure/collection_azure_storage_account_blob_public_access_enabled.toml,sha256=0GkNqHNLowP9mmdjTVAxMNb95ZbLV2g0XjuE1sPGptE,6092
290
309
  nldcsc_elastic_rules/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml,sha256=NM4ic7IydF1t5jWexWybyr-Pnm_y887xufzevTVtuTk,6931
291
310
  nldcsc_elastic_rules/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml,sha256=2AGF1nAZUzBljOG1MZXCLnU-lYa99akb8yIp7SQ3AuY,6776
311
+ nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml,sha256=7kW2CUft9w7ICPDROTA70FUVBkBAKA1Y0KXwXjxYleY,6937
292
312
  nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml,sha256=2t-Os6k1qY7u8HOyvFizO1ElJzbnLrzCbCOotTUGjE8,7711
293
313
  nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml,sha256=j92m5z6V8wxXJJgJX5PKKl-0TnN_LJ7VqkCSojtlANo,10331
294
314
  nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml,sha256=MawhtArdpXoYBKdvMrJKYdChAKIcGPSTsIjZCcbqIcQ,5979
@@ -296,7 +316,7 @@ nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_key_vault_
296
316
  nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml,sha256=SxC4R00OxnBCKPx88JY77TwMu51ukRwvL3Snf8TyEzw,8490
297
317
  nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml,sha256=9CUi2i0wbXjstu7SAIJgDTywOcKN9El1xE0v_T6bDd0,7267
298
318
  nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml,sha256=OLRu1nEkE8oOnZFSwvBbSEPmQCNY2IHDoEX7AMxE0AQ,14220
299
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml,sha256=wKsjwH7ollQoeRLqi2WZuszbjaJwD2DDg8gcY1Nis1s,6576
319
+ nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml,sha256=kxWjxGKXAUX8iymqe0Tqegu6KK9uc-M0w3urXG8vWbU,6575
300
320
  nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml,sha256=A8mllBRUeCQetUzZ0DgGYFQmC0uGlAEeOMbb3zADw5c,14610
301
321
  nldcsc_elastic_rules/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml,sha256=TbGOqWOCd5OAOYfKKTh8wIJJ3Wymmu8YRWo8ZqvlAdo,6633
302
322
  nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml,sha256=CLfE6vVnbd9pr-ephxa3qLgG8FQZupGeqRsWZz0XxcI,5458
@@ -344,6 +364,11 @@ nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_rare_authenti
344
364
  nldcsc_elastic_rules/rules/integrations/azure/initial_access_external_guest_user_invite.toml,sha256=nEhMCfQp5uNayZKRCcoezB1HzRWZaFljEyJKyqtMtT4,6393
345
365
  nldcsc_elastic_rules/rules/integrations/azure/initial_access_first_time_seen_device_code_auth.toml,sha256=QSaPp-LThIMo4-cA5ERY8qrZnZIxC7IJvzwxi54fRl0,7918
346
366
  nldcsc_elastic_rules/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml,sha256=G_fktDxgC6Hap66t9tLAl2_YBc41iw1FTBjJhmFTnq0,6489
367
+ nldcsc_elastic_rules/rules/integrations/azure/ml_azure_event_failures.toml,sha256=U6mkeGU0Wnw8g5Mn9IFdPTk6dFMSMDoTVZHNd8g_Jrk,7716
368
+ nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_event_failures.toml,sha256=VZI-ivBYCIIkhEd7BSD_lmxM9_vEbs5ipy4-nX73p6U,7938
369
+ nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_city.toml,sha256=SwCN5TtcdPSa8VunLlmjm5jo_ZM-1mgIfWzH9BGEnHU,7023
370
+ nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_country.toml,sha256=qKcu4_BRkP3WZ4ggnYZM6zF6DFAmSCoDjmZBEOLzgoM,7029
371
+ nldcsc_elastic_rules/rules/integrations/azure/ml_azure_rare_method_by_user.toml,sha256=6X_lvPz2YQze21zZXbpztbaGma1hwRILDqqjcoQhipU,7868
347
372
  nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_application_credential_modification.toml,sha256=uc1QLRfU9rV4vq0xiTJsRnEB2KcWk4DbniXnfTwFMsM,6406
348
373
  nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_automation_account_created.toml,sha256=HVDz3et3jxZHloBC_0Sr-yYF5lZp4bs-JF9aXbfLew0,6072
349
374
  nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_automation_webhook_created.toml,sha256=sk2unPzhdRfFfq2VvLGPsIxXSOXdvvpirb1UJy5CeQM,5914
@@ -394,7 +419,7 @@ nldcsc_elastic_rules/rules/integrations/endpoint/execution_elastic_malicious_fil
394
419
  nldcsc_elastic_rules/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml,sha256=-ZPqaZmP2z-Su3cEmdqW4knt99pjQm2JQtU7eTBXHY0,8697
395
420
  nldcsc_elastic_rules/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml,sha256=i0euPpVIU9ybfJMJd_KLq6vgW0eYJAXZ5AuzkKx-RKk,8674
396
421
  nldcsc_elastic_rules/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml,sha256=hWJgYtCQYC05-sA4f2dzwKiHOK8nylNPT8AizyzDBLo,8659
397
- nldcsc_elastic_rules/rules/integrations/fim/persistence_suspicious_file_modifications.toml,sha256=9wSprMy3phqTQEhQ5hEagN4aIp4dxnfvpuFEALsz1P0,14597
422
+ nldcsc_elastic_rules/rules/integrations/fim/persistence_suspicious_file_modifications.toml,sha256=QQlt7EP_1nMhxEJTpj5FVAMj6Ue4EZTVMoWFmFUr_Ik,15053
398
423
  nldcsc_elastic_rules/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml,sha256=zn9hBV5cGzj6-NFmzyMD59E_lBRPIQHudV0k1yM5Cyo,5620
399
424
  nldcsc_elastic_rules/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml,sha256=Opz-8ulSqyD7ksLmIISm_ArZiKPHox6Lc3yr_eWErgY,5776
400
425
  nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml,sha256=ok9-iJDOFd6AZ0ABCZfGZTdxnPUqH7gtzolcAVryvhE,6431
@@ -415,6 +440,11 @@ nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_service_account_deleted.t
415
440
  nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_service_account_disabled.toml,sha256=I08lGtCXy11ojZfYMlsYe8XzJxSnYdFja1wDGrAVmrg,5645
416
441
  nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml,sha256=Qf-ZZH_3z9brqN-0klxtL-FsZAjFiZZS36Sn-qzTqwI,5489
417
442
  nldcsc_elastic_rules/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml,sha256=fLfQBKs7ImYg1DxYvMwSalz5i0ZE3F0cg1a-EL3fC0I,5977
443
+ nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_error_message_spike.toml,sha256=B27VhzFh1O3I1WEniqKMzOyr6A2T7bqZvqVq6tzewhU,3500
444
+ nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_error_code.toml,sha256=Qk8wE3uQFzH54XrVTxz6sLceAlXOIO5a7QB1Ypq8tho,4013
445
+ nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml,sha256=gkjd8P78xYDEGnjOAut98MY2FjQiS3aAHCXOFkGSIv4,3316
446
+ nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml,sha256=aKuOtgZSF2DmKXI7WpxdkCv8Eivyu1JzZAtwb111Ac4,3325
447
+ nldcsc_elastic_rules/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml,sha256=aLUduILKnUxVj8Bl_yKuqrh8XMQw_lM4CamyK4iT9W0,4108
418
448
  nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml,sha256=bHIsaQHQrybqxO11obuciwWWsNU5sYxdG4PgtsrnxhA,5711
419
449
  nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml,sha256=7XqyO_jEKz6Dp8SqKZeCRCpK4BHJJq49xyMZ1tuZwbw,6128
420
450
  nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_service_account_created.toml,sha256=OBfAb9oxCppW3-P5tG0A3E-4scrqHPDEnM7iHpVL4Nk,5604
@@ -424,6 +454,7 @@ nldcsc_elastic_rules/rules/integrations/github/execution_github_high_number_of_c
424
454
  nldcsc_elastic_rules/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml,sha256=6q-SntMIphiYXYTB1_Th2IH790UQp_-7pI2uqtWrzi8,5139
425
455
  nldcsc_elastic_rules/rules/integrations/github/execution_new_github_app_installed.toml,sha256=MkD6gHp77xXX-SCceSoWrfQgAXS392mBTPt5W875thw,5030
426
456
  nldcsc_elastic_rules/rules/integrations/github/impact_github_repository_deleted.toml,sha256=IJJ2S5jZqlKAdtz5HlQLJM-_BFACYGWErZ0csvPqwp0,5248
457
+ nldcsc_elastic_rules/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml,sha256=o-1ex0Erel4NLPg8YiTO_gm_0cfh6-_KGlyye5puVxg,3267
427
458
  nldcsc_elastic_rules/rules/integrations/github/persistence_github_org_owner_added.toml,sha256=LbXN15NvNoQagu6h-A5Wt7xT_UZ1EsM4BVHQOQDyl1c,5336
428
459
  nldcsc_elastic_rules/rules/integrations/github/persistence_organization_owner_role_granted.toml,sha256=krgvUBqURO0EJgbO6O85jZCU2lDcAmCo-MGbodiUFY4,5126
429
460
  nldcsc_elastic_rules/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml,sha256=FlES1Pm0gy22moYPW4LO5uRdluGsEU4Nz9JpucNUnwk,6762
@@ -479,7 +510,7 @@ nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_unusual_time_for
479
510
  nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml,sha256=g79V0ABJLK33BYTmsgV-YseWDQqHoozCvSJHEYQ2msE,7487
480
511
  nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml,sha256=QgEjGZvo7vMT7KhrUv4fstgivv-OQM5an2htugvEij0,13146
481
512
  nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml,sha256=DVKnxmSWgFj9dw5wA3uxt0wycwKeAY_mMPnN2vSU9Sc,6905
482
- nldcsc_elastic_rules/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml,sha256=d2MFbarCiiDCBRgbjsJcqHtCwFsa6YCm0_5pLSVX7NE,6201
513
+ nldcsc_elastic_rules/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml,sha256=RtWERY-rMHQBOnJW948zQpinvJ2xoYQ7Za0Ic6IDwYA,6780
483
514
  nldcsc_elastic_rules/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml,sha256=G381iayYS3tdK5EEPdYtxbEiQdnuMO-3q3WlIKmFPnA,5764
484
515
  nldcsc_elastic_rules/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml,sha256=PjYBhnQe0BN_BB-xDCNTz-b2U_xmqcMzRJRxi8Akn7I,6618
485
516
  nldcsc_elastic_rules/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml,sha256=IaSWU_sNcVZVZAkaexIJ3_MqatDXz1iENyoJAG59fto,8769
@@ -595,7 +626,6 @@ nldcsc_elastic_rules/rules/linux/command_and_control_aws_cli_endpoint_url_used.t
595
626
  nldcsc_elastic_rules/rules/linux/command_and_control_cat_network_activity.toml,sha256=k-h-Q4TvHrWGIbBwqoxOI6Uyl-KhyAi4ZR292QnBcyc,10055
596
627
  nldcsc_elastic_rules/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml,sha256=c89NL_yBFDR1FTTPACEVqVa4-pI0E8Fo6WzKRQjSnWY,8141
597
628
  nldcsc_elastic_rules/rules/linux/command_and_control_curl_socks_proxy_detected.toml,sha256=JcqLSyW2-yLr61Xh-auuxMSl09CGSl2NzBvxrOyyLnk,9140
598
- nldcsc_elastic_rules/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml,sha256=8xPvn6fFS__HSDFU-jKdfV1hCj4dOleT_25I-b37SgA,7540
599
629
  nldcsc_elastic_rules/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml,sha256=EoauyMXmyTeHRNRRBHcKg0hIEzvvcW2MZyCLr8us8jQ,9242
600
630
  nldcsc_elastic_rules/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml,sha256=b26_MQsQ_Zbe1_yUv1lmdpgqnpBTt3fI2zqZ_aR6ZEg,8775
601
631
  nldcsc_elastic_rules/rules/linux/command_and_control_ip_forwarding_activity.toml,sha256=aW8A9MMEdL_QxWoYNIMVFLBq11OCTJEmn60HF_9rb78,6284
@@ -650,7 +680,7 @@ nldcsc_elastic_rules/rules/linux/defense_evasion_disable_selinux_attempt.toml,sh
650
680
  nldcsc_elastic_rules/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml,sha256=TP2v-fOtbyN1br4Ss7wxZ-fF83LgiwWRNVW0gtL6Yyk,7579
651
681
  nldcsc_elastic_rules/rules/linux/defense_evasion_dynamic_linker_file_creation.toml,sha256=ki_aOv37YNyous1rvS_ygKRulboxeWQRuxG8oCo80k4,10311
652
682
  nldcsc_elastic_rules/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml,sha256=LR7nv5kcnab8M6Zy11Nj1eCYG9cTJjlbwCE1S4iGGZI,8400
653
- nldcsc_elastic_rules/rules/linux/defense_evasion_file_deletion_via_shred.toml,sha256=8972NmVPXUtb-KDYgvl5DdFd_O7KqFeKnwNnh7blNyc,7466
683
+ nldcsc_elastic_rules/rules/linux/defense_evasion_file_deletion_via_shred.toml,sha256=sh1JqbUZzGzxEPhOwVHC8gHV23sGXDNuYc1SSzwvvzc,7810
654
684
  nldcsc_elastic_rules/rules/linux/defense_evasion_file_mod_writable_dir.toml,sha256=yoiW_nL3_Q1cuWHqjyKNVvhbd6pdIYFp0rS5pGi9-3E,9193
655
685
  nldcsc_elastic_rules/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml,sha256=r4q_GWiN7uV8Zr31FZHMcFMEKTRd55BtKIWWoVmH5qU,8174
656
686
  nldcsc_elastic_rules/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml,sha256=rjLe8NDJRfd2Po4QtR4rGvPlaMki-OX3BO-s5Qsz3HY,8900
@@ -755,6 +785,7 @@ nldcsc_elastic_rules/rules/linux/execution_sus_extraction_or_decrompression_via_
755
785
  nldcsc_elastic_rules/rules/linux/execution_suspicious_executable_running_system_commands.toml,sha256=NQiopV19sl79cdiY0lp9N7KihuJ8_iqoBPQCGz8nodE,9335
756
786
  nldcsc_elastic_rules/rules/linux/execution_suspicious_mining_process_creation_events.toml,sha256=CqD2pvtdwm5CLHdDGarc0cz3EqhTeHcYd-WLFz-typs,7706
757
787
  nldcsc_elastic_rules/rules/linux/execution_suspicious_mkfifo_execution.toml,sha256=M5cfy5vI56PMpP4tLP1nAm7zVQj_mk_GZneQTQ0wfck,8406
788
+ nldcsc_elastic_rules/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml,sha256=N6jzMWVTussM8gbKSArfY39C1feoHfuq8h2tDQ-1uFg,8074
758
789
  nldcsc_elastic_rules/rules/linux/execution_system_binary_file_permission_change.toml,sha256=7F9NBgskVZbcFD61VDBf5YVfsyEssBH-9GNLwLthZGE,8023
759
790
  nldcsc_elastic_rules/rules/linux/execution_tc_bpf_filter.toml,sha256=_n2KpsJyMmmo9EfGtvjXTvesw96fWKNMTPvRaK5zky8,8024
760
791
  nldcsc_elastic_rules/rules/linux/execution_unix_socket_communication.toml,sha256=B7KrcxpVnHg0-kxEcopciAVsx7rxs05pXdAM8qR8BFg,6311
@@ -786,7 +817,7 @@ nldcsc_elastic_rules/rules/linux/lateral_movement_unusual_remote_file_creation.t
786
817
  nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_execution.toml,sha256=zVnlpYm0Hyy93XbmgZsU1xQlCvcZuHsyjkHMcyHIoTY,9830
787
818
  nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_file_creation.toml,sha256=mpknpHIcWzMJ0dEHhDF3xlkUDk7KS6-zU2qT1ZWcVsU,10085
788
819
  nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_netcon.toml,sha256=LcnVX5WQgHGEKHz5DgEceFXbPaY56fT-OyxlHf7e0RM,9796
789
- nldcsc_elastic_rules/rules/linux/persistence_at_job_creation.toml,sha256=iT_N5VtTBSTj7DPOZtSrC_KnWb7MVnslzq5LX43PTaA,9983
820
+ nldcsc_elastic_rules/rules/linux/persistence_at_job_creation.toml,sha256=nm_Ovbo0xDKDv9AnWmyUtrXHiDuCnMT9tJd2JBmO308,10010
790
821
  nldcsc_elastic_rules/rules/linux/persistence_boot_file_copy.toml,sha256=FXmoWEUm0HS3zG5JONnECmK-sS9JgSJc_mAbbBRYlIs,9171
791
822
  nldcsc_elastic_rules/rules/linux/persistence_bpf_probe_write_user.toml,sha256=GO_d9TsPDtd0IjUnMuw2KPbjwW7VEkWjFjAglBNPrmU,7504
792
823
  nldcsc_elastic_rules/rules/linux/persistence_chkconfig_service_add.toml,sha256=ckRod__ON03736h45WCBoP_fkLSDtNXtI2Q7xU79rEM,12141
@@ -824,16 +855,15 @@ nldcsc_elastic_rules/rules/linux/persistence_manual_dracut_execution.toml,sha256
824
855
  nldcsc_elastic_rules/rules/linux/persistence_message_of_the_day_creation.toml,sha256=Fsnv7CCQu_LU8_184vFM9b1Orkn3BdKlRcbVkqGp2us,10662
825
856
  nldcsc_elastic_rules/rules/linux/persistence_message_of_the_day_execution.toml,sha256=3Va3AnNEupp6YTwfb59LaT3TkwkPTKdEpaBpuY-qYG8,11299
826
857
  nldcsc_elastic_rules/rules/linux/persistence_network_manager_dispatcher_persistence.toml,sha256=S_nnxNc2tS3OJB7p8zZMWPf8T3uugMN42n4Jx8ohm8s,10303
827
- nldcsc_elastic_rules/rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml,sha256=Q3pQVQL7GiwHWhRu8js4dalDORAg86m8AFO6FNWXYVg,4686
828
858
  nldcsc_elastic_rules/rules/linux/persistence_openssl_passwd_hash_generation.toml,sha256=HMTiLsHyMCpsJz5-Q6OlD3LWDhgDwqwLZ8kCVxMKWLQ,8306
829
- nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation.toml,sha256=28HEBVh0Yv1pZUtPw1pSdLZ7oEvlR58akB8O4lipltM,8282
859
+ nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation.toml,sha256=TtPHvC4lCERw8ApEcNWTORQTok2sgoqJlrB92L8dhGE,8742
830
860
  nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml,sha256=4daNwJdC-dCm35V6LHn2YT2k88JzyeNM4Ay1QlAz3tk,6934
831
861
  nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml,sha256=w8l8BHW9HDTtLNKzkFblLUVuBBdnM3EgzOytpLv2g40,7106
832
862
  nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_source_download.toml,sha256=sOe1szhNzSEf7z_7QIohWYKs3eAw9izord5or9yv9Fs,6250
833
863
  nldcsc_elastic_rules/rules/linux/persistence_polkit_policy_creation.toml,sha256=-webliLnZvU-9DBXUAERJk4RVnG_NKFTzWtyPd8y0FQ,8028
834
864
  nldcsc_elastic_rules/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml,sha256=luMf-uBI_9mszIFPHaVfBUxgcZVRY_TT0Wc0rRUV48A,9769
835
865
  nldcsc_elastic_rules/rules/linux/persistence_process_capability_set_via_setcap.toml,sha256=LmCztA6z-RROpqPNDoCU-Kv5egmGmOFc1JJz_6zJgkU,7677
836
- nldcsc_elastic_rules/rules/linux/persistence_pth_file_creation.toml,sha256=MHC_VYIyNdX4vL0Uy0Ir_eynnnc7AqdO-VCzpxpovmE,9179
866
+ nldcsc_elastic_rules/rules/linux/persistence_pth_file_creation.toml,sha256=K5koiQylnqVRpzkSiyfmQCM82jtqEjUyWgGLSRxbl6o,9327
837
867
  nldcsc_elastic_rules/rules/linux/persistence_rc_local_error_via_syslog.toml,sha256=92turJDNe1mhjp4JX4Sgz0mtUKbfHY72Ru4zk8FGfV4,7634
838
868
  nldcsc_elastic_rules/rules/linux/persistence_rc_local_service_already_running.toml,sha256=i1pGrl3JkqxnhkL41lrdjPz2x5pudpu5qoJfUEAjeJE,8472
839
869
  nldcsc_elastic_rules/rules/linux/persistence_rc_script_creation.toml,sha256=MAuqJKh3at1GU5tA91fZolPsDy-kKvmYF5n52gAlDbc,11869
@@ -844,7 +874,7 @@ nldcsc_elastic_rules/rules/linux/persistence_shared_object_creation.toml,sha256=
844
874
  nldcsc_elastic_rules/rules/linux/persistence_shell_configuration_modification.toml,sha256=ABFKHMTmxPXf0B3_D3Kco59UBU7eDYg-s6sW7mkoKuw,10691
845
875
  nldcsc_elastic_rules/rules/linux/persistence_simple_web_server_connection_accepted.toml,sha256=Y6NCotjjPViwDD1mf3pgI3hL9yxIpDl6tVk9KTifV7c,9047
846
876
  nldcsc_elastic_rules/rules/linux/persistence_simple_web_server_creation.toml,sha256=2teNfvMYbNwKukvOQVsxQ-nIFo9tslF38bNtnoSqW4U,9244
847
- nldcsc_elastic_rules/rules/linux/persistence_site_and_user_customize_file_creation.toml,sha256=nmEgELFxMkstOxrGkxIwGvza-N_GdPbXtqcrX9qsPj8,9243
877
+ nldcsc_elastic_rules/rules/linux/persistence_site_and_user_customize_file_creation.toml,sha256=HdKzr_qRE9O1jODuSUrZ26seSKIvWQM6CaBold9g8cw,9391
848
878
  nldcsc_elastic_rules/rules/linux/persistence_ssh_key_generation.toml,sha256=SOV5QSz_Wl-r1KYd6r98AFMMwfj4-VatQKtlPzPUDHE,6638
849
879
  nldcsc_elastic_rules/rules/linux/persistence_ssh_netcon.toml,sha256=3avmeoDyjH0erwCeEBedeStMpxf4iCb809J1tRXpVOE,7564
850
880
  nldcsc_elastic_rules/rules/linux/persistence_ssh_via_backdoored_system_user.toml,sha256=XZBiubtiLYnaSPP2OA0hANeyr2T_nm81T0bcWlEZUXc,8153
@@ -868,6 +898,7 @@ nldcsc_elastic_rules/rules/linux/persistence_user_or_group_creation_or_modificat
868
898
  nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_child_spawned.toml,sha256=mR9q_SyFFr3KbQ_0763AX7d-geBxB70uMDRcRqIDs_Y,11927
869
899
  nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_command_execution.toml,sha256=-oKvYsUxfRAjB6DnjuXEzch8oGbuUeoEcJNE19ac_00,11555
870
900
  nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_destination_port.toml,sha256=Nn58HN-bgiJRQ6pJLnbEJFxfM6_3gdkK-jgkEUmIghk,9874
901
+ nldcsc_elastic_rules/rules/linux/persistence_web_server_unusual_command_execution.toml,sha256=26iRsVPwKPxJsixZE84rUddKPS6ucZ6LzQYtj-HFiN8,8792
871
902
  nldcsc_elastic_rules/rules/linux/persistence_xdg_autostart_netcon.toml,sha256=FPbZm4OdB_WCpKaZuwauJhI73FP-B8S6392ysQ7aKew,11011
872
903
  nldcsc_elastic_rules/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml,sha256=Q92YiJGlea4JOtttRC9F5i2OBW3_jH3sfq2GrJmSdaU,9882
873
904
  nldcsc_elastic_rules/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml,sha256=NHXMJj064rfeflQgC4fRoIlycp30-luwnoPV5wGtfaM,8875
@@ -999,16 +1030,16 @@ nldcsc_elastic_rules/rules/ml/initial_access_ml_auth_rare_user_logon.toml,sha256
999
1030
  nldcsc_elastic_rules/rules/ml/initial_access_ml_linux_anomalous_user_name.toml,sha256=iNufQcmdGizV-2smL--et7zPuAmJ2jab-UWQt-JcSY4,7456
1000
1031
  nldcsc_elastic_rules/rules/ml/initial_access_ml_windows_anomalous_user_name.toml,sha256=RZFc5oqap1Gapd74KWg0ygdFvchJnARdXpOVYZ_61Rg,7152
1001
1032
  nldcsc_elastic_rules/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml,sha256=9ucTP7Q6X6kTiuXWEa9nueqW0r_EdFNOAQ7ZG9d1FJs,5685
1002
- nldcsc_elastic_rules/rules/ml/ml_high_count_events_for_a_host_name.toml,sha256=x-lS-NExEL8gOxp5mun9uz1tUmLir3kG10zczlKQqnA,7325
1003
- nldcsc_elastic_rules/rules/ml/ml_high_count_network_denies.toml,sha256=wMjhrjukKhbLGc2FnyeegsONlnDVM8ENMjXzMAcvEko,9233
1004
- nldcsc_elastic_rules/rules/ml/ml_high_count_network_events.toml,sha256=T8DWawy6a4jfxxoEgDgZrrnxTMtyG7_MtAdGOLBrAyg,9234
1005
- nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_activity.toml,sha256=f9ssepHJ6ynY5epi85V_4f1Sk3jwZaHo5BlKiYrVWoQ,6859
1006
- nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_port_activity.toml,sha256=zqr7MfO7mI5YWnRiNxChJOXyyRaT_hDqg-3dTjgPFWw,9453
1007
- nldcsc_elastic_rules/rules/ml/ml_low_count_events_for_a_host_name.toml,sha256=70zaSCAcALMh6TyvqO8H5ngh_0pPfXcAjae5MUv52D8,7114
1008
- nldcsc_elastic_rules/rules/ml/ml_packetbeat_rare_server_domain.toml,sha256=r-RVZZC-D4fBn_5iMlPmVCeALt21fZBaBq04Lzbisx0,9760
1009
- nldcsc_elastic_rules/rules/ml/ml_rare_destination_country.toml,sha256=SY0Vb9x6WuovgSXt35RMbdLRVcEuGrcbfhhU4M5W49s,9747
1010
- nldcsc_elastic_rules/rules/ml/ml_spike_in_traffic_to_a_country.toml,sha256=jzaTqY4fh5v0UDcJA9jiuw0tmmOyrVA8WhU76K4W2_Y,8925
1011
- nldcsc_elastic_rules/rules/ml/ml_windows_anomalous_network_activity.toml,sha256=Olu_4u033xDRSOeIhIDAsuNkDc69BPY2IZlqQMjH_8o,6565
1033
+ nldcsc_elastic_rules/rules/ml/ml_high_count_events_for_a_host_name.toml,sha256=JSoCQ_sBJXfQp_JOfbj-8K-mcWCsFu-3NA4b55s7I24,8617
1034
+ nldcsc_elastic_rules/rules/ml/ml_high_count_network_denies.toml,sha256=pIiKMyeOI6v_kHTIP_0HeEZSoYvUaBwIM6NSV18WoOA,10823
1035
+ nldcsc_elastic_rules/rules/ml/ml_high_count_network_events.toml,sha256=Opp883aStXYGCLFyt7t9Krm1aCGH26IzqFHkWQYIc9I,10376
1036
+ nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_activity.toml,sha256=AJ4AXTBiFSmlMusoEvpzTPJDlWPH6esnpENOX3RRSdI,8049
1037
+ nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_port_activity.toml,sha256=cy-cHGJ_51fjRQ8Gw6FlSmXxnSGBjawphjYWjenMxhg,10322
1038
+ nldcsc_elastic_rules/rules/ml/ml_low_count_events_for_a_host_name.toml,sha256=6hJhS5Ors15sl7GNR_rFCl3T6Cf_7709wfCtGNNSLlM,7680
1039
+ nldcsc_elastic_rules/rules/ml/ml_packetbeat_rare_server_domain.toml,sha256=JShjfA-ylsE4i8aGnrvlDjYNf_jW0zvTrj0YcKsSX_0,11218
1040
+ nldcsc_elastic_rules/rules/ml/ml_rare_destination_country.toml,sha256=fr7qgbjlL7BQYb6ZgtAUVJ9UuCqXiwb0o00ElVGKuGE,11337
1041
+ nldcsc_elastic_rules/rules/ml/ml_spike_in_traffic_to_a_country.toml,sha256=Novfl3ap1ltCvQjUVB5TQYhfvCuzsCaQHtoWIzNjzDA,10081
1042
+ nldcsc_elastic_rules/rules/ml/ml_windows_anomalous_network_activity.toml,sha256=5-m0T7sslRq_opLq7PlJ4775qIwR0kcpQQiqM22pfu4,7755
1012
1043
  nldcsc_elastic_rules/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml,sha256=KF2u9Gr51vPCHGCaTMWYMa-7JDOUB-mrkXM7h4X8P70,9351
1013
1044
  nldcsc_elastic_rules/rules/ml/persistence_ml_rare_process_by_host_linux.toml,sha256=yCKzM-DKLvxs6Oz2RcT2KfC1cgVykUyFSI17oc8pTRw,9330
1014
1045
  nldcsc_elastic_rules/rules/ml/persistence_ml_rare_process_by_host_windows.toml,sha256=eALjJe_xz11RYe3FmHDs1tpRxmxx0dL0qytSfjGrq-U,11662
@@ -1033,6 +1064,7 @@ nldcsc_elastic_rules/rules/network/command_and_control_vnc_virtual_network_compu
1033
1064
  nldcsc_elastic_rules/rules/network/discovery_potential_network_sweep_detected.toml,sha256=5tQIN2thiNsLQTRjDdHRAAk5GFy7wjAUJ8Ca-MJnID8,6605
1034
1065
  nldcsc_elastic_rules/rules/network/discovery_potential_port_scan_detected.toml,sha256=gpRNpr2f8lTKAPr8feg7iIOw3AtpPwOgXRZMc3Ieek8,6801
1035
1066
  nldcsc_elastic_rules/rules/network/discovery_potential_syn_port_scan_detected.toml,sha256=9JcJqRiehUpdeEirZmBTVqPT4FSEbWUxuTICvw0vmAI,6617
1067
+ nldcsc_elastic_rules/rules/network/initial_access_react_server_components_rce_attempt.toml,sha256=5Z70AlUVQJJkLqtvCJKCbXUZxTdlO3lYb2Dl1hIbUu4,5131
1036
1068
  nldcsc_elastic_rules/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml,sha256=Qai4OAj8Rr6eN-_U2iJB11FpSg9LuTyZACc9vYKjpAs,5890
1037
1069
  nldcsc_elastic_rules/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml,sha256=7Lko0AyJx0dSe0f6bXpLnjlZi309glFt4dSJRDKlZ2k,6152
1038
1070
  nldcsc_elastic_rules/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml,sha256=cAPxvSf0gXy2-AMiqKCs-QHKwvsiU36qwg808WUe9MU,6574
@@ -1049,7 +1081,7 @@ nldcsc_elastic_rules/rules/promotions/endgame_ransomware_detected.toml,sha256=jz
1049
1081
  nldcsc_elastic_rules/rules/promotions/endgame_ransomware_prevented.toml,sha256=NbkC3mYaZo-9BNdCHkIIDou6qtaGjERlIsRVqx1UgHQ,5205
1050
1082
  nldcsc_elastic_rules/rules/promotions/execution_endgame_exploit_detected.toml,sha256=qf7eZQG0C_M-JudxEg58LKQg8UYOfVj7QJH7LpZNljY,5219
1051
1083
  nldcsc_elastic_rules/rules/promotions/execution_endgame_exploit_prevented.toml,sha256=_C-Ljdho36X-6MIv67-Uj5We3noqyc_KmlOUdY-OutE,5785
1052
- nldcsc_elastic_rules/rules/promotions/external_alerts.toml,sha256=a-7lcp3HNwR-9slkINZVc3zvY5vcdi4h2f3gUWulFok,5437
1084
+ nldcsc_elastic_rules/rules/promotions/external_alerts.toml,sha256=uZXbICVRv6Ai1OGpiI8vHFdk8h54zjNSRLC1dDFTPl8,5473
1053
1085
  nldcsc_elastic_rules/rules/promotions/google_secops_external_alerts.toml,sha256=N-RqHMdp-ShOWRbdjRWAlgpRul7D3HwAMBbTw2_NCtE,5408
1054
1086
  nldcsc_elastic_rules/rules/promotions/microsoft_sentinel_external_alerts.toml,sha256=579FABDjrD2Bx-HtjVbt9Xx_FbGxLZ6V8lwExUnbUjE,5192
1055
1087
  nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml,sha256=OsC42xvAWZ73ucgomaH2F3Hz-qH2WgRXmhFvZ4UPFkg,5352
@@ -1079,7 +1111,7 @@ nldcsc_elastic_rules/rules/windows/collection_posh_webcam_video_capture.toml,sha
1079
1111
  nldcsc_elastic_rules/rules/windows/collection_winrar_encryption.toml,sha256=jrytpercQnyWQkufhRT-L3zm4dlgVgd-7liJXmO583k,5364
1080
1112
  nldcsc_elastic_rules/rules/windows/command_and_control_certreq_postdata.toml,sha256=Zy4h-3zDaUJOctE9E72kt8Dtc0popzZDZSC47Sbw1_c,7957
1081
1113
  nldcsc_elastic_rules/rules/windows/command_and_control_common_llm_endpoint.toml,sha256=BCmSt8ytB0-2eBiE6naRjv4dMkS9qp5y0oFLc8tGNZ0,5960
1082
- nldcsc_elastic_rules/rules/windows/command_and_control_common_webservices.toml,sha256=8VJr0CC0L4mgpQyWgNHw30K5fBsnssl1SaZX1B2X7iY,16056
1114
+ nldcsc_elastic_rules/rules/windows/command_and_control_common_webservices.toml,sha256=TcA4ckj12HQQaUXZXkk-0vt_bbGozRtyYxbb97QWZ4U,16082
1083
1115
  nldcsc_elastic_rules/rules/windows/command_and_control_dns_susp_tld.toml,sha256=7YsiR5XjwtQ5X7HZrm6hcIAcmfYJbCdgtEW1St-to5k,4779
1084
1116
  nldcsc_elastic_rules/rules/windows/command_and_control_dns_tunneling_nslookup.toml,sha256=OGBh4zDgseRjdRBBbAqE8Lhlmtu0QErRfeiFZqTMVVA,4816
1085
1117
  nldcsc_elastic_rules/rules/windows/command_and_control_encrypted_channel_freesslcert.toml,sha256=tu4oPRs2LaxkDndmPIJyqyBZpt2al03ncSZF0dn5xUU,6285
@@ -1146,7 +1178,7 @@ nldcsc_elastic_rules/rules/windows/credential_access_posh_relay_tools.toml,sha25
1146
1178
  nldcsc_elastic_rules/rules/windows/credential_access_posh_request_ticket.toml,sha256=_Bkl3F0MjLYjXR9JnaLJjuKcN7XZPr-ub7ml5kRiv_A,5750
1147
1179
  nldcsc_elastic_rules/rules/windows/credential_access_posh_veeam_sql.toml,sha256=Qht0Xqy8JelaTYLJUhXEviycG4lfN97T28arm0W0G_E,6754
1148
1180
  nldcsc_elastic_rules/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml,sha256=hyX6TzSZeEYIpncq_WyREZJRs4QpwHNtusKXHyukrX0,6135
1149
- nldcsc_elastic_rules/rules/windows/credential_access_rare_webdav_destination.toml,sha256=E1UEiQ5Q1gMSm3f_0p51meE4oiJAdlX1-qz9-7GN2to,3769
1181
+ nldcsc_elastic_rules/rules/windows/credential_access_rare_webdav_destination.toml,sha256=WiRjB8wpQeih26RTU0BvjQZ9BtPdNY5EiOZSqm5ddzU,3960
1150
1182
  nldcsc_elastic_rules/rules/windows/credential_access_regback_sam_security_hives.toml,sha256=IlgMYu2u6WUR_u-vjongz-rl9BhVwO82OhWHzp3xnGg,4266
1151
1183
  nldcsc_elastic_rules/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml,sha256=5XU3oqye076_WHBRMjIg9ao7S0yH3AYzrojE6DC9kVU,6881
1152
1184
  nldcsc_elastic_rules/rules/windows/credential_access_remote_sam_secretsdump.toml,sha256=pHo0i42ZPV-a7iMVjbFkbPDc50IOkdK47QiKJuhqIt4,5186
@@ -1213,7 +1245,7 @@ nldcsc_elastic_rules/rules/windows/defense_evasion_installutil_beacon.toml,sha25
1213
1245
  nldcsc_elastic_rules/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml,sha256=7V6HIeM2Cx0z7CEPgT2FmI654kLyd3azSrR8pvwGeV4,5953
1214
1246
  nldcsc_elastic_rules/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml,sha256=1L_MbC6n0qgRHwjfwdwjuZlKVBXsDiVaOtOHH2Q7_J4,5166
1215
1247
  nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml,sha256=frvBRYQ_LC8iXipJ5Im8JtumujieS752GS9OksOrccs,7249
1216
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_svchost.toml,sha256=WOx6mmJvHfpP8ZzimjNw2neBSX9NDxLASHjZXwsMxpM,5263
1248
+ nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_svchost.toml,sha256=8C5Q9OzmKb5wOxLpPutid_ThCYyC_uRxLKs_p_xPGiQ,5563
1217
1249
  nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_business_apps_installer.toml,sha256=j2KEB7Ay3jaTi0syxEyogu87ktxgzIYNF2hU2hC98dg,11678
1218
1250
  nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_communication_apps.toml,sha256=LaHGL1NKjdABiXJFIj2dgmWbxGMwjiMBcZ2HA76ofLg,8401
1219
1251
  nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_renamed_autoit.toml,sha256=LjiVW8uEXoIiU-PXNuCWdF08-ZXNvyv3uQuVJjhFMnY,7161
@@ -1239,19 +1271,19 @@ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_assembly_load.toml,sha25
1239
1271
  nldcsc_elastic_rules/rules/windows/defense_evasion_posh_compressed.toml,sha256=XOWQ8kHTh2dO3XxH0jkIMiN2psYQNLk1tVuFnZrQwpA,8838
1240
1272
  nldcsc_elastic_rules/rules/windows/defense_evasion_posh_defender_tampering.toml,sha256=H7mJPSpYXBsCUHCh4LeBwYpJIH63u74Rg92viCwK0u4,7756
1241
1273
  nldcsc_elastic_rules/rules/windows/defense_evasion_posh_encryption.toml,sha256=MQ9N2-3oBvRn_4oDb_nuzsE3AikOwuNotuXnCZOOou8,4808
1242
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation.toml,sha256=3GMIlxL6uLxopELtFNemyD_wXa9A0lRdgQA_mnMZRi0,7210
1243
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick.toml,sha256=5up_YdsYqQDy1hogwGVVPFl53F6ozoSFyhaPqSJGCyQ,8516
1244
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml,sha256=ozd5RUQy64yPC3TLhahFE5BzeoBAlIjXAgfTUziGIHY,7755
1245
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml,sha256=M4X_HRO_da0PMznobkaAeig3ufXUAKrKzqmFLsjrBXM,7579
1246
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml,sha256=ao5ZlxvVFQ6BCRLNqOoZrDE_u63vlj2RPaY8U3aSUzI,7585
1247
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml,sha256=uSIV23uVHCG8w4dOBqJKOLp7NG8Oack8W4ZNRPAO1wQ,8724
1248
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml,sha256=TkWuTs6I2PEj4T2dVplw5G0LD4c0Gd2PHB4XIcKHF2k,7872
1249
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml,sha256=L4-0_uAAzaWJslVY-ZiM21mdB5MH_it04Ow4cCWkvZ8,8270
1250
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml,sha256=7VBif_aCoodwGDl25wObmsEl1PdLZ5Ip9UXZtZ1iCwQ,7630
1251
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml,sha256=lVazgVc9FTHDtlTo-MnmOa3wINYh7CJu9Gb3Ks83xa8,7691
1252
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml,sha256=y4VL4u2-rs0xBrCl4MF7nOnd6obq_JrZcniCLKwl6Ac,7818
1253
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_format.toml,sha256=lByx_whxoaBNgYOtYzNTqYWyrWlMVZt5h0Qj4QNlA7o,8493
1254
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml,sha256=73kD8DvxAAt1yM6DfNmLfI9zeB6uFDXzs4ymgkOzj1s,7852
1274
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation.toml,sha256=nIkF_igI2m1Es2jPG4M1gjGsyG_DzKRwZ7MXkO540no,7992
1275
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick.toml,sha256=sjItunEhZHaO11TmKDVGI9phF0dawG05inyVQf-VzFQ,8463
1276
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml,sha256=zptOONgWeqPeWiN_OQ8Nix9zRLLDe7hsxrqy-O4U_aA,7702
1277
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml,sha256=UNFzDw-M2AAwjP5JRRl9LLu4aPlDF8GzFG0k_0QHu9E,7526
1278
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml,sha256=wCAkvpPciw0nm1sUP3veDwEdo0_x_zgEWthaNYQnoXM,7532
1279
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml,sha256=j4cD80tA2EaiMu7Q1q3ow7W_8ODWUr7UUmniD5ihiNg,8671
1280
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml,sha256=rbfaYn3Ahheo_s-iapoDP5jk0JveY3hx8YpOhrBo2pY,7819
1281
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml,sha256=FOvOlKjLvduWxFgfxHaHUwuuH_oecst2uhdgGw47diM,8217
1282
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml,sha256=83P_lIPfuy_PkQU1ekamwNqRk65z9YSQ5uQFri68NCw,7577
1283
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml,sha256=KFY98MQAwcNrdkYRiR4o-2AOX1mBQQ4ujU5rl7VrXvY,7638
1284
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml,sha256=Vhgrvg2jj6ylgcvt0t7mYXwN-HGdqgyBgfrKZKn15dY,7765
1285
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_format.toml,sha256=uz9X-H7HP3QxysaU-unpwi1ToAfWrE0NV6izKGa279E,8440
1286
+ nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml,sha256=csdRkU95QB8Xh9LcBnsWt_U3PZhAIy92HzQkVZ1-31c,7799
1255
1287
  nldcsc_elastic_rules/rules/windows/defense_evasion_posh_process_injection.toml,sha256=8_uM7jgoKG-Va_IXEEYJziDf-YjDdKRnVOWi_x0yPUI,6831
1256
1288
  nldcsc_elastic_rules/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml,sha256=am79dz3gAQf4ByzAl7vlv9jEnROtTepQl17hraYTH5k,5851
1257
1289
  nldcsc_elastic_rules/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml,sha256=OjV5NTzP8zJbDst8ZBtqAogYc7q-iKrm5DBgX59SW-c,8423
@@ -1295,7 +1327,7 @@ nldcsc_elastic_rules/rules/windows/defense_evasion_workfolders_control_execution
1295
1327
  nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_bash_exec.toml,sha256=puYptvYAfibK6l9D9JFCiZLqdyEdcmZqiWNaDhU5cDY,7079
1296
1328
  nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_child_process.toml,sha256=oYFiLyUA-Tidjg_kykjJurLs4OFAQK0PjoqRJrvlP30,6694
1297
1329
  nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_enabled_via_dism.toml,sha256=UesneOswq1R7iocJo8vg9QLaxl88WgiTXKvj3KlLFjE,4790
1298
- nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_filesystem.toml,sha256=paHIABZd3o1aKb-ZLDYOxPxYVMT6ogdThiiYNJeiqPw,5641
1330
+ nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_filesystem.toml,sha256=fTbCy6hGMcd9jsaagXooFfzWDjAfuljjPltx2EJqL7U,5690
1299
1331
  nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_kalilinux.toml,sha256=7294lxGdAu9mtl33cvpYWPkgVkUPdqPuxw05IehmkFA,6609
1300
1332
  nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_registry_modification.toml,sha256=HOBOA2c-daK49hs6kOSFeCwiXuk-MF1yJrVGCJ7f0Ww,4979
1301
1333
  nldcsc_elastic_rules/rules/windows/discovery_active_directory_webservice.toml,sha256=eZHSHkw703rfmtDtdjCXfgOIFji3anbPm-RXPvAhHj4,6129
@@ -1336,7 +1368,7 @@ nldcsc_elastic_rules/rules/windows/execution_ms_office_written_file.toml,sha256=
1336
1368
  nldcsc_elastic_rules/rules/windows/execution_nodejs_susp_patterns.toml,sha256=uP8ICm99MNfB-aM5NRoqrT1lOpdNxP0GUbv2dSqoOB4,6096
1337
1369
  nldcsc_elastic_rules/rules/windows/execution_pdf_written_file.toml,sha256=098rzQC6ck864jO0ey8E4KkE0H6tzXNJ7PfwNgMp-xo,6087
1338
1370
  nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_authors.toml,sha256=nF3f5ZfGXOx_SDqVkbnEtZG7NxmNDZ208g_HCgk5ROQ,7347
1339
- nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_functions.toml,sha256=md9pah_plTv-C_KUXLQ9XsYlz2OWLinX4jR6YB89Jrw,18988
1371
+ nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_functions.toml,sha256=L-k96jZu4I0ThBltNwIsYUd9882m7EQ_6Ml9eqGjJcA,19045
1340
1372
  nldcsc_elastic_rules/rules/windows/execution_posh_malicious_script_agg.toml,sha256=Hg2d2tF7i3AsH8iHg2DeLt_uiGUOral-KxDvdQouOow,7881
1341
1373
  nldcsc_elastic_rules/rules/windows/execution_posh_portable_executable.toml,sha256=1c5RzfLHsb4LmNTIilvDgaZxru4_DOvWesmBvewvMxY,7999
1342
1374
  nldcsc_elastic_rules/rules/windows/execution_posh_psreflect.toml,sha256=UjH8AiNIE_1DYEgavEGqoY9qtIBEF40cgj7nJlMaAW8,9211
@@ -1351,7 +1383,7 @@ nldcsc_elastic_rules/rules/windows/execution_shared_modules_local_sxs_dll.toml,s
1351
1383
  nldcsc_elastic_rules/rules/windows/execution_suspicious_cmd_wmi.toml,sha256=-4Hoo7imXX8xOa6_S8vyRVgzGLrSFxs7WR4pBTFUpEI,6678
1352
1384
  nldcsc_elastic_rules/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml,sha256=oXZSLLYVYGDhKu4z2yv1-EGT3ncczzOtud0NE1EmRN0,6229
1353
1385
  nldcsc_elastic_rules/rules/windows/execution_suspicious_pdf_reader.toml,sha256=bR5Jv4nTWhGA98t69DzpaPnnGqn4WtGzC80oW1d3paI,6756
1354
- nldcsc_elastic_rules/rules/windows/execution_suspicious_powershell_imgload.toml,sha256=PAfMKWXaK25pV0A6-CMPKyHqHof245I3HEfJgqlE9T0,6644
1386
+ nldcsc_elastic_rules/rules/windows/execution_suspicious_powershell_imgload.toml,sha256=FPHDGVVqKw2DK-uT61Wk-UNuZQgWyzTfl_pnJlnreIw,6806
1355
1387
  nldcsc_elastic_rules/rules/windows/execution_suspicious_psexesvc.toml,sha256=ic2nrCsXMZniME32tkpy4HNMdo1-CTEqQ_04HofZmFE,4908
1356
1388
  nldcsc_elastic_rules/rules/windows/execution_via_compiled_html_file.toml,sha256=wdu_WI5h7QgX_3BspesTdTlszCl-G5nBfrIaLbMH7oc,8522
1357
1389
  nldcsc_elastic_rules/rules/windows/execution_via_hidden_shell_conhost.toml,sha256=A0XLi8MarYpc3HKALpWHwvxkUSzoMQJyloHhjHGI2Rk,6406
@@ -1359,13 +1391,13 @@ nldcsc_elastic_rules/rules/windows/execution_via_mmc_console_file_unusual_path.t
1359
1391
  nldcsc_elastic_rules/rules/windows/execution_windows_cmd_shell_susp_args.toml,sha256=d4VzL7AyXFmmQ8MJpyXJUNBB_LSAsn9-i3viQ6Qa8jg,10526
1360
1392
  nldcsc_elastic_rules/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml,sha256=30e8gROm412sQcxTLcZwS6BOTIgVne61ajBkvIF4aLU,5687
1361
1393
  nldcsc_elastic_rules/rules/windows/execution_windows_phish_clickfix.toml,sha256=mhz5fOI0RpiWb2FpH8f22si9HtL0wzfhSwWNRC2jaV0,5564
1362
- nldcsc_elastic_rules/rules/windows/execution_windows_powershell_susp_args.toml,sha256=kVLxv6X1_OTu3wpEUzF3jREsTTPScOYXSDavIro73LI,8623
1394
+ nldcsc_elastic_rules/rules/windows/execution_windows_powershell_susp_args.toml,sha256=BYPN5ii_BR0kE35OqXBHC3taT-07Gz4ajFUBA3VnQdE,8864
1363
1395
  nldcsc_elastic_rules/rules/windows/execution_windows_script_from_internet.toml,sha256=bYCGWdYdNAzfSV_7s0r19LLz7Xm4740Wzo4p3bgnOp4,7345
1364
1396
  nldcsc_elastic_rules/rules/windows/exfiltration_smb_rare_destination.toml,sha256=_wtLhQ8pARBL-l3mXfop7qSOblDv8jxXviSqPWCGEhs,6530
1365
1397
  nldcsc_elastic_rules/rules/windows/impact_backup_file_deletion.toml,sha256=2xNOIQuekfe6RxkxyYHG706ozcO_HcMlQc6An8xKR9U,5553
1366
1398
  nldcsc_elastic_rules/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml,sha256=1Od1FkY5Osw6bnVJVkMrmp7xQvm3uZYPnNtIuxAiHHM,4807
1367
1399
  nldcsc_elastic_rules/rules/windows/impact_high_freq_file_renames_by_kernel.toml,sha256=EcVXU0usKaWvgfrvkBPfObjNezuYzn4vl7GFX9pNGJc,4975
1368
- nldcsc_elastic_rules/rules/windows/impact_mod_critical_os_files.toml,sha256=XC4_wpBSJMD9T2lkaWNU19-lQMiRAEuwu4IyG2L3qQE,4214
1400
+ nldcsc_elastic_rules/rules/windows/impact_mod_critical_os_files.toml,sha256=W7odggYHI38fTaZ3OnY9NlTLHkQ1TJBRwb7oqYkX9Cc,4512
1369
1401
  nldcsc_elastic_rules/rules/windows/impact_modification_of_boot_config.toml,sha256=p_xQQaFrLRDa2y9GSyC2H-KDpP3f6xZVhQpW2ZVRr5s,4605
1370
1402
  nldcsc_elastic_rules/rules/windows/impact_ransomware_file_rename_smb.toml,sha256=yuOkSMN7HB0IG3yZ_K1g3OWIfU6B9mNdrpe3SKvMcA8,4744
1371
1403
  nldcsc_elastic_rules/rules/windows/impact_ransomware_note_file_over_smb.toml,sha256=HjYDFOX4vpan1X3ElPd4V1Qy-AdHOQSmAbfZflvIVsU,4625
@@ -1395,7 +1427,7 @@ nldcsc_elastic_rules/rules/windows/initial_access_webshell_screenconnect_server.
1395
1427
  nldcsc_elastic_rules/rules/windows/initial_access_xsl_script_execution_via_com.toml,sha256=NoSSCuAYQHs8QrjiLBQdGkE0YyLcqNHff2OlA9SzNW8,6533
1396
1428
  nldcsc_elastic_rules/rules/windows/lateral_movement_alternate_creds_pth.toml,sha256=qFnnTafyct_DTY8T7dDcTgztcIioPDTYkTdytfyzVmA,6014
1397
1429
  nldcsc_elastic_rules/rules/windows/lateral_movement_cmd_service.toml,sha256=9G94e6Y3KmSsquCqUFQMEOdRh6PlhxM31EQO5OnSLxQ,6500
1398
- nldcsc_elastic_rules/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml,sha256=LSpcZbrtQUaxzsNBJpoy0E9UrjrjQ-bq7QRsFW0tHM0,5466
1430
+ nldcsc_elastic_rules/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml,sha256=SPCDJeEpU8ZUxTiEJE47RilXU_8pOisAvGWKtFzcAfE,5798
1399
1431
  nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_hta.toml,sha256=gEpTvWudeoZStefuMe6tDmKibtQNtk_KhpeYWT7Br3U,6639
1400
1432
  nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_mmc20.toml,sha256=S1HB9Ld0M7TMSU3tjFbED_DemqNR7AKbj8tLveR5Cl8,6445
1401
1433
  nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml,sha256=_MIRxeTLGXDjHnYJQgGv5Da-MLcwffJ750sjz1quMlQ,6325
@@ -1415,7 +1447,7 @@ nldcsc_elastic_rules/rules/windows/lateral_movement_remote_file_copy_hidden_shar
1415
1447
  nldcsc_elastic_rules/rules/windows/lateral_movement_remote_service_installed_winlog.toml,sha256=XKrC5WwooOdlfknHVaa19T0voPxHslbZ09U6-Vlijis,7696
1416
1448
  nldcsc_elastic_rules/rules/windows/lateral_movement_remote_services.toml,sha256=u1u1CINBlmKFGbPHr-82QLnTzXgwX8YcnNQzQMoZrfI,9595
1417
1449
  nldcsc_elastic_rules/rules/windows/lateral_movement_remote_task_creation_winlog.toml,sha256=9adwBkanumF87DWPl5FqaXzWm-0muxS-mH_Gam3ZlK8,4112
1418
- nldcsc_elastic_rules/rules/windows/lateral_movement_scheduled_task_target.toml,sha256=Lc68YQgmB9uPms2zDD_bUcdFIGsnXDXWXBEUUKvKk-8,4768
1450
+ nldcsc_elastic_rules/rules/windows/lateral_movement_scheduled_task_target.toml,sha256=NfT5CX5OhIA1-ig74iS0ro3Q3ZiGN3vkgJtYyUZbEy0,4790
1419
1451
  nldcsc_elastic_rules/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml,sha256=ygBXLX6oPAfyi5CHQmQ0Ma3vGH3Y1jbxdt7vpa7bPsE,6706
1420
1452
  nldcsc_elastic_rules/rules/windows/lateral_movement_unusual_dns_service_children.toml,sha256=_zYzWEUS5w1MdYEPphXVJfUK5D1HlyNk7lo4vZ_zguc,6342
1421
1453
  nldcsc_elastic_rules/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml,sha256=oKkF_nhf1x63kCDYR7rNP3zSKlXcbuk2wl0E7OlAnO8,5880
@@ -1426,7 +1458,7 @@ nldcsc_elastic_rules/rules/windows/persistence_adobe_hijack_persistence.toml,sha
1426
1458
  nldcsc_elastic_rules/rules/windows/persistence_app_compat_shim.toml,sha256=7sny3AHhPTiCeo2R9IzRPcrbp2PlqkHjzmzt_iUzW2U,6838
1427
1459
  nldcsc_elastic_rules/rules/windows/persistence_appcertdlls_registry.toml,sha256=oqyEWPuHdLNTdM-lGMtWrFapC6MDIkDgKCWQQ2R2zqQ,6977
1428
1460
  nldcsc_elastic_rules/rules/windows/persistence_appinitdlls_registry.toml,sha256=6o_KRcTnOhbEwY2WdNXEdEZli9y9Dw8QtmV90Lr0jc8,9499
1429
- nldcsc_elastic_rules/rules/windows/persistence_browser_extension_install.toml,sha256=Is5Iv1kjagauttUHw_LrwNFcD4Kb3J09AnJzIyzrjrc,6019
1461
+ nldcsc_elastic_rules/rules/windows/persistence_browser_extension_install.toml,sha256=8x1eUWPkbYNThw-RQGbDTBH4V58eIUKzofO-M0d5bEw,6605
1430
1462
  nldcsc_elastic_rules/rules/windows/persistence_dontexpirepasswd_account.toml,sha256=AZXaI7PI9rdgkzslU1i6XrxQ0YJN6bHxapWQc22nRLU,5129
1431
1463
  nldcsc_elastic_rules/rules/windows/persistence_evasion_hidden_local_account_creation.toml,sha256=S_iyl_wqONlSR00uS_CGllonqvXpLPgS9iAUhXg7PQM,3930
1432
1464
  nldcsc_elastic_rules/rules/windows/persistence_evasion_registry_ifeo_injection.toml,sha256=gX-XC2BVe0whasBLIQXPPEKClZBC-KW9WoqDEVJ_K-I,7712
@@ -1438,7 +1470,7 @@ nldcsc_elastic_rules/rules/windows/persistence_local_scheduled_task_scripting.to
1438
1470
  nldcsc_elastic_rules/rules/windows/persistence_ms_office_addins_file.toml,sha256=cy3RyKwO4vdRodc3sw7ri0fMry5WyB0nmQCOjadPib8,6217
1439
1471
  nldcsc_elastic_rules/rules/windows/persistence_ms_outlook_vba_template.toml,sha256=JGPl37JjgEjnecyB8vsSk8UENi0UGuZhVs1iMPL7kY8,6049
1440
1472
  nldcsc_elastic_rules/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml,sha256=CDJsA_izN_TmjgRB12lzsVVd1ex1kA_b0R358MrSp_I,6418
1441
- nldcsc_elastic_rules/rules/windows/persistence_msi_installer_task_startup.toml,sha256=nuoCfbclQ1d4oufv8JYHXuCq9ywrlfxr5y-ZaqXdXLY,6963
1473
+ nldcsc_elastic_rules/rules/windows/persistence_msi_installer_task_startup.toml,sha256=C1FaVDWas9PgzmGdZiGaIwBVIIUHCGmTVCKXZACpcCw,9240
1442
1474
  nldcsc_elastic_rules/rules/windows/persistence_msoffice_startup_registry.toml,sha256=Z3eUPnDpSxQ5-Jl1WhGnVqYFI_tQBb-05xcxR2-wz98,6081
1443
1475
  nldcsc_elastic_rules/rules/windows/persistence_netsh_helper_dll.toml,sha256=y86NtRIlST2dtiOdIrw5PRjHghqbcd16Gzc36JJquQA,5914
1444
1476
  nldcsc_elastic_rules/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml,sha256=kL6Ogski61D2lOyolZk2mDYDERpIRds3ULpxmfWE1vg,6884
@@ -1467,7 +1499,7 @@ nldcsc_elastic_rules/rules/windows/persistence_temp_scheduled_task.toml,sha256=L
1467
1499
  nldcsc_elastic_rules/rules/windows/persistence_time_provider_mod.toml,sha256=mFCP4Yo4X0BGLgmJM9FeqsWvA8A9jZ0Yzq39jghrmTY,8067
1468
1500
  nldcsc_elastic_rules/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml,sha256=iVYIz72BHW2jNAZ4_QWsV93AHnTLfGJX60qbVd0imSg,4313
1469
1501
  nldcsc_elastic_rules/rules/windows/persistence_user_account_creation.toml,sha256=d34lugH0guU-EOL8YEpdmlm32Hk2ssMyVCCkbiqzA0M,3921
1470
- nldcsc_elastic_rules/rules/windows/persistence_via_application_shimming.toml,sha256=_Slt17cmSaiwYIolYz2khVm3aHId8_nHulm_exOo-Ww,6469
1502
+ nldcsc_elastic_rules/rules/windows/persistence_via_application_shimming.toml,sha256=sjEhC3FrjKbNCTYS--HOBHtj0FbfmXgLo6OV8D1tRBk,7195
1471
1503
  nldcsc_elastic_rules/rules/windows/persistence_via_bits_job_notify_command.toml,sha256=1RB-1YfPFvC-1rmAO_vYHeUb2FpCx18-SpFA9JEg_ng,6320
1472
1504
  nldcsc_elastic_rules/rules/windows/persistence_via_hidden_run_key_valuename.toml,sha256=PbVWdM15MMKTbPu6obodbM9VKlpU3w4_H7nlbRy84v4,7346
1473
1505
  nldcsc_elastic_rules/rules/windows/persistence_via_lsa_security_support_provider_registry.toml,sha256=LilCihIdWiHBu-r9N0bKxdXONXntkWxtn70crDt--_A,6962
@@ -1513,7 +1545,7 @@ nldcsc_elastic_rules/rules/windows/privilege_escalation_samaccountname_spoofing_
1513
1545
  nldcsc_elastic_rules/rules/windows/privilege_escalation_service_control_spawned_script_int.toml,sha256=ZreqoWddgjw4cKRpxSxjYDlXFIzr-QqtcmwsSPFbBOk,8019
1514
1546
  nldcsc_elastic_rules/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml,sha256=XdQS5q3CcyaXwnXg2-ICNqR_uKXDZPvwkGfpr8xpeMY,6765
1515
1547
  nldcsc_elastic_rules/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml,sha256=vZE6uCCgGpiOoyQFh8VNlqbb1Co1b-j_pGrAH8Mz1HQ,3617
1516
- nldcsc_elastic_rules/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml,sha256=3CwSw-oj6Ar3mfov3aAVXXWNBkjDVZ2r3obC01Fqyhw,7104
1548
+ nldcsc_elastic_rules/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml,sha256=nQwFtMkDIXKhxdobRJcOUbC-AbIABxduQqVbpJqaQ00,7329
1517
1549
  nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml,sha256=PhYC8BalSKrAuCZjRpnDQEoWOVf48VwuE9BjMEgfzmM,7485
1518
1550
  nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml,sha256=MBFTRYxAq_f1nveeFpm1a6HYnBGIecOwj2Vj4VnpQeQ,7580
1519
1551
  nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml,sha256=nOT_xIotEHyAvo6GvsMSiCS8J7ByCW4la_9K8qCcN8g,6912
@@ -1524,13 +1556,13 @@ nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_mock_windir.t
1524
1556
  nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml,sha256=ZctV6YJb52604KHgmkA678wgsQZUrqiCXLgUH2MGa5c,8539
1525
1557
  nldcsc_elastic_rules/rules/windows/privilege_escalation_unquoted_service_path.toml,sha256=KAz8Bu33Lgkvst8UsmPd8bhkCHcefmHb-F_Hz7lYC4c,6355
1526
1558
  nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml,sha256=_Axno6Ol0VTI3eJYhRjh2GkV7gvs__nwP2wcw_EZLn8,9841
1527
- nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml,sha256=xgLdwnORlQSHRhlao3HAwiiLGlZXgCQmGD2SR7L_c1k,7616
1559
+ nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml,sha256=PmbNzQ7Bp3siV1IJTolLocvYIfjNTEK8iodgGDTtoCc,8592
1528
1560
  nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml,sha256=u_TLhyqMmCF4HBw0EYYk_DbEPO99haj9K5CbY-p0YvE,7828
1529
- nldcsc_elastic_rules/rules/windows/privilege_escalation_via_ppid_spoofing.toml,sha256=WKPQwNhpDJeqZnlMCfZ-NKc0Xi5in0dwv5vrZWaNgCo,9811
1561
+ nldcsc_elastic_rules/rules/windows/privilege_escalation_via_ppid_spoofing.toml,sha256=9DQ5eeYr8aSwr8bwJSyjOggjxo5soeQmqkA38k_bdTY,9880
1530
1562
  nldcsc_elastic_rules/rules/windows/privilege_escalation_via_rogue_named_pipe.toml,sha256=pUlGQseYyqX77bUWbD5nDMAs8T6-rgPh5uECXrKjS8E,6176
1531
1563
  nldcsc_elastic_rules/rules/windows/privilege_escalation_via_token_theft.toml,sha256=9_pNHTlUhFvwPCoWOw7yCIC6PBqSinWldm6zgipznL0,9459
1532
1564
  nldcsc_elastic_rules/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml,sha256=Qfi-w1KpA3dLyZ_s0xc3vZOey9IasOKirk-C3JPzRkw,7502
1533
- nldcsc_elastic_rules-0.0.8.dist-info/METADATA,sha256=TEZYRaEOp86-OBDuK0bwCcke6IrSiJoIJCzbLENfbqA,64
1534
- nldcsc_elastic_rules-0.0.8.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
1535
- nldcsc_elastic_rules-0.0.8.dist-info/top_level.txt,sha256=2ua0gPWflzV4D32kz6ZXXok1H-0wJVI2Scdm_qmNsrM,21
1536
- nldcsc_elastic_rules-0.0.8.dist-info/RECORD,,
1565
+ nldcsc_elastic_rules-0.0.16.dist-info/METADATA,sha256=2DdMxEDYvymI5MZGi-qk-x0pLaWgGyjQlXzJvkQnLZs,65
1566
+ nldcsc_elastic_rules-0.0.16.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
1567
+ nldcsc_elastic_rules-0.0.16.dist-info/top_level.txt,sha256=2ua0gPWflzV4D32kz6ZXXok1H-0wJVI2Scdm_qmNsrM,21
1568
+ nldcsc_elastic_rules-0.0.16.dist-info/RECORD,,