nldcsc-elastic-rules 0.0.8__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- nldcsc_elastic_rules/__init__.py +1 -0
- nldcsc_elastic_rules/rules/README.md +31 -0
- nldcsc_elastic_rules/rules/_deprecated/apm_null_user_agent.toml +49 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml +85 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_dns_directly_to_the_internet.toml +85 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml +77 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml +76 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_linux_iodine_activity.toml +60 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml +110 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_port_8000_activity_to_the_internet.toml +63 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml +46 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_proxy_port_activity_to_the_internet.toml +66 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_smtp_to_the_internet.toml +73 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_sql_server_port_activity_to_the_internet.toml +62 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml +89 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet.toml +64 -0
- nldcsc_elastic_rules/rules/_deprecated/command_and_control_tor_activity_to_the_internet.toml +69 -0
- nldcsc_elastic_rules/rules/_deprecated/container_workload_protection.toml +78 -0
- nldcsc_elastic_rules/rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml +101 -0
- nldcsc_elastic_rules/rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml +144 -0
- nldcsc_elastic_rules/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml +121 -0
- nldcsc_elastic_rules/rules/_deprecated/credential_access_microsoft_365_potential_password_spraying_attack.toml +61 -0
- nldcsc_elastic_rules/rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml +104 -0
- nldcsc_elastic_rules/rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml +109 -0
- nldcsc_elastic_rules/rules/_deprecated/credential_access_tcpdump_activity.toml +61 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml +51 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_code_injection_conhost.toml +106 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml +47 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml +50 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml +137 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml +96 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_mshta_making_network_connections.toml +51 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_potential_processherpaderping.toml +59 -0
- nldcsc_elastic_rules/rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml +102 -0
- nldcsc_elastic_rules/rules/_deprecated/discovery_file_dir_discovery.toml +95 -0
- nldcsc_elastic_rules/rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml +45 -0
- nldcsc_elastic_rules/rules/_deprecated/discovery_query_registry_via_reg.toml +44 -0
- nldcsc_elastic_rules/rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml +129 -0
- nldcsc_elastic_rules/rules/_deprecated/discovery_whoami_commmand.toml +48 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_apt_binary.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_awk_binary_shell.toml +51 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_busybox_binary.toml +50 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_c89_c99_binary.toml +52 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_command_shell_started_by_powershell.toml +45 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_container_management_binary_launched_inside_a_container.toml +100 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_cpulimit_binary.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_crash_binary.toml +50 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_env_binary.toml +50 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_expect_binary.toml +52 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml +113 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_find_binary.toml +52 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_flock_binary.toml +50 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_gcc_binary.toml +52 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_interactive_exec_to_container.toml +127 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml +109 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_linux_process_started_in_temp_directory.toml +48 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_mysql_binary.toml +52 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml +114 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_reverse_shell_via_named_pipe.toml +74 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml +111 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_ssh_binary.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_suspicious_jar_child_process.toml +113 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_vi_binary.toml +50 -0
- nldcsc_elastic_rules/rules/_deprecated/execution_via_net_com_assemblies.toml +55 -0
- nldcsc_elastic_rules/rules/_deprecated/exfiltration_ec2_snapshot_change_activity.toml +111 -0
- nldcsc_elastic_rules/rules/_deprecated/exfiltration_rds_snapshot_export.toml +47 -0
- nldcsc_elastic_rules/rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml +87 -0
- nldcsc_elastic_rules/rules/_deprecated/impact_virtual_network_device_modified.toml +96 -0
- nldcsc_elastic_rules/rules/_deprecated/initial_access_cross_site_scripting.toml +49 -0
- nldcsc_elastic_rules/rules/_deprecated/initial_access_login_failures.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/initial_access_login_location.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/initial_access_login_sessions.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/initial_access_login_time.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml +81 -0
- nldcsc_elastic_rules/rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml +127 -0
- nldcsc_elastic_rules/rules/_deprecated/lateral_movement_malicious_remote_file_creation.toml +46 -0
- nldcsc_elastic_rules/rules/_deprecated/lateral_movement_remote_file_creation_in_sensitive_directory.toml +60 -0
- nldcsc_elastic_rules/rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml +122 -0
- nldcsc_elastic_rules/rules/_deprecated/linux_mknod_activity.toml +37 -0
- nldcsc_elastic_rules/rules/_deprecated/linux_nmap_activity.toml +37 -0
- nldcsc_elastic_rules/rules/_deprecated/linux_socat_activity.toml +36 -0
- nldcsc_elastic_rules/rules/_deprecated/persistence_cron_jobs_creation_and_runtime.toml +58 -0
- nldcsc_elastic_rules/rules/_deprecated/persistence_etc_file_creation.toml +271 -0
- nldcsc_elastic_rules/rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml +85 -0
- nldcsc_elastic_rules/rules/_deprecated/persistence_kernel_module_activity.toml +53 -0
- nldcsc_elastic_rules/rules/_deprecated/persistence_shell_activity_by_web_server.toml +101 -0
- nldcsc_elastic_rules/rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml +126 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml +99 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml +51 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml +75 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_linux_strace_activity.toml +50 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_mount_launched_inside_a_privileged_container.toml +98 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml +99 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml +98 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_printspooler_malicious_driver_file_changes.toml +51 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_printspooler_malicious_registry_modification.toml +50 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_root_login_without_mfa.toml +104 -0
- nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml +56 -0
- nldcsc_elastic_rules/rules/_deprecated/threat_intel_filebeat7x.toml +191 -0
- nldcsc_elastic_rules/rules/_deprecated/threat_intel_filebeat8x.toml +192 -0
- nldcsc_elastic_rules/rules/_deprecated/threat_intel_fleet_integrations.toml +192 -0
- nldcsc_elastic_rules/rules/apm/apm_403_response_to_a_post.toml +69 -0
- nldcsc_elastic_rules/rules/apm/apm_405_response_method_not_allowed.toml +69 -0
- nldcsc_elastic_rules/rules/apm/apm_sqlmap_user_agent.toml +70 -0
- nldcsc_elastic_rules/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml +102 -0
- nldcsc_elastic_rules/rules/cross-platform/command_and_control_non_standard_ssh_port.toml +106 -0
- nldcsc_elastic_rules/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml +76 -0
- nldcsc_elastic_rules/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml +85 -0
- nldcsc_elastic_rules/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +116 -0
- nldcsc_elastic_rules/rules/cross-platform/credential_access_forced_authentication_pipes.toml +112 -0
- nldcsc_elastic_rules/rules/cross-platform/credential_access_trufflehog_execution.toml +97 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml +81 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +87 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +99 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +111 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +117 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml +98 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +107 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_timestomp_touch.toml +102 -0
- nldcsc_elastic_rules/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml +130 -0
- nldcsc_elastic_rules/rules/cross-platform/discovery_security_software_grep.toml +140 -0
- nldcsc_elastic_rules/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +102 -0
- nldcsc_elastic_rules/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml +166 -0
- nldcsc_elastic_rules/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml +99 -0
- nldcsc_elastic_rules/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml +87 -0
- nldcsc_elastic_rules/rules/cross-platform/execution_potential_widespread_malware_infection.toml +92 -0
- nldcsc_elastic_rules/rules/cross-platform/execution_revershell_via_shell_cmd.toml +102 -0
- nldcsc_elastic_rules/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml +132 -0
- nldcsc_elastic_rules/rules/cross-platform/guided_onboarding_sample_rule.toml +80 -0
- nldcsc_elastic_rules/rules/cross-platform/impact_hosts_file_modified.toml +119 -0
- nldcsc_elastic_rules/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml +137 -0
- nldcsc_elastic_rules/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml +117 -0
- nldcsc_elastic_rules/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +85 -0
- nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_different_tactics_host.toml +79 -0
- nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_edr_elastic_defend_by_host.toml +97 -0
- nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml +105 -0
- nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml +82 -0
- nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_involving_user.toml +82 -0
- nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_risky_host_esql.toml +105 -0
- nldcsc_elastic_rules/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml +141 -0
- nldcsc_elastic_rules/rules/cross-platform/persistence_shell_profile_modification.toml +107 -0
- nldcsc_elastic_rules/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml +144 -0
- nldcsc_elastic_rules/rules/cross-platform/persistence_web_server_potential_command_injection.toml +228 -0
- nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml +90 -0
- nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +113 -0
- nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +105 -0
- nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml +91 -0
- nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml +121 -0
- nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml +107 -0
- nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml +127 -0
- nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml +165 -0
- nldcsc_elastic_rules/rules/integrations/aws/NOTICE.txt +26 -0
- nldcsc_elastic_rules/rules/integrations/aws/collection_cloudtrail_logging_created.toml +124 -0
- nldcsc_elastic_rules/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml +186 -0
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml +121 -0
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +134 -0
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml +144 -0
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml +156 -0
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml +128 -0
- nldcsc_elastic_rules/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml +152 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +120 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml +126 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +121 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml +174 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml +129 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml +119 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml +153 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_rds_instance_restored.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml +179 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml +201 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml +152 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml +171 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml +134 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml +118 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml +141 -0
- nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml +135 -0
- nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml +155 -0
- nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml +152 -0
- nldcsc_elastic_rules/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml +139 -0
- nldcsc_elastic_rules/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml +125 -0
- nldcsc_elastic_rules/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml +119 -0
- nldcsc_elastic_rules/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml +138 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml +133 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml +115 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml +150 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_export_task.toml +154 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml +185 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml +108 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +88 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml +194 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml +188 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml +93 -0
- nldcsc_elastic_rules/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml +155 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml +152 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_cloudtrail_logging_updated.toml +137 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +202 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +189 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml +156 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml +147 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +167 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_iam_group_deletion.toml +119 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_rds_group_deletion.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_rds_snapshot_deleted.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml +155 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml +139 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml +126 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_versioning_disabled.toml +153 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml +154 -0
- nldcsc_elastic_rules/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml +143 -0
- nldcsc_elastic_rules/rules/integrations/aws/initial_access_console_login_root.toml +165 -0
- nldcsc_elastic_rules/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml +225 -0
- nldcsc_elastic_rules/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml +89 -0
- nldcsc_elastic_rules/rules/integrations/aws/initial_access_password_recovery.toml +137 -0
- nldcsc_elastic_rules/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml +131 -0
- nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml +123 -0
- nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml +141 -0
- nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml +206 -0
- nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml +190 -0
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +114 -0
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +118 -0
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +118 -0
- nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml +171 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_ec2_network_acl_creation.toml +133 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml +151 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +144 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml +173 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml +167 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml +142 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_group_creation.toml +136 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml +176 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml +169 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +215 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_cluster_creation.toml +110 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_group_creation.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_creation.toml +90 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_made_public.toml +110 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_redshift_instance_creation.toml +93 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_route_table_created.toml +123 -0
- nldcsc_elastic_rules/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml +162 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml +176 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml +173 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml +180 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +140 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml +163 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml +139 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +158 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +146 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml +170 -0
- nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml +176 -0
- nldcsc_elastic_rules/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml +169 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml +109 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml +109 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml +118 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml +122 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml +108 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml +108 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml +108 -0
- nldcsc_elastic_rules/rules/integrations/azure/collection_azure_storage_account_blob_public_access_enabled.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml +131 -0
- nldcsc_elastic_rules/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml +122 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml +164 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml +179 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml +193 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml +142 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml +129 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml +255 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml +137 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml +265 -0
- nldcsc_elastic_rules/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml +83 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml +128 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_event_hub_deletion.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_suppression_rule_created.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/azure/discovery_blob_container_access_mod.toml +112 -0
- nldcsc_elastic_rules/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml +171 -0
- nldcsc_elastic_rules/rules/integrations/azure/discovery_teamfiltration_user_agents_detected.toml +173 -0
- nldcsc_elastic_rules/rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml +92 -0
- nldcsc_elastic_rules/rules/integrations/azure/execution_command_virtual_machine.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml +121 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_azure_compute_restore_point_collection_deleted.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_azure_compute_restore_point_collections_deleted.toml +132 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml +132 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml +136 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_azure_key_vault_modified.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_azure_storage_account_deletion.toml +110 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml +115 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/azure/impact_resource_group_deletion.toml +110 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml +125 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml +224 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml +134 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml +124 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml +167 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml +146 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml +190 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml +187 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml +232 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml +145 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml +133 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml +148 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml +153 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_external_guest_user_invite.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_first_time_seen_device_code_auth.toml +140 -0
- nldcsc_elastic_rules/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml +143 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_application_credential_modification.toml +104 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_automation_account_created.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_automation_webhook_created.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml +114 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml +104 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +152 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +138 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_service_principal_created.toml +120 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_update_event_hub_auth_rule.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml +93 -0
- nldcsc_elastic_rules/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml +110 -0
- nldcsc_elastic_rules/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/beaconing/command_and_control_beaconing.toml +113 -0
- nldcsc_elastic_rules/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml +108 -0
- nldcsc_elastic_rules/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml +70 -0
- nldcsc_elastic_rules/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +73 -0
- nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +109 -0
- nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml +168 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml +167 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/elastic_endpoint_security.toml +126 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml +134 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml +135 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml +159 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml +159 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml +145 -0
- nldcsc_elastic_rules/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml +146 -0
- nldcsc_elastic_rules/rules/integrations/fim/persistence_suspicious_file_modifications.toml +316 -0
- nldcsc_elastic_rules/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_service_account_deleted.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_service_account_disabled.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml +87 -0
- nldcsc_elastic_rules/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_service_account_created.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml +90 -0
- nldcsc_elastic_rules/rules/integrations/github/execution_github_app_deleted.toml +80 -0
- nldcsc_elastic_rules/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml +93 -0
- nldcsc_elastic_rules/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml +88 -0
- nldcsc_elastic_rules/rules/integrations/github/execution_new_github_app_installed.toml +85 -0
- nldcsc_elastic_rules/rules/integrations/github/impact_github_repository_deleted.toml +84 -0
- nldcsc_elastic_rules/rules/integrations/github/persistence_github_org_owner_added.toml +90 -0
- nldcsc_elastic_rules/rules/integrations/github/persistence_organization_owner_role_granted.toml +88 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml +119 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml +119 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml +120 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +125 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml +118 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml +133 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml +126 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml +76 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +112 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +122 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +112 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml +134 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml +116 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +125 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml +117 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml +124 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml +119 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml +124 -0
- nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml +113 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/defense_evasion_events_deleted.toml +85 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/discovery_denied_service_account_request.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/execution_forbidden_creation_request.toml +80 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml +77 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml +87 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/execution_user_exec_to_pod.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml +104 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml +114 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml +114 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml +129 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml +104 -0
- nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml +146 -0
- nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml +195 -0
- nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +130 -0
- nldcsc_elastic_rules/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml +122 -0
- nldcsc_elastic_rules/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml +155 -0
- nldcsc_elastic_rules/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml +181 -0
- nldcsc_elastic_rules/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml +140 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml +165 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml +93 -0
- nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml +91 -0
- nldcsc_elastic_rules/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +91 -0
- nldcsc_elastic_rules/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml +92 -0
- nldcsc_elastic_rules/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml +93 -0
- nldcsc_elastic_rules/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml +84 -0
- nldcsc_elastic_rules/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml +132 -0
- nldcsc_elastic_rules/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml +131 -0
- nldcsc_elastic_rules/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml +120 -0
- nldcsc_elastic_rules/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml +154 -0
- nldcsc_elastic_rules/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml +87 -0
- nldcsc_elastic_rules/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml +104 -0
- nldcsc_elastic_rules/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml +140 -0
- nldcsc_elastic_rules/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml +91 -0
- nldcsc_elastic_rules/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml +128 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml +120 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +110 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml +143 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml +141 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml +113 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml +146 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml +115 -0
- nldcsc_elastic_rules/rules/integrations/okta/credential_access_user_impersonation_access.toml +82 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml +114 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +123 -0
- nldcsc_elastic_rules/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml +87 -0
- nldcsc_elastic_rules/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +91 -0
- nldcsc_elastic_rules/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml +97 -0
- nldcsc_elastic_rules/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml +93 -0
- nldcsc_elastic_rules/rules/integrations/okta/impact_possible_okta_dos_attack.toml +96 -0
- nldcsc_elastic_rules/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml +89 -0
- nldcsc_elastic_rules/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml +80 -0
- nldcsc_elastic_rules/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml +95 -0
- nldcsc_elastic_rules/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +110 -0
- nldcsc_elastic_rules/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml +121 -0
- nldcsc_elastic_rules/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml +104 -0
- nldcsc_elastic_rules/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +129 -0
- nldcsc_elastic_rules/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml +113 -0
- nldcsc_elastic_rules/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml +67 -0
- nldcsc_elastic_rules/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml +100 -0
- nldcsc_elastic_rules/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml +98 -0
- nldcsc_elastic_rules/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml +94 -0
- nldcsc_elastic_rules/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +99 -0
- nldcsc_elastic_rules/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml +103 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml +111 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml +108 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml +121 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml +102 -0
- nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml +101 -0
- nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml +105 -0
- nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml +107 -0
- nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml +118 -0
- nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml +118 -0
- nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml +106 -0
- nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml +108 -0
- nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml +108 -0
- nldcsc_elastic_rules/rules/linux/collection_linux_clipboard_activity.toml +95 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml +92 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_cat_network_activity.toml +179 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml +154 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_curl_socks_proxy_detected.toml +130 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml +116 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml +162 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml +124 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_ip_forwarding_activity.toml +99 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_kubectl_networking_modification.toml +134 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_linux_chisel_client_activity.toml +174 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_linux_chisel_server_activity.toml +175 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_linux_kworker_netcon.toml +155 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_linux_proxychains_activity.toml +153 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml +147 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +183 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +193 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml +124 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +228 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_telegram_api_request.toml +125 -0
- nldcsc_elastic_rules/rules/linux/command_and_control_tunneling_via_earthworm.toml +189 -0
- nldcsc_elastic_rules/rules/linux/credential_access_aws_creds_search_inside_container.toml +118 -0
- nldcsc_elastic_rules/rules/linux/credential_access_collection_sensitive_files.toml +188 -0
- nldcsc_elastic_rules/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml +135 -0
- nldcsc_elastic_rules/rules/linux/credential_access_credential_dumping.toml +126 -0
- nldcsc_elastic_rules/rules/linux/credential_access_gdb_init_process_hooking.toml +124 -0
- nldcsc_elastic_rules/rules/linux/credential_access_gdb_process_hooking.toml +105 -0
- nldcsc_elastic_rules/rules/linux/credential_access_gh_auth_via_nodejs.toml +97 -0
- nldcsc_elastic_rules/rules/linux/credential_access_kubernetes_service_account_secret_access.toml +144 -0
- nldcsc_elastic_rules/rules/linux/credential_access_manual_memory_dumping.toml +128 -0
- nldcsc_elastic_rules/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +118 -0
- nldcsc_elastic_rules/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +117 -0
- nldcsc_elastic_rules/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +113 -0
- nldcsc_elastic_rules/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +136 -0
- nldcsc_elastic_rules/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +135 -0
- nldcsc_elastic_rules/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +117 -0
- nldcsc_elastic_rules/rules/linux/credential_access_proc_credential_dumping.toml +132 -0
- nldcsc_elastic_rules/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml +119 -0
- nldcsc_elastic_rules/rules/linux/credential_access_ssh_backdoor_log.toml +174 -0
- nldcsc_elastic_rules/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml +100 -0
- nldcsc_elastic_rules/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml +212 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_acl_modification_via_setfacl.toml +105 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml +127 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +133 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +140 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_authorized_keys_file_deletion.toml +119 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +143 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_base64_decoding_activity.toml +203 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +156 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_busybox_indirect_shell_spawn.toml +139 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_chattr_immutable_file.toml +140 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +134 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml +99 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml +189 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_directory_creation_in_bin.toml +133 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_disable_apparmor_attempt.toml +133 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_disable_selinux_attempt.toml +139 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml +117 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_dynamic_linker_file_creation.toml +162 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +133 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_file_deletion_via_shred.toml +124 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_file_mod_writable_dir.toml +138 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml +143 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml +159 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_hidden_directory_creation.toml +141 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +148 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_hidden_shared_object.toml +133 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_interactive_shell_from_system_user.toml +135 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml +156 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_journalctl_clear_logs.toml +132 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_kernel_module_removal.toml +153 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_kill_command_executed.toml +151 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_kthreadd_masquerading.toml +130 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_ld_preload_cmdline.toml +164 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_ld_so_creation.toml +161 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_log_files_deleted.toml +151 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_mount_execution.toml +127 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml +163 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_potential_kubectl_impersonation.toml +158 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_potential_kubectl_masquerading.toml +155 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_potential_proot_exploits.toml +124 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_prctl_process_name_tampering.toml +121 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_rename_esxi_files.toml +120 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_rename_esxi_index_file.toml +119 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_root_certificate_installation.toml +130 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml +120 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_ssl_certificate_deletion.toml +134 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +97 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_suspicious_path_mounted.toml +113 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml +115 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml +129 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_unsual_kill_signal.toml +108 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_unusual_preload_env_vars.toml +152 -0
- nldcsc_elastic_rules/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +153 -0
- nldcsc_elastic_rules/rules/linux/discovery_docker_socket_discovery.toml +128 -0
- nldcsc_elastic_rules/rules/linux/discovery_dynamic_linker_via_od.toml +126 -0
- nldcsc_elastic_rules/rules/linux/discovery_esxi_software_via_find.toml +125 -0
- nldcsc_elastic_rules/rules/linux/discovery_esxi_software_via_grep.toml +125 -0
- nldcsc_elastic_rules/rules/linux/discovery_kernel_module_enumeration.toml +134 -0
- nldcsc_elastic_rules/rules/linux/discovery_kernel_seeking.toml +127 -0
- nldcsc_elastic_rules/rules/linux/discovery_kernel_unpacking.toml +126 -0
- nldcsc_elastic_rules/rules/linux/discovery_kubeconfig_file_discovery.toml +141 -0
- nldcsc_elastic_rules/rules/linux/discovery_kubectl_permission_discovery.toml +117 -0
- nldcsc_elastic_rules/rules/linux/discovery_linux_hping_activity.toml +141 -0
- nldcsc_elastic_rules/rules/linux/discovery_linux_nping_activity.toml +141 -0
- nldcsc_elastic_rules/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml +117 -0
- nldcsc_elastic_rules/rules/linux/discovery_pam_version_discovery.toml +152 -0
- nldcsc_elastic_rules/rules/linux/discovery_ping_sweep_detected.toml +122 -0
- nldcsc_elastic_rules/rules/linux/discovery_polkit_version_discovery.toml +117 -0
- nldcsc_elastic_rules/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml +156 -0
- nldcsc_elastic_rules/rules/linux/discovery_private_key_password_searching_activity.toml +114 -0
- nldcsc_elastic_rules/rules/linux/discovery_proc_maps_read.toml +116 -0
- nldcsc_elastic_rules/rules/linux/discovery_process_capabilities.toml +114 -0
- nldcsc_elastic_rules/rules/linux/discovery_pspy_process_monitoring_detected.toml +116 -0
- nldcsc_elastic_rules/rules/linux/discovery_security_file_access_via_common_utility.toml +122 -0
- nldcsc_elastic_rules/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml +137 -0
- nldcsc_elastic_rules/rules/linux/discovery_sudo_allowed_command_enumeration.toml +119 -0
- nldcsc_elastic_rules/rules/linux/discovery_suid_sguid_enumeration.toml +142 -0
- nldcsc_elastic_rules/rules/linux/discovery_suspicious_memory_grep_activity.toml +96 -0
- nldcsc_elastic_rules/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml +147 -0
- nldcsc_elastic_rules/rules/linux/discovery_suspicious_which_command_execution.toml +97 -0
- nldcsc_elastic_rules/rules/linux/discovery_unusual_user_enumeration_via_id.toml +114 -0
- nldcsc_elastic_rules/rules/linux/discovery_virtual_machine_fingerprinting.toml +136 -0
- nldcsc_elastic_rules/rules/linux/discovery_yum_dnf_plugin_detection.toml +122 -0
- nldcsc_elastic_rules/rules/linux/execution_abnormal_process_id_file_created.toml +160 -0
- nldcsc_elastic_rules/rules/linux/execution_container_management_binary_launched_inside_container.toml +118 -0
- nldcsc_elastic_rules/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml +134 -0
- nldcsc_elastic_rules/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml +138 -0
- nldcsc_elastic_rules/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml +145 -0
- nldcsc_elastic_rules/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml +161 -0
- nldcsc_elastic_rules/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +135 -0
- nldcsc_elastic_rules/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml +112 -0
- nldcsc_elastic_rules/rules/linux/execution_executable_stack_execution.toml +107 -0
- nldcsc_elastic_rules/rules/linux/execution_file_execution_followed_by_deletion.toml +125 -0
- nldcsc_elastic_rules/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml +128 -0
- nldcsc_elastic_rules/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +163 -0
- nldcsc_elastic_rules/rules/linux/execution_interpreter_tty_upgrade.toml +127 -0
- nldcsc_elastic_rules/rules/linux/execution_kubectl_apply_pod_from_url.toml +123 -0
- nldcsc_elastic_rules/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml +148 -0
- nldcsc_elastic_rules/rules/linux/execution_nc_listener_via_rlwrap.toml +133 -0
- nldcsc_elastic_rules/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +130 -0
- nldcsc_elastic_rules/rules/linux/execution_network_event_post_compilation.toml +132 -0
- nldcsc_elastic_rules/rules/linux/execution_perl_tty_shell.toml +123 -0
- nldcsc_elastic_rules/rules/linux/execution_potential_hack_tool_executed.toml +135 -0
- nldcsc_elastic_rules/rules/linux/execution_potentially_overly_permissive_container_creation.toml +144 -0
- nldcsc_elastic_rules/rules/linux/execution_process_backgrounded_by_unusual_parent.toml +152 -0
- nldcsc_elastic_rules/rules/linux/execution_process_started_from_process_id_file.toml +101 -0
- nldcsc_elastic_rules/rules/linux/execution_process_started_in_shared_memory_directory.toml +128 -0
- nldcsc_elastic_rules/rules/linux/execution_python_tty_shell.toml +121 -0
- nldcsc_elastic_rules/rules/linux/execution_python_webserver_spawned.toml +142 -0
- nldcsc_elastic_rules/rules/linux/execution_remote_code_execution_via_postgresql.toml +126 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_evasion_linux_binary.toml +213 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_openssl_client_or_server.toml +136 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_via_background_process.toml +137 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_via_child_tcp_utility_linux.toml +139 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_via_java_revshell_linux.toml +143 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +154 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_via_meterpreter_linux.toml +148 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_via_suspicious_binary.toml +147 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +137 -0
- nldcsc_elastic_rules/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +157 -0
- nldcsc_elastic_rules/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +139 -0
- nldcsc_elastic_rules/rules/linux/execution_suspicious_executable_running_system_commands.toml +139 -0
- nldcsc_elastic_rules/rules/linux/execution_suspicious_mining_process_creation_events.toml +117 -0
- nldcsc_elastic_rules/rules/linux/execution_suspicious_mkfifo_execution.toml +138 -0
- nldcsc_elastic_rules/rules/linux/execution_system_binary_file_permission_change.toml +118 -0
- nldcsc_elastic_rules/rules/linux/execution_tc_bpf_filter.toml +124 -0
- nldcsc_elastic_rules/rules/linux/execution_unix_socket_communication.toml +109 -0
- nldcsc_elastic_rules/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +126 -0
- nldcsc_elastic_rules/rules/linux/execution_unusual_interactive_process_inside_container.toml +87 -0
- nldcsc_elastic_rules/rules/linux/execution_unusual_kthreadd_execution.toml +141 -0
- nldcsc_elastic_rules/rules/linux/execution_unusual_path_invocation_from_command_line.toml +145 -0
- nldcsc_elastic_rules/rules/linux/execution_unusual_pkexec_execution.toml +152 -0
- nldcsc_elastic_rules/rules/linux/exfiltration_potential_curl_data_exfiltration.toml +126 -0
- nldcsc_elastic_rules/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml +131 -0
- nldcsc_elastic_rules/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml +130 -0
- nldcsc_elastic_rules/rules/linux/impact_data_encrypted_via_openssl.toml +118 -0
- nldcsc_elastic_rules/rules/linux/impact_esxi_process_kill.toml +116 -0
- nldcsc_elastic_rules/rules/linux/impact_memory_swap_modification.toml +144 -0
- nldcsc_elastic_rules/rules/linux/impact_potential_bruteforce_malware_infection.toml +178 -0
- nldcsc_elastic_rules/rules/linux/impact_potential_linux_ransomware_note_detected.toml +123 -0
- nldcsc_elastic_rules/rules/linux/impact_process_kill_threshold.toml +111 -0
- nldcsc_elastic_rules/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml +144 -0
- nldcsc_elastic_rules/rules/linux/initial_access_first_time_public_key_authentication.toml +118 -0
- nldcsc_elastic_rules/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml +111 -0
- nldcsc_elastic_rules/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml +95 -0
- nldcsc_elastic_rules/rules/linux/lateral_movement_kubeconfig_file_activity.toml +155 -0
- nldcsc_elastic_rules/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml +141 -0
- nldcsc_elastic_rules/rules/linux/lateral_movement_ssh_it_worm_download.toml +141 -0
- nldcsc_elastic_rules/rules/linux/lateral_movement_ssh_process_launched_inside_container.toml +138 -0
- nldcsc_elastic_rules/rules/linux/lateral_movement_telnet_network_activity_external.toml +138 -0
- nldcsc_elastic_rules/rules/linux/lateral_movement_telnet_network_activity_internal.toml +139 -0
- nldcsc_elastic_rules/rules/linux/lateral_movement_unusual_remote_file_creation.toml +148 -0
- nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_execution.toml +166 -0
- nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_file_creation.toml +163 -0
- nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_netcon.toml +159 -0
- nldcsc_elastic_rules/rules/linux/persistence_at_job_creation.toml +171 -0
- nldcsc_elastic_rules/rules/linux/persistence_boot_file_copy.toml +156 -0
- nldcsc_elastic_rules/rules/linux/persistence_bpf_probe_write_user.toml +121 -0
- nldcsc_elastic_rules/rules/linux/persistence_chkconfig_service_add.toml +203 -0
- nldcsc_elastic_rules/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +229 -0
- nldcsc_elastic_rules/rules/linux/persistence_cron_job_creation.toml +269 -0
- nldcsc_elastic_rules/rules/linux/persistence_dbus_service_creation.toml +158 -0
- nldcsc_elastic_rules/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml +149 -0
- nldcsc_elastic_rules/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml +164 -0
- nldcsc_elastic_rules/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml +152 -0
- nldcsc_elastic_rules/rules/linux/persistence_dpkg_unusual_execution.toml +147 -0
- nldcsc_elastic_rules/rules/linux/persistence_dracut_module_creation.toml +166 -0
- nldcsc_elastic_rules/rules/linux/persistence_dynamic_linker_backup.toml +197 -0
- nldcsc_elastic_rules/rules/linux/persistence_extract_initramfs_via_cpio.toml +137 -0
- nldcsc_elastic_rules/rules/linux/persistence_git_hook_execution.toml +152 -0
- nldcsc_elastic_rules/rules/linux/persistence_git_hook_file_creation.toml +164 -0
- nldcsc_elastic_rules/rules/linux/persistence_git_hook_netcon.toml +159 -0
- nldcsc_elastic_rules/rules/linux/persistence_git_hook_process_execution.toml +170 -0
- nldcsc_elastic_rules/rules/linux/persistence_grub_configuration_creation.toml +145 -0
- nldcsc_elastic_rules/rules/linux/persistence_grub_makeconfig.toml +130 -0
- nldcsc_elastic_rules/rules/linux/persistence_init_d_file_creation.toml +194 -0
- nldcsc_elastic_rules/rules/linux/persistence_insmod_kernel_module_load.toml +196 -0
- nldcsc_elastic_rules/rules/linux/persistence_kde_autostart_modification.toml +246 -0
- nldcsc_elastic_rules/rules/linux/persistence_kernel_driver_load.toml +126 -0
- nldcsc_elastic_rules/rules/linux/persistence_kernel_driver_load_by_non_root.toml +132 -0
- nldcsc_elastic_rules/rules/linux/persistence_kernel_object_file_creation.toml +136 -0
- nldcsc_elastic_rules/rules/linux/persistence_kubernetes_sensitive_file_activity.toml +131 -0
- nldcsc_elastic_rules/rules/linux/persistence_kworker_file_creation.toml +208 -0
- nldcsc_elastic_rules/rules/linux/persistence_linux_backdoor_user_creation.toml +165 -0
- nldcsc_elastic_rules/rules/linux/persistence_linux_group_creation.toml +137 -0
- nldcsc_elastic_rules/rules/linux/persistence_linux_shell_activity_via_web_server.toml +199 -0
- nldcsc_elastic_rules/rules/linux/persistence_linux_user_account_creation.toml +136 -0
- nldcsc_elastic_rules/rules/linux/persistence_linux_user_added_to_privileged_group.toml +163 -0
- nldcsc_elastic_rules/rules/linux/persistence_lkm_configuration_file_creation.toml +132 -0
- nldcsc_elastic_rules/rules/linux/persistence_manual_dracut_execution.toml +146 -0
- nldcsc_elastic_rules/rules/linux/persistence_message_of_the_day_creation.toml +188 -0
- nldcsc_elastic_rules/rules/linux/persistence_message_of_the_day_execution.toml +215 -0
- nldcsc_elastic_rules/rules/linux/persistence_network_manager_dispatcher_persistence.toml +163 -0
- nldcsc_elastic_rules/rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml +109 -0
- nldcsc_elastic_rules/rules/linux/persistence_openssl_passwd_hash_generation.toml +129 -0
- nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation.toml +135 -0
- nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml +122 -0
- nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml +115 -0
- nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_source_download.toml +108 -0
- nldcsc_elastic_rules/rules/linux/persistence_polkit_policy_creation.toml +132 -0
- nldcsc_elastic_rules/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +164 -0
- nldcsc_elastic_rules/rules/linux/persistence_process_capability_set_via_setcap.toml +120 -0
- nldcsc_elastic_rules/rules/linux/persistence_pth_file_creation.toml +165 -0
- nldcsc_elastic_rules/rules/linux/persistence_rc_local_error_via_syslog.toml +111 -0
- nldcsc_elastic_rules/rules/linux/persistence_rc_local_service_already_running.toml +124 -0
- nldcsc_elastic_rules/rules/linux/persistence_rc_script_creation.toml +189 -0
- nldcsc_elastic_rules/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml +146 -0
- nldcsc_elastic_rules/rules/linux/persistence_setuid_setgid_capability_set.toml +187 -0
- nldcsc_elastic_rules/rules/linux/persistence_shadow_file_modification.toml +126 -0
- nldcsc_elastic_rules/rules/linux/persistence_shared_object_creation.toml +205 -0
- nldcsc_elastic_rules/rules/linux/persistence_shell_configuration_modification.toml +154 -0
- nldcsc_elastic_rules/rules/linux/persistence_simple_web_server_connection_accepted.toml +152 -0
- nldcsc_elastic_rules/rules/linux/persistence_simple_web_server_creation.toml +160 -0
- nldcsc_elastic_rules/rules/linux/persistence_site_and_user_customize_file_creation.toml +160 -0
- nldcsc_elastic_rules/rules/linux/persistence_ssh_key_generation.toml +124 -0
- nldcsc_elastic_rules/rules/linux/persistence_ssh_netcon.toml +137 -0
- nldcsc_elastic_rules/rules/linux/persistence_ssh_via_backdoored_system_user.toml +135 -0
- nldcsc_elastic_rules/rules/linux/persistence_suspicious_file_opened_through_editor.toml +151 -0
- nldcsc_elastic_rules/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +136 -0
- nldcsc_elastic_rules/rules/linux/persistence_systemd_generator_creation.toml +157 -0
- nldcsc_elastic_rules/rules/linux/persistence_systemd_netcon.toml +144 -0
- nldcsc_elastic_rules/rules/linux/persistence_systemd_scheduled_timer_created.toml +208 -0
- nldcsc_elastic_rules/rules/linux/persistence_systemd_service_creation.toml +261 -0
- nldcsc_elastic_rules/rules/linux/persistence_systemd_service_started.toml +241 -0
- nldcsc_elastic_rules/rules/linux/persistence_systemd_shell_execution.toml +132 -0
- nldcsc_elastic_rules/rules/linux/persistence_tainted_kernel_module_load.toml +124 -0
- nldcsc_elastic_rules/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +125 -0
- nldcsc_elastic_rules/rules/linux/persistence_udev_rule_creation.toml +142 -0
- nldcsc_elastic_rules/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml +152 -0
- nldcsc_elastic_rules/rules/linux/persistence_unusual_exim4_child_process.toml +103 -0
- nldcsc_elastic_rules/rules/linux/persistence_unusual_pam_grantor.toml +118 -0
- nldcsc_elastic_rules/rules/linux/persistence_unusual_sshd_child_process.toml +136 -0
- nldcsc_elastic_rules/rules/linux/persistence_user_credential_modification_via_echo.toml +109 -0
- nldcsc_elastic_rules/rules/linux/persistence_user_or_group_creation_or_modification.toml +129 -0
- nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_child_spawned.toml +234 -0
- nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_command_execution.toml +218 -0
- nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_destination_port.toml +168 -0
- nldcsc_elastic_rules/rules/linux/persistence_xdg_autostart_netcon.toml +155 -0
- nldcsc_elastic_rules/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml +159 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +142 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_container_util_misconfiguration.toml +128 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml +124 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml +124 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml +129 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_dac_permissions.toml +132 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml +115 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_docker_escape_via_nsenter.toml +86 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml +130 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_docker_release_file_creation.toml +88 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_enlightenment_window_manager.toml +115 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml +127 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml +158 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_kworker_uid_elevation.toml +132 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +140 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +146 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +118 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +167 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +127 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_mount_launched_inside_container.toml +114 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml +132 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +118 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +130 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml +112 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml +164 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml +163 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +136 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +119 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_shadow_file_read.toml +140 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +126 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_sudo_hijacking.toml +149 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +131 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml +126 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml +122 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +137 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml +142 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_uid_change_post_compilation.toml +119 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml +152 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +129 -0
- nldcsc_elastic_rules/rules/linux/privilege_escalation_writable_docker_socket.toml +120 -0
- nldcsc_elastic_rules/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml +104 -0
- nldcsc_elastic_rules/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml +197 -0
- nldcsc_elastic_rules/rules/macos/credential_access_credentials_keychains.toml +121 -0
- nldcsc_elastic_rules/rules/macos/credential_access_dumping_hashes_bi_cmds.toml +113 -0
- nldcsc_elastic_rules/rules/macos/credential_access_dumping_keychain_security.toml +116 -0
- nldcsc_elastic_rules/rules/macos/credential_access_high_volume_of_pbpaste.toml +121 -0
- nldcsc_elastic_rules/rules/macos/credential_access_kerberosdump_kcc.toml +124 -0
- nldcsc_elastic_rules/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +135 -0
- nldcsc_elastic_rules/rules/macos/credential_access_mitm_localhost_webproxy.toml +116 -0
- nldcsc_elastic_rules/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml +114 -0
- nldcsc_elastic_rules/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +128 -0
- nldcsc_elastic_rules/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml +128 -0
- nldcsc_elastic_rules/rules/macos/credential_access_systemkey_dumping.toml +117 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_apple_softupdates_modification.toml +117 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml +125 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml +115 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_install_root_certificate.toml +118 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_modify_environment_launchctl.toml +120 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml +122 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml +130 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_safari_config_change.toml +118 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +114 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml +111 -0
- nldcsc_elastic_rules/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml +128 -0
- nldcsc_elastic_rules/rules/macos/discovery_users_domain_built_in_commands.toml +133 -0
- nldcsc_elastic_rules/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml +128 -0
- nldcsc_elastic_rules/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +131 -0
- nldcsc_elastic_rules/rules/macos/execution_installer_package_spawned_network_event.toml +147 -0
- nldcsc_elastic_rules/rules/macos/execution_script_via_automator_workflows.toml +110 -0
- nldcsc_elastic_rules/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml +138 -0
- nldcsc_elastic_rules/rules/macos/execution_shell_execution_via_apple_scripting.toml +114 -0
- nldcsc_elastic_rules/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +182 -0
- nldcsc_elastic_rules/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml +133 -0
- nldcsc_elastic_rules/rules/macos/lateral_movement_mounting_smb_share.toml +121 -0
- nldcsc_elastic_rules/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +119 -0
- nldcsc_elastic_rules/rules/macos/lateral_movement_vpn_connection_attempt.toml +118 -0
- nldcsc_elastic_rules/rules/macos/persistence_account_creation_hide_at_logon.toml +116 -0
- nldcsc_elastic_rules/rules/macos/persistence_creation_change_launch_agents_file.toml +118 -0
- nldcsc_elastic_rules/rules/macos/persistence_creation_hidden_login_item_osascript.toml +139 -0
- nldcsc_elastic_rules/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml +114 -0
- nldcsc_elastic_rules/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +121 -0
- nldcsc_elastic_rules/rules/macos/persistence_crontab_creation.toml +118 -0
- nldcsc_elastic_rules/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +138 -0
- nldcsc_elastic_rules/rules/macos/persistence_directory_services_plugins_modification.toml +111 -0
- nldcsc_elastic_rules/rules/macos/persistence_docker_shortcuts_plist_modification.toml +115 -0
- nldcsc_elastic_rules/rules/macos/persistence_emond_rules_file_creation.toml +117 -0
- nldcsc_elastic_rules/rules/macos/persistence_emond_rules_process_execution.toml +143 -0
- nldcsc_elastic_rules/rules/macos/persistence_enable_root_account.toml +115 -0
- nldcsc_elastic_rules/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +136 -0
- nldcsc_elastic_rules/rules/macos/persistence_finder_sync_plugin_pluginkit.toml +115 -0
- nldcsc_elastic_rules/rules/macos/persistence_folder_action_scripts_runtime.toml +126 -0
- nldcsc_elastic_rules/rules/macos/persistence_login_logout_hooks_defaults.toml +121 -0
- nldcsc_elastic_rules/rules/macos/persistence_loginwindow_plist_modification.toml +92 -0
- nldcsc_elastic_rules/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml +123 -0
- nldcsc_elastic_rules/rules/macos/persistence_periodic_tasks_file_mdofiy.toml +119 -0
- nldcsc_elastic_rules/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml +92 -0
- nldcsc_elastic_rules/rules/macos/persistence_screensaver_plist_file_modification.toml +114 -0
- nldcsc_elastic_rules/rules/macos/persistence_suspicious_calendar_modification.toml +117 -0
- nldcsc_elastic_rules/rules/macos/persistence_via_atom_init_file_modification.toml +115 -0
- nldcsc_elastic_rules/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +124 -0
- nldcsc_elastic_rules/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +139 -0
- nldcsc_elastic_rules/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml +125 -0
- nldcsc_elastic_rules/rules/macos/privilege_escalation_local_user_added_to_admin.toml +119 -0
- nldcsc_elastic_rules/rules/macos/privilege_escalation_root_crontab_filemod.toml +119 -0
- nldcsc_elastic_rules/rules/macos/privilege_escalation_user_added_to_admin_group.toml +121 -0
- nldcsc_elastic_rules/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +129 -0
- nldcsc_elastic_rules/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml +137 -0
- nldcsc_elastic_rules/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +141 -0
- nldcsc_elastic_rules/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml +139 -0
- nldcsc_elastic_rules/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +146 -0
- nldcsc_elastic_rules/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +148 -0
- nldcsc_elastic_rules/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +162 -0
- nldcsc_elastic_rules/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml +140 -0
- nldcsc_elastic_rules/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml +141 -0
- nldcsc_elastic_rules/rules/ml/credential_access_ml_suspicious_login_activity.toml +145 -0
- nldcsc_elastic_rules/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +133 -0
- nldcsc_elastic_rules/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml +135 -0
- nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_information_discovery.toml +137 -0
- nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml +137 -0
- nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml +137 -0
- nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_process_discovery.toml +137 -0
- nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_user_discovery.toml +136 -0
- nldcsc_elastic_rules/rules/ml/execution_ml_windows_anomalous_script.toml +138 -0
- nldcsc_elastic_rules/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml +133 -0
- nldcsc_elastic_rules/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +145 -0
- nldcsc_elastic_rules/rules/ml/initial_access_ml_auth_rare_user_logon.toml +150 -0
- nldcsc_elastic_rules/rules/ml/initial_access_ml_linux_anomalous_user_name.toml +114 -0
- nldcsc_elastic_rules/rules/ml/initial_access_ml_windows_anomalous_user_name.toml +119 -0
- nldcsc_elastic_rules/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +102 -0
- nldcsc_elastic_rules/rules/ml/ml_high_count_events_for_a_host_name.toml +93 -0
- nldcsc_elastic_rules/rules/ml/ml_high_count_network_denies.toml +113 -0
- nldcsc_elastic_rules/rules/ml/ml_high_count_network_events.toml +112 -0
- nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_activity.toml +94 -0
- nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_port_activity.toml +120 -0
- nldcsc_elastic_rules/rules/ml/ml_low_count_events_for_a_host_name.toml +93 -0
- nldcsc_elastic_rules/rules/ml/ml_packetbeat_rare_server_domain.toml +120 -0
- nldcsc_elastic_rules/rules/ml/ml_rare_destination_country.toml +117 -0
- nldcsc_elastic_rules/rules/ml/ml_spike_in_traffic_to_a_country.toml +117 -0
- nldcsc_elastic_rules/rules/ml/ml_windows_anomalous_network_activity.toml +91 -0
- nldcsc_elastic_rules/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +144 -0
- nldcsc_elastic_rules/rules/ml/persistence_ml_rare_process_by_host_linux.toml +144 -0
- nldcsc_elastic_rules/rules/ml/persistence_ml_rare_process_by_host_windows.toml +188 -0
- nldcsc_elastic_rules/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +156 -0
- nldcsc_elastic_rules/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +201 -0
- nldcsc_elastic_rules/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +186 -0
- nldcsc_elastic_rules/rules/ml/persistence_ml_windows_anomalous_service.toml +136 -0
- nldcsc_elastic_rules/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +147 -0
- nldcsc_elastic_rules/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +126 -0
- nldcsc_elastic_rules/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +141 -0
- nldcsc_elastic_rules/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +121 -0
- nldcsc_elastic_rules/rules/network/command_and_control_cobalt_strike_beacon.toml +105 -0
- nldcsc_elastic_rules/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +105 -0
- nldcsc_elastic_rules/rules/network/command_and_control_download_rar_powershell_from_internet.toml +129 -0
- nldcsc_elastic_rules/rules/network/command_and_control_fin7_c2_behavior.toml +66 -0
- nldcsc_elastic_rules/rules/network/command_and_control_halfbaked_beacon.toml +103 -0
- nldcsc_elastic_rules/rules/network/command_and_control_nat_traversal_port_activity.toml +82 -0
- nldcsc_elastic_rules/rules/network/command_and_control_port_26_activity.toml +94 -0
- nldcsc_elastic_rules/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +144 -0
- nldcsc_elastic_rules/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +133 -0
- nldcsc_elastic_rules/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +122 -0
- nldcsc_elastic_rules/rules/network/discovery_potential_network_sweep_detected.toml +118 -0
- nldcsc_elastic_rules/rules/network/discovery_potential_port_scan_detected.toml +113 -0
- nldcsc_elastic_rules/rules/network/discovery_potential_syn_port_scan_detected.toml +112 -0
- nldcsc_elastic_rules/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +113 -0
- nldcsc_elastic_rules/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +113 -0
- nldcsc_elastic_rules/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +126 -0
- nldcsc_elastic_rules/rules/network/initial_access_unsecure_elasticsearch_node.toml +92 -0
- nldcsc_elastic_rules/rules/network/lateral_movement_dns_server_overflow.toml +92 -0
- nldcsc_elastic_rules/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +91 -0
- nldcsc_elastic_rules/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +90 -0
- nldcsc_elastic_rules/rules/promotions/crowdstrike_external_alerts.toml +112 -0
- nldcsc_elastic_rules/rules/promotions/elastic_security_external_alerts.toml +114 -0
- nldcsc_elastic_rules/rules/promotions/endgame_adversary_behavior_detected.toml +71 -0
- nldcsc_elastic_rules/rules/promotions/endgame_malware_detected.toml +71 -0
- nldcsc_elastic_rules/rules/promotions/endgame_malware_prevented.toml +72 -0
- nldcsc_elastic_rules/rules/promotions/endgame_ransomware_detected.toml +69 -0
- nldcsc_elastic_rules/rules/promotions/endgame_ransomware_prevented.toml +71 -0
- nldcsc_elastic_rules/rules/promotions/execution_endgame_exploit_detected.toml +97 -0
- nldcsc_elastic_rules/rules/promotions/execution_endgame_exploit_prevented.toml +99 -0
- nldcsc_elastic_rules/rules/promotions/external_alerts.toml +111 -0
- nldcsc_elastic_rules/rules/promotions/google_secops_external_alerts.toml +114 -0
- nldcsc_elastic_rules/rules/promotions/microsoft_sentinel_external_alerts.toml +113 -0
- nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +85 -0
- nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +85 -0
- nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +85 -0
- nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +85 -0
- nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +86 -0
- nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +85 -0
- nldcsc_elastic_rules/rules/promotions/sentinelone_alert_external_alerts.toml +114 -0
- nldcsc_elastic_rules/rules/promotions/sentinelone_threat_external_alerts.toml +102 -0
- nldcsc_elastic_rules/rules/promotions/splunk_external_alerts.toml +114 -0
- nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_address.toml +187 -0
- nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_email.toml +167 -0
- nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_hash.toml +235 -0
- nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_registry.toml +174 -0
- nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_url.toml +190 -0
- nldcsc_elastic_rules/rules/threat_intel/threat_intel_rapid7_threat_command.toml +108 -0
- nldcsc_elastic_rules/rules/windows/collection_email_outlook_mailbox_via_com.toml +122 -0
- nldcsc_elastic_rules/rules/windows/collection_email_powershell_exchange_mailbox.toml +142 -0
- nldcsc_elastic_rules/rules/windows/collection_mailbox_export_winlog.toml +124 -0
- nldcsc_elastic_rules/rules/windows/collection_posh_audio_capture.toml +135 -0
- nldcsc_elastic_rules/rules/windows/collection_posh_clipboard_capture.toml +164 -0
- nldcsc_elastic_rules/rules/windows/collection_posh_keylogger.toml +146 -0
- nldcsc_elastic_rules/rules/windows/collection_posh_mailbox.toml +155 -0
- nldcsc_elastic_rules/rules/windows/collection_posh_screen_grabber.toml +126 -0
- nldcsc_elastic_rules/rules/windows/collection_posh_webcam_video_capture.toml +134 -0
- nldcsc_elastic_rules/rules/windows/collection_winrar_encryption.toml +129 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_certreq_postdata.toml +172 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_common_llm_endpoint.toml +158 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_common_webservices.toml +383 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_dns_susp_tld.toml +105 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_dns_tunneling_nslookup.toml +109 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +105 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_headless_browser.toml +102 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_iexplore_via_com.toml +119 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_ingress_transfer_bits.toml +173 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml +303 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_outlook_home_page.toml +117 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_port_forwarding_added_registry.toml +120 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_rdp_tunnel_plink.toml +121 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_remcos_rat_iocs.toml +104 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +183 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +181 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_remote_file_copy_powershell.toml +191 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_remote_file_copy_scripts.toml +152 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_rmm_netsupport_susp_path.toml +102 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_screenconnect_childproc.toml +120 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +165 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +142 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_tool_transfer_via_curl.toml +121 -0
- nldcsc_elastic_rules/rules/windows/command_and_control_tunnel_vscode.toml +105 -0
- nldcsc_elastic_rules/rules/windows/credential_access_adidns_wildcard.toml +117 -0
- nldcsc_elastic_rules/rules/windows/credential_access_adidns_wpad_record.toml +113 -0
- nldcsc_elastic_rules/rules/windows/credential_access_browsers_unusual_parent.toml +125 -0
- nldcsc_elastic_rules/rules/windows/credential_access_bruteforce_admin_account.toml +141 -0
- nldcsc_elastic_rules/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml +153 -0
- nldcsc_elastic_rules/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml +163 -0
- nldcsc_elastic_rules/rules/windows/credential_access_cmdline_dump_tool.toml +160 -0
- nldcsc_elastic_rules/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +171 -0
- nldcsc_elastic_rules/rules/windows/credential_access_credential_dumping_msbuild.toml +170 -0
- nldcsc_elastic_rules/rules/windows/credential_access_dcsync_newterm_subjectuser.toml +149 -0
- nldcsc_elastic_rules/rules/windows/credential_access_dcsync_replication_rights.toml +155 -0
- nldcsc_elastic_rules/rules/windows/credential_access_dcsync_user_backdoor.toml +124 -0
- nldcsc_elastic_rules/rules/windows/credential_access_disable_kerberos_preauth.toml +138 -0
- nldcsc_elastic_rules/rules/windows/credential_access_dnsnode_creation.toml +117 -0
- nldcsc_elastic_rules/rules/windows/credential_access_dollar_account_relay.toml +113 -0
- nldcsc_elastic_rules/rules/windows/credential_access_dollar_account_relay_kerberos.toml +129 -0
- nldcsc_elastic_rules/rules/windows/credential_access_dollar_account_relay_ntlm.toml +128 -0
- nldcsc_elastic_rules/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +80 -0
- nldcsc_elastic_rules/rules/windows/credential_access_dump_registry_hives.toml +118 -0
- nldcsc_elastic_rules/rules/windows/credential_access_generic_localdumps.toml +123 -0
- nldcsc_elastic_rules/rules/windows/credential_access_iis_connectionstrings_dumping.toml +108 -0
- nldcsc_elastic_rules/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml +112 -0
- nldcsc_elastic_rules/rules/windows/credential_access_kerberoasting_unusual_process.toml +181 -0
- nldcsc_elastic_rules/rules/windows/credential_access_kerberos_coerce.toml +126 -0
- nldcsc_elastic_rules/rules/windows/credential_access_kerberos_coerce_dns.toml +118 -0
- nldcsc_elastic_rules/rules/windows/credential_access_kirbi_file.toml +103 -0
- nldcsc_elastic_rules/rules/windows/credential_access_ldap_attributes.toml +158 -0
- nldcsc_elastic_rules/rules/windows/credential_access_lsass_handle_via_malseclogon.toml +105 -0
- nldcsc_elastic_rules/rules/windows/credential_access_lsass_loaded_susp_dll.toml +160 -0
- nldcsc_elastic_rules/rules/windows/credential_access_lsass_memdump_file_created.toml +172 -0
- nldcsc_elastic_rules/rules/windows/credential_access_lsass_memdump_handle_access.toml +201 -0
- nldcsc_elastic_rules/rules/windows/credential_access_lsass_openprocess_api.toml +216 -0
- nldcsc_elastic_rules/rules/windows/credential_access_machine_account_smb_relay.toml +105 -0
- nldcsc_elastic_rules/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +109 -0
- nldcsc_elastic_rules/rules/windows/credential_access_mimikatz_powershell_module.toml +132 -0
- nldcsc_elastic_rules/rules/windows/credential_access_mod_wdigest_security_provider.toml +118 -0
- nldcsc_elastic_rules/rules/windows/credential_access_moving_registry_hive_via_smb.toml +118 -0
- nldcsc_elastic_rules/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +176 -0
- nldcsc_elastic_rules/rules/windows/credential_access_posh_invoke_ninjacopy.toml +136 -0
- nldcsc_elastic_rules/rules/windows/credential_access_posh_kerb_ticket_dump.toml +146 -0
- nldcsc_elastic_rules/rules/windows/credential_access_posh_minidump.toml +131 -0
- nldcsc_elastic_rules/rules/windows/credential_access_posh_relay_tools.toml +152 -0
- nldcsc_elastic_rules/rules/windows/credential_access_posh_request_ticket.toml +139 -0
- nldcsc_elastic_rules/rules/windows/credential_access_posh_veeam_sql.toml +134 -0
- nldcsc_elastic_rules/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml +103 -0
- nldcsc_elastic_rules/rules/windows/credential_access_rare_webdav_destination.toml +98 -0
- nldcsc_elastic_rules/rules/windows/credential_access_regback_sam_security_hives.toml +101 -0
- nldcsc_elastic_rules/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +130 -0
- nldcsc_elastic_rules/rules/windows/credential_access_remote_sam_secretsdump.toml +119 -0
- nldcsc_elastic_rules/rules/windows/credential_access_saved_creds_vault_winlog.toml +110 -0
- nldcsc_elastic_rules/rules/windows/credential_access_saved_creds_vaultcmd.toml +117 -0
- nldcsc_elastic_rules/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml +121 -0
- nldcsc_elastic_rules/rules/windows/credential_access_shadow_credentials.toml +120 -0
- nldcsc_elastic_rules/rules/windows/credential_access_spn_attribute_modified.toml +124 -0
- nldcsc_elastic_rules/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +172 -0
- nldcsc_elastic_rules/rules/windows/credential_access_suspicious_lsass_access_generic.toml +129 -0
- nldcsc_elastic_rules/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +126 -0
- nldcsc_elastic_rules/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +109 -0
- nldcsc_elastic_rules/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +143 -0
- nldcsc_elastic_rules/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +147 -0
- nldcsc_elastic_rules/rules/windows/credential_access_veeam_backup_dll_imageload.toml +112 -0
- nldcsc_elastic_rules/rules/windows/credential_access_veeam_commands.toml +129 -0
- nldcsc_elastic_rules/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +96 -0
- nldcsc_elastic_rules/rules/windows/credential_access_wbadmin_ntds.toml +124 -0
- nldcsc_elastic_rules/rules/windows/credential_access_web_config_file_access.toml +96 -0
- nldcsc_elastic_rules/rules/windows/credential_access_wireless_creds_dumping.toml +153 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +175 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml +177 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_amsi_bypass_powershell.toml +175 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_amsienable_key_mod.toml +132 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml +129 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_clearing_windows_console_history.toml +133 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_clearing_windows_event_logs.toml +121 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_clearing_windows_security_logs.toml +87 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml +139 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml +149 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml +279 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_create_mod_root_certificate.toml +172 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_cve_2020_0601.toml +89 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_defender_disabled_via_registry.toml +136 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +148 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +104 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_disable_nla.toml +110 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +129 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +105 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +133 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_disabling_windows_logs.toml +136 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_dns_over_https_enabled.toml +111 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +125 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +109 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +104 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +118 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml +151 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +144 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +130 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +116 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +155 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +124 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +146 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +124 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_file_creation_mult_extension.toml +133 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_from_unusual_directory.toml +194 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +103 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_iis_httplogging_disabled.toml +107 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_indirect_exec_conhost.toml +93 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_indirect_exec_forfiles.toml +92 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_indirect_exec_openssh.toml +93 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_injection_msbuild.toml +111 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_installutil_beacon.toml +100 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +108 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml +111 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +129 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_svchost.toml +96 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_business_apps_installer.toml +257 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_communication_apps.toml +167 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +146 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +144 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_trusted_directory.toml +132 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_werfault.toml +150 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_microsoft_defender_tampering.toml +158 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +147 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_modify_ownership_os_files.toml +111 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +133 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_msbuild_making_network_connections.toml +164 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_mshta_beacon.toml +103 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_mshta_susp_child.toml +111 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml +124 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_msiexec_remote_payload.toml +110 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_msxsl_network.toml +98 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +199 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_ntlm_downgrade.toml +103 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_obf_args_unicode_modified_letters.toml +108 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_parent_process_pid_spoofing.toml +149 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +140 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_assembly_load.toml +224 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_compressed.toml +192 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_defender_tampering.toml +151 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_encryption.toml +110 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation.toml +147 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +170 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +157 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +158 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +154 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +170 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +159 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +168 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml +164 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml +155 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml +159 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_format.toml +178 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml +166 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_posh_process_injection.toml +163 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +141 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml +176 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +123 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml +124 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_regmod_remotemonologue.toml +136 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_right_to_left_override.toml +122 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_root_dir_ads_creation.toml +106 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_run_virt_windowssandbox.toml +108 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_rundll32_no_arguments.toml +146 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_sc_sdset.toml +121 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_sccm_scnotification_dll.toml +87 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +123 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_script_via_html_app.toml +144 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +112 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_sip_provider_mod.toml +112 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml +139 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_certutil_commands.toml +153 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +139 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml +108 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +174 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml +96 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_scrobj_load.toml +112 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_short_program_name.toml +141 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_wmi_script.toml +108 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_zoom_child_process.toml +161 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +161 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_timestomp_sysmon.toml +109 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml +192 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_untrusted_driver_loaded.toml +137 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_ads_file_creation.toml +193 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_dir_ads.toml +109 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml +101 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml +128 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_process_network_connection.toml +108 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +98 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_via_filter_manager.toml +155 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml +104 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_windows_filtering_platform.toml +154 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_workfolders_control_execution.toml +108 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_bash_exec.toml +133 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_child_process.toml +124 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_enabled_via_dism.toml +104 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_filesystem.toml +98 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_kalilinux.toml +113 -0
- nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_registry_modification.toml +108 -0
- nldcsc_elastic_rules/rules/windows/discovery_active_directory_webservice.toml +96 -0
- nldcsc_elastic_rules/rules/windows/discovery_ad_explorer_execution.toml +126 -0
- nldcsc_elastic_rules/rules/windows/discovery_adfind_command_activity.toml +147 -0
- nldcsc_elastic_rules/rules/windows/discovery_admin_recon.toml +133 -0
- nldcsc_elastic_rules/rules/windows/discovery_command_system_account.toml +126 -0
- nldcsc_elastic_rules/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml +111 -0
- nldcsc_elastic_rules/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +121 -0
- nldcsc_elastic_rules/rules/windows/discovery_group_policy_object_discovery.toml +100 -0
- nldcsc_elastic_rules/rules/windows/discovery_high_number_ad_properties.toml +98 -0
- nldcsc_elastic_rules/rules/windows/discovery_host_public_ip_address_lookup.toml +161 -0
- nldcsc_elastic_rules/rules/windows/discovery_peripheral_device.toml +96 -0
- nldcsc_elastic_rules/rules/windows/discovery_posh_invoke_sharefinder.toml +154 -0
- nldcsc_elastic_rules/rules/windows/discovery_posh_suspicious_api_functions.toml +206 -0
- nldcsc_elastic_rules/rules/windows/discovery_privileged_localgroup_membership.toml +207 -0
- nldcsc_elastic_rules/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml +91 -0
- nldcsc_elastic_rules/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml +86 -0
- nldcsc_elastic_rules/rules/windows/discovery_whoami_command_activity.toml +130 -0
- nldcsc_elastic_rules/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +140 -0
- nldcsc_elastic_rules/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +126 -0
- nldcsc_elastic_rules/rules/windows/execution_com_object_xwizard.toml +123 -0
- nldcsc_elastic_rules/rules/windows/execution_command_prompt_connecting_to_the_internet.toml +166 -0
- nldcsc_elastic_rules/rules/windows/execution_command_shell_started_by_svchost.toml +208 -0
- nldcsc_elastic_rules/rules/windows/execution_command_shell_started_by_unusual_process.toml +127 -0
- nldcsc_elastic_rules/rules/windows/execution_command_shell_via_rundll32.toml +139 -0
- nldcsc_elastic_rules/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml +188 -0
- nldcsc_elastic_rules/rules/windows/execution_downloaded_shortcut_files.toml +110 -0
- nldcsc_elastic_rules/rules/windows/execution_downloaded_url_file.toml +107 -0
- nldcsc_elastic_rules/rules/windows/execution_enumeration_via_wmiprvse.toml +149 -0
- nldcsc_elastic_rules/rules/windows/execution_from_unusual_path_cmdline.toml +271 -0
- nldcsc_elastic_rules/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml +175 -0
- nldcsc_elastic_rules/rules/windows/execution_initial_access_foxmail_exploit.toml +115 -0
- nldcsc_elastic_rules/rules/windows/execution_initial_access_via_msc_file.toml +140 -0
- nldcsc_elastic_rules/rules/windows/execution_initial_access_wps_dll_exploit.toml +113 -0
- nldcsc_elastic_rules/rules/windows/execution_mofcomp.toml +120 -0
- nldcsc_elastic_rules/rules/windows/execution_ms_office_written_file.toml +128 -0
- nldcsc_elastic_rules/rules/windows/execution_nodejs_susp_patterns.toml +119 -0
- nldcsc_elastic_rules/rules/windows/execution_pdf_written_file.toml +134 -0
- nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_authors.toml +136 -0
- nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_functions.toml +357 -0
- nldcsc_elastic_rules/rules/windows/execution_posh_malicious_script_agg.toml +150 -0
- nldcsc_elastic_rules/rules/windows/execution_posh_portable_executable.toml +175 -0
- nldcsc_elastic_rules/rules/windows/execution_posh_psreflect.toml +194 -0
- nldcsc_elastic_rules/rules/windows/execution_powershell_susp_args_via_winscript.toml +115 -0
- nldcsc_elastic_rules/rules/windows/execution_psexec_lateral_movement_command.toml +134 -0
- nldcsc_elastic_rules/rules/windows/execution_register_server_program_connecting_to_the_internet.toml +171 -0
- nldcsc_elastic_rules/rules/windows/execution_revshell_cmd_via_netcat.toml +97 -0
- nldcsc_elastic_rules/rules/windows/execution_scheduled_task_powershell_source.toml +110 -0
- nldcsc_elastic_rules/rules/windows/execution_scripting_remote_webdav.toml +120 -0
- nldcsc_elastic_rules/rules/windows/execution_scripts_archive_file.toml +123 -0
- nldcsc_elastic_rules/rules/windows/execution_shared_modules_local_sxs_dll.toml +73 -0
- nldcsc_elastic_rules/rules/windows/execution_suspicious_cmd_wmi.toml +117 -0
- nldcsc_elastic_rules/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +100 -0
- nldcsc_elastic_rules/rules/windows/execution_suspicious_pdf_reader.toml +143 -0
- nldcsc_elastic_rules/rules/windows/execution_suspicious_powershell_imgload.toml +141 -0
- nldcsc_elastic_rules/rules/windows/execution_suspicious_psexesvc.toml +115 -0
- nldcsc_elastic_rules/rules/windows/execution_via_compiled_html_file.toml +180 -0
- nldcsc_elastic_rules/rules/windows/execution_via_hidden_shell_conhost.toml +144 -0
- nldcsc_elastic_rules/rules/windows/execution_via_mmc_console_file_unusual_path.toml +146 -0
- nldcsc_elastic_rules/rules/windows/execution_windows_cmd_shell_susp_args.toml +179 -0
- nldcsc_elastic_rules/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml +144 -0
- nldcsc_elastic_rules/rules/windows/execution_windows_phish_clickfix.toml +143 -0
- nldcsc_elastic_rules/rules/windows/execution_windows_powershell_susp_args.toml +188 -0
- nldcsc_elastic_rules/rules/windows/execution_windows_script_from_internet.toml +132 -0
- nldcsc_elastic_rules/rules/windows/exfiltration_smb_rare_destination.toml +138 -0
- nldcsc_elastic_rules/rules/windows/impact_backup_file_deletion.toml +125 -0
- nldcsc_elastic_rules/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +111 -0
- nldcsc_elastic_rules/rules/windows/impact_high_freq_file_renames_by_kernel.toml +114 -0
- nldcsc_elastic_rules/rules/windows/impact_mod_critical_os_files.toml +100 -0
- nldcsc_elastic_rules/rules/windows/impact_modification_of_boot_config.toml +109 -0
- nldcsc_elastic_rules/rules/windows/impact_ransomware_file_rename_smb.toml +117 -0
- nldcsc_elastic_rules/rules/windows/impact_ransomware_note_file_over_smb.toml +117 -0
- nldcsc_elastic_rules/rules/windows/impact_stop_process_service_threshold.toml +97 -0
- nldcsc_elastic_rules/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +124 -0
- nldcsc_elastic_rules/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +148 -0
- nldcsc_elastic_rules/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +137 -0
- nldcsc_elastic_rules/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +151 -0
- nldcsc_elastic_rules/rules/windows/initial_access_execution_from_inetcache.toml +143 -0
- nldcsc_elastic_rules/rules/windows/initial_access_execution_from_removable_media.toml +93 -0
- nldcsc_elastic_rules/rules/windows/initial_access_execution_remote_via_msiexec.toml +136 -0
- nldcsc_elastic_rules/rules/windows/initial_access_execution_via_office_addins.toml +160 -0
- nldcsc_elastic_rules/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml +124 -0
- nldcsc_elastic_rules/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +145 -0
- nldcsc_elastic_rules/rules/windows/initial_access_rdp_file_mail_attachment.toml +118 -0
- nldcsc_elastic_rules/rules/windows/initial_access_script_executing_powershell.toml +145 -0
- nldcsc_elastic_rules/rules/windows/initial_access_scripts_process_started_via_wmi.toml +146 -0
- nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_exchange_files.toml +110 -0
- nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_exchange_process.toml +147 -0
- nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +129 -0
- nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_office_child_process.toml +175 -0
- nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +162 -0
- nldcsc_elastic_rules/rules/windows/initial_access_suspicious_windows_server_update_svc.toml +121 -0
- nldcsc_elastic_rules/rules/windows/initial_access_url_cve_2025_33053.toml +120 -0
- nldcsc_elastic_rules/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +158 -0
- nldcsc_elastic_rules/rules/windows/initial_access_webshell_screenconnect_server.toml +127 -0
- nldcsc_elastic_rules/rules/windows/initial_access_xsl_script_execution_via_com.toml +112 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_alternate_creds_pth.toml +102 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_cmd_service.toml +127 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml +127 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_hta.toml +120 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_mmc20.toml +119 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +103 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml +121 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +158 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +122 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +110 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +109 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +163 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml +106 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_incoming_wmi.toml +124 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +151 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_powershell_remoting_target.toml +127 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_rdp_enabled_registry.toml +132 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_rdp_sharprdp_target.toml +108 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +108 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_remote_service_installed_winlog.toml +131 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_remote_services.toml +174 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_remote_task_creation_winlog.toml +93 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_scheduled_task_target.toml +107 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +123 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_unusual_dns_service_children.toml +124 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml +97 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +126 -0
- nldcsc_elastic_rules/rules/windows/lateral_movement_via_wsus_update.toml +105 -0
- nldcsc_elastic_rules/rules/windows/persistence_ad_adminsdholder.toml +103 -0
- nldcsc_elastic_rules/rules/windows/persistence_adobe_hijack_persistence.toml +154 -0
- nldcsc_elastic_rules/rules/windows/persistence_app_compat_shim.toml +117 -0
- nldcsc_elastic_rules/rules/windows/persistence_appcertdlls_registry.toml +121 -0
- nldcsc_elastic_rules/rules/windows/persistence_appinitdlls_registry.toml +196 -0
- nldcsc_elastic_rules/rules/windows/persistence_browser_extension_install.toml +111 -0
- nldcsc_elastic_rules/rules/windows/persistence_dontexpirepasswd_account.toml +108 -0
- nldcsc_elastic_rules/rules/windows/persistence_evasion_hidden_local_account_creation.toml +104 -0
- nldcsc_elastic_rules/rules/windows/persistence_evasion_registry_ifeo_injection.toml +134 -0
- nldcsc_elastic_rules/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +191 -0
- nldcsc_elastic_rules/rules/windows/persistence_group_modification_by_system.toml +104 -0
- nldcsc_elastic_rules/rules/windows/persistence_local_scheduled_job_creation.toml +114 -0
- nldcsc_elastic_rules/rules/windows/persistence_local_scheduled_task_creation.toml +109 -0
- nldcsc_elastic_rules/rules/windows/persistence_local_scheduled_task_scripting.toml +97 -0
- nldcsc_elastic_rules/rules/windows/persistence_ms_office_addins_file.toml +111 -0
- nldcsc_elastic_rules/rules/windows/persistence_ms_outlook_vba_template.toml +102 -0
- nldcsc_elastic_rules/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +117 -0
- nldcsc_elastic_rules/rules/windows/persistence_msi_installer_task_startup.toml +121 -0
- nldcsc_elastic_rules/rules/windows/persistence_msoffice_startup_registry.toml +118 -0
- nldcsc_elastic_rules/rules/windows/persistence_netsh_helper_dll.toml +117 -0
- nldcsc_elastic_rules/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +129 -0
- nldcsc_elastic_rules/rules/windows/persistence_powershell_profiles.toml +176 -0
- nldcsc_elastic_rules/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +189 -0
- nldcsc_elastic_rules/rules/windows/persistence_registry_uncommon.toml +193 -0
- nldcsc_elastic_rules/rules/windows/persistence_remote_password_reset.toml +122 -0
- nldcsc_elastic_rules/rules/windows/persistence_run_key_and_startup_broad.toml +188 -0
- nldcsc_elastic_rules/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +107 -0
- nldcsc_elastic_rules/rules/windows/persistence_scheduled_task_creation_winlog.toml +104 -0
- nldcsc_elastic_rules/rules/windows/persistence_scheduled_task_updated.toml +98 -0
- nldcsc_elastic_rules/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +125 -0
- nldcsc_elastic_rules/rules/windows/persistence_service_dll_unsigned.toml +219 -0
- nldcsc_elastic_rules/rules/windows/persistence_service_windows_service_winlog.toml +148 -0
- nldcsc_elastic_rules/rules/windows/persistence_services_registry.toml +147 -0
- nldcsc_elastic_rules/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +172 -0
- nldcsc_elastic_rules/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +166 -0
- nldcsc_elastic_rules/rules/windows/persistence_startup_folder_scripts.toml +168 -0
- nldcsc_elastic_rules/rules/windows/persistence_suspicious_com_hijack_registry.toml +197 -0
- nldcsc_elastic_rules/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +182 -0
- nldcsc_elastic_rules/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +153 -0
- nldcsc_elastic_rules/rules/windows/persistence_suspicious_service_created_registry.toml +119 -0
- nldcsc_elastic_rules/rules/windows/persistence_sysmon_wmi_event_subscription.toml +100 -0
- nldcsc_elastic_rules/rules/windows/persistence_system_shells_via_services.toml +160 -0
- nldcsc_elastic_rules/rules/windows/persistence_temp_scheduled_task.toml +109 -0
- nldcsc_elastic_rules/rules/windows/persistence_time_provider_mod.toml +172 -0
- nldcsc_elastic_rules/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +115 -0
- nldcsc_elastic_rules/rules/windows/persistence_user_account_creation.toml +105 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_application_shimming.toml +126 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_bits_job_notify_command.toml +109 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_hidden_run_key_valuename.toml +139 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_lsa_security_support_provider_registry.toml +127 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml +141 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +182 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +121 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +210 -0
- nldcsc_elastic_rules/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml +149 -0
- nldcsc_elastic_rules/rules/windows/persistence_web_shell_aspx_write.toml +109 -0
- nldcsc_elastic_rules/rules/windows/persistence_webshell_detection.toml +216 -0
- nldcsc_elastic_rules/rules/windows/persistence_werfault_reflectdebugger.toml +114 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml +91 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_create_process_as_different_user.toml +106 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml +121 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_credroaming_ldap.toml +111 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_disable_uac_registry.toml +163 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml +90 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +95 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_driver_newterm_imphash.toml +156 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_expired_driver_loaded.toml +105 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_exploit_cve_202238028.toml +127 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +125 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_group_policy_iniscript.toml +144 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +106 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +161 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_installertakeover.toml +156 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +119 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_lsa_auth_package.toml +114 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_make_token_local.toml +109 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml +119 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_named_pipe_impersonation.toml +148 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml +100 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_persistence_phantom_dll.toml +214 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml +128 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_posh_token_impersonation.toml +219 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml +108 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml +159 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml +104 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +155 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml +180 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_rogue_windir_environment_var.toml +110 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml +119 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +192 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +110 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml +94 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +127 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +140 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +143 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +137 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +153 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +137 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +179 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +179 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +177 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_unquoted_service_path.toml +108 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +180 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +128 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +145 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_via_ppid_spoofing.toml +158 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +106 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_via_token_theft.toml +157 -0
- nldcsc_elastic_rules/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +127 -0
- nldcsc_elastic_rules/utils.py +7 -0
- nldcsc_elastic_rules-0.0.8.dist-info/METADATA +3 -0
- nldcsc_elastic_rules-0.0.8.dist-info/RECORD +1536 -0
- nldcsc_elastic_rules-0.0.8.dist-info/WHEEL +5 -0
- nldcsc_elastic_rules-0.0.8.dist-info/top_level.txt +1 -0
|
@@ -0,0 +1,1536 @@
|
|
|
1
|
+
nldcsc_elastic_rules/__init__.py,sha256=Q1e_hA0UWS0saeVTTT-JK4LFhAr5dFoDZ-VfeqaeRts,26
|
|
2
|
+
nldcsc_elastic_rules/utils.py,sha256=ARrzmx6IIGjhxOXngl9X-vfbVFMFA-CrLlfUsIM5O0U,148
|
|
3
|
+
nldcsc_elastic_rules/rules/README.md,sha256=74MF8KLotXS4bnoVVlsWqrFsJcimUd0OJ-_hfg0SfPQ,2862
|
|
4
|
+
nldcsc_elastic_rules/rules/_deprecated/apm_null_user_agent.toml,sha256=P1Ob5RxPCMFTR8Z_fRaFpfLNgZmJekBbg1ihzeuHpeY,1466
|
|
5
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml,sha256=L9n522sl79myzYEWozsyKhrtM9oD9n7xlHhsOq_-D-4,3405
|
|
6
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_dns_directly_to_the_internet.toml,sha256=qlYl28lEc69nJXQRHz0Z-nstI8SKLXttlll_4N_rnio,2841
|
|
7
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml,sha256=Ch4I743iqDRnHQBDzBJKPMvGxfD9cscKyWkNHkjChEc,2559
|
|
8
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml,sha256=Owf2oKiHH5RMdHs16mdW5NGlZfqacps7HCUB3NE2WJc,2506
|
|
9
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_linux_iodine_activity.toml,sha256=ik7mymIg2c2SRv5OG5UqT-rSRKzJmrcwxRTwLAo8tkc,1841
|
|
10
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_linux_port_knocking_reverse_connection.toml,sha256=17PowWGKOMFk8t2VMfTD5IBbPKYYAtAp4RVMyVJnlQY,5148
|
|
11
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_port_8000_activity_to_the_internet.toml,sha256=jgENNsuzg4kMtoUEaeBlpqG5F-3eCtwUVBUU4du7cXQ,2010
|
|
12
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml,sha256=uzqvyL_JvKsDojc_TCpVZW_4qUhuJ38kwUbsJwUkn4k,1568
|
|
13
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_proxy_port_activity_to_the_internet.toml,sha256=N123c9tBYL3PqNd2xMKyRTZpkWdX9gQ4p8b2G7Q3N1Y,2443
|
|
14
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_smtp_to_the_internet.toml,sha256=OmyIkHqqO3OdQJLBLARCht0UsqkRlUjOkXUX7lXOHE8,2119
|
|
15
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_sql_server_port_activity_to_the_internet.toml,sha256=KDNeLrIR2fb2FNdMzS4mH_Mw6Ky7EhIttMD57ccXiCI,1916
|
|
16
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml,sha256=dT3rK50ocmiI9aTi2AO9kK7SgczzjsAxOFswYRynrjk,2757
|
|
17
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet.toml,sha256=EfQzNOi7HQFnTMZT5QrVj50Sgr6iY6GOYrhLumicXcE,2151
|
|
18
|
+
nldcsc_elastic_rules/rules/_deprecated/command_and_control_tor_activity_to_the_internet.toml,sha256=NF4Fl59KsJLdABK6K5FwmXr1tdu7NXaedQfVnuhTaDw,2329
|
|
19
|
+
nldcsc_elastic_rules/rules/_deprecated/container_workload_protection.toml,sha256=ZqrqcH1CYEgP7GBj3AvAcgvuRwK0B0zsk5QglX1QgPo,5755
|
|
20
|
+
nldcsc_elastic_rules/rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml,sha256=hcnMsA_PtTpgFCf58IJI17y4mkwIQoEkK2Q18_rGXL4,6920
|
|
21
|
+
nldcsc_elastic_rules/rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml,sha256=xfbrReQylgBVP9_SX1_yJ_OI4HTGA-eCX0Difetaejk,7399
|
|
22
|
+
nldcsc_elastic_rules/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml,sha256=0gn1XEwiyKKC2FAt2-86ONDaxDYB2Hue50-8xstoxd0,6831
|
|
23
|
+
nldcsc_elastic_rules/rules/_deprecated/credential_access_microsoft_365_potential_password_spraying_attack.toml,sha256=ieBRSQIw3hk673O5dGw1hx8_JAklxKCYcicpjYjlTHc,1815
|
|
24
|
+
nldcsc_elastic_rules/rules/_deprecated/credential_access_potential_linux_ssh_bruteforce_root.toml,sha256=t_1U00NJarwzYBhpUkhLxdhiV2ZoPaNUOZWbY3Wq6Dk,3966
|
|
25
|
+
nldcsc_elastic_rules/rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml,sha256=7j_GPh1Y8xV6DwggaLztMPdBk-F7jj8FIiVJ5FY0slQ,7014
|
|
26
|
+
nldcsc_elastic_rules/rules/_deprecated/credential_access_tcpdump_activity.toml,sha256=HjMr6vfU4ptYXikdukMUug9Um8DBKHXRbBwns9RriJw,1662
|
|
27
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml,sha256=xmyL9oBeFgVTsQiHxVhe6hGmu1nYihiHP_kb8Rz3j_o,1530
|
|
28
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml,sha256=sZ_95szs8hOpomQmmlSUVgG96KgfH9C0YRBS5icSmMw,1477
|
|
29
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_code_injection_conhost.toml,sha256=G6Yz_j7i3ly8I_QxT64BDHoVSIi2aeeVRaZjfIotC68,5188
|
|
30
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml,sha256=0DIN1D3-hRuLx57AlgtkBAOFDQUAEZ_BNMf1TG7rX9Y,1342
|
|
31
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml,sha256=JtVxnHzgZ_O9fPb5DxmRoiFW-Gxqw7ihShvbv4zorMM,1431
|
|
32
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_ld_preload_env_variable_process_injection.toml,sha256=N12tqet7lSXN0_AL0_CZAc9bbJlZBSyBZ2YMcjXm_Po,6018
|
|
33
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml,sha256=LpR9xyGxNGtcIHl1_CIXNuOUNq8fTIB1HDBbSJkXWI4,6580
|
|
34
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_mshta_making_network_connections.toml,sha256=-beMtzmAlThKxAhtC1QrgL6AQt76_S0sCHtgg1NeNJY,1491
|
|
35
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_potential_processherpaderping.toml,sha256=CrMLt3Zcji5ydCGpt-_p17w8NGWvdpC4i1uQ2vh-Vs4,1842
|
|
36
|
+
nldcsc_elastic_rules/rules/_deprecated/defense_evasion_whitespace_padding_in_command_line.toml,sha256=y1xyhawly-MX1X7wU8r7H33s61qjifj3O7MPD_9qHdg,5213
|
|
37
|
+
nldcsc_elastic_rules/rules/_deprecated/discovery_file_dir_discovery.toml,sha256=x3H7E_TjCpMrByzKuW5gFWFiSy46etE8-wfW2wy8tNU,4102
|
|
38
|
+
nldcsc_elastic_rules/rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml,sha256=xsfztpMiMrhlVsKSJs8jpbpIr-ifl5-kWmYHjXgniSk,1357
|
|
39
|
+
nldcsc_elastic_rules/rules/_deprecated/discovery_query_registry_via_reg.toml,sha256=yaFFIcpM9z2Z_xFL3zvhHcLyV9RU8BFtJtE_uhVhZko,1134
|
|
40
|
+
nldcsc_elastic_rules/rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml,sha256=fiwLKlnuZHIpUNTcvDcAVCecJmlpw4wpnrj6ox5n_do,7191
|
|
41
|
+
nldcsc_elastic_rules/rules/_deprecated/discovery_whoami_commmand.toml,sha256=NEUGhhng629IInRexo-_TVOgkNCVoLvO4uaXJ4tlsqk,1256
|
|
42
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_apt_binary.toml,sha256=FGsJSS6bii45TNR3PfSXcSXmUqRRW4g0Y01xBzzDpEw,1831
|
|
43
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_awk_binary_shell.toml,sha256=jEchJX9Jf9-VQeV1-vssqVRqdQPza-Pcanw-556MCBE,1729
|
|
44
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_busybox_binary.toml,sha256=IITvx4ReXM1up2gjvYa8Aec7QUgeDfILHFHeXC58zrM,1665
|
|
45
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_c89_c99_binary.toml,sha256=5VLXlYDqDHGC7A9hJDtKHai7WMhCzUzF1-lB1MfyY9M,1791
|
|
46
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_command_shell_started_by_powershell.toml,sha256=0SGoxLXFNej0Ffb8VvVq3PCqyvE4Jbay4eC1PifB8FY,1228
|
|
47
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_container_management_binary_launched_inside_a_container.toml,sha256=wc03iGpqZHtW5St9fznTTNm0cTlik6l59jlsgr3Y4GQ,6314
|
|
48
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_cpulimit_binary.toml,sha256=Za3MQfcjwp3en5LUJsVZEPZxkv-Em2qjubwTLF5G5as,1792
|
|
49
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_crash_binary.toml,sha256=-wz6LJVZUeuLHLm6ZPEpavzyPZWbX2IQWyhpSg609i4,1606
|
|
50
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_env_binary.toml,sha256=2qq_ndk9zYy2_D3bli2eyWzNhSgJw7glh1Zq7r5wTJ0,1666
|
|
51
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_expect_binary.toml,sha256=BIU_NjT5DFy7XrtG7MJJ_zfkL1YkoKIN9bhbmraY7Zo,1856
|
|
52
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml,sha256=EixVwV70PVfr-W5nq020tJosjbvjWJaiksviP71YrVs,6901
|
|
53
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_find_binary.toml,sha256=PKvMdNYz4AEJ0ZfZxkwPLbCmQs1OVsBQ5QSZKLD3l8c,1719
|
|
54
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_flock_binary.toml,sha256=cePqGZZf4f9-0GobaxgxMcEByc9I7pTOju6KyakcOq0,1769
|
|
55
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_gcc_binary.toml,sha256=hqaGdpJ0pDyfe9Z3mLb9YQwRiSvAgiKyJbL1TtS6QJ8,1760
|
|
56
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_interactive_exec_to_container.toml,sha256=J0s8cBhLJPOkuBEHWESk1u0EftVJGVPc-MBktMh09Ns,7863
|
|
57
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml,sha256=o69H9bsIaLU0VaR9Dx4tltk_Qu83QfqKIAvoh1gnA9k,6492
|
|
58
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_linux_process_started_in_temp_directory.toml,sha256=Of0Ynl54K-ToNotSxvqmX7ZjEOpHOA4jPJwiTYAWvNs,1495
|
|
59
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_mysql_binary.toml,sha256=DhCMP0edAa6Z22WuHQxlg31aDSFfUWOVvG38eMr85m0,1728
|
|
60
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml,sha256=MRCiqVINi9uZdhdeTYaaHaSwMbtSbavIFPUIYZyaniI,7180
|
|
61
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_reverse_shell_via_named_pipe.toml,sha256=ho8lidMGBTNyv3f5AT29uMlDs5PmO_UEhW0EPNLW9QI,2876
|
|
62
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml,sha256=M6bJXbB1RxvG7sNJifxwfKe8rn2WqRU2LOO1apmj17s,5431
|
|
63
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_ssh_binary.toml,sha256=wRBTyH4Z06Qgf7uSefoQzWzR_yZLZRXrTAqdu00kkcg,1915
|
|
64
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_suspicious_jar_child_process.toml,sha256=g7Y6xvGgfo0MTj6EGYxdDRUtE8VHgTVLnHEU8NSW_w0,5143
|
|
65
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_vi_binary.toml,sha256=rVx9fC5neqddpDzHI3cauhBO0O8eHaW1yeO0GqmPzm8,1693
|
|
66
|
+
nldcsc_elastic_rules/rules/_deprecated/execution_via_net_com_assemblies.toml,sha256=WoQfkdoC-v0pHjs5Z1CSF9JdwbEV-N3yiKzIfcZ05Yg,1517
|
|
67
|
+
nldcsc_elastic_rules/rules/_deprecated/exfiltration_ec2_snapshot_change_activity.toml,sha256=1G5HDecNxC7OnjHHAmJgTABviAJu6m5l8hrd94MErLQ,5984
|
|
68
|
+
nldcsc_elastic_rules/rules/_deprecated/exfiltration_rds_snapshot_export.toml,sha256=sWun5b-ABOXGlkaBRRU4D7IAhq0oxcSzRiARSbzyVrs,1587
|
|
69
|
+
nldcsc_elastic_rules/rules/_deprecated/impact_potential_linux_ransomware_file_encryption.toml,sha256=lOEgZWwU381xlheYMvcJFy9gO17FYaWP720PAL9IlUk,4275
|
|
70
|
+
nldcsc_elastic_rules/rules/_deprecated/impact_virtual_network_device_modified.toml,sha256=C1-KzN13Hafw3A9-Fg-37R4Bd9STq0xPe7i-vBfo69M,6954
|
|
71
|
+
nldcsc_elastic_rules/rules/_deprecated/initial_access_cross_site_scripting.toml,sha256=QzRJdE2DmDPRpcI1GD05Zmv8ouf4zjpWvZFFtp57Nts,1617
|
|
72
|
+
nldcsc_elastic_rules/rules/_deprecated/initial_access_login_failures.toml,sha256=_kOXSQ4PleBgeG68TjvkHXKMUomjZlIqBcP01JwEkPM,1382
|
|
73
|
+
nldcsc_elastic_rules/rules/_deprecated/initial_access_login_location.toml,sha256=tz_uUjcVOnqB1UK96KKBXIbDjYBNfzaWgbis3_6XeSs,1370
|
|
74
|
+
nldcsc_elastic_rules/rules/_deprecated/initial_access_login_sessions.toml,sha256=ANcZlbHYI9rAPIpTOVoBornOTDsvfhgikW-299X-CqY,1358
|
|
75
|
+
nldcsc_elastic_rules/rules/_deprecated/initial_access_login_time.toml,sha256=_kljdiUN-qkj6Cl_sl-1JkYo3pxrfmPDQLWq8v9ndWU,1361
|
|
76
|
+
nldcsc_elastic_rules/rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml,sha256=Qwqv0Iuf1XK8f5-qP2KftZBIVXzV7Rwha_8MtLLG3uE,2587
|
|
77
|
+
nldcsc_elastic_rules/rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml,sha256=8IRjm-KURyYajs2vbpg_vlAUEQRwlXN5gpA0DlzcVO0,6893
|
|
78
|
+
nldcsc_elastic_rules/rules/_deprecated/lateral_movement_malicious_remote_file_creation.toml,sha256=9psQ-KiT-Mi4cB1RCSHQ-Iy9adDa1vbLqdmG0N3nqh4,1489
|
|
79
|
+
nldcsc_elastic_rules/rules/_deprecated/lateral_movement_remote_file_creation_in_sensitive_directory.toml,sha256=cIF5BJVeQFXhcmk-oKcfIu5re0tjf_klOdBctLEIWXA,1956
|
|
80
|
+
nldcsc_elastic_rules/rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml,sha256=tMNkzlHomJ5txCvbGqU1ee9DtSyhLJM2Nsf3rKkEJaA,7081
|
|
81
|
+
nldcsc_elastic_rules/rules/_deprecated/linux_mknod_activity.toml,sha256=AtOAcnSD1gRdU8oeF1nL7vR-8st7W6Cx_FM9ZqYU5fU,1252
|
|
82
|
+
nldcsc_elastic_rules/rules/_deprecated/linux_nmap_activity.toml,sha256=4krPC1MpI7NrhqLNP_CvUd_WpeI7V4Wb_IFbB8xH7Co,1250
|
|
83
|
+
nldcsc_elastic_rules/rules/_deprecated/linux_socat_activity.toml,sha256=fpPixypMYwHucgfqOZtKJesiqM45VL5AJ3tm3djHPJE,1283
|
|
84
|
+
nldcsc_elastic_rules/rules/_deprecated/persistence_cron_jobs_creation_and_runtime.toml,sha256=9NuZqZnlMzwYsrsHmFaCufJDQ_EvyjmFm1F0pV020zA,1948
|
|
85
|
+
nldcsc_elastic_rules/rules/_deprecated/persistence_etc_file_creation.toml,sha256=aJuHvXlPf_fsjj4kyttJnRq8-7JJgBiZvnDU182TjCI,13625
|
|
86
|
+
nldcsc_elastic_rules/rules/_deprecated/persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml,sha256=YHdUhvXuabDtrsacccM1Js8ZjkslHGFALmVMHwNc56A,3682
|
|
87
|
+
nldcsc_elastic_rules/rules/_deprecated/persistence_kernel_module_activity.toml,sha256=NAumTSTdPVKKxNj_eawEiJj1O7NBc1BWsK95DlnIuuo,1570
|
|
88
|
+
nldcsc_elastic_rules/rules/_deprecated/persistence_shell_activity_by_web_server.toml,sha256=1XiZc6_XUztm5qrZuHU01sEh6QAS9TGJ4-SDVR1Vkmo,4985
|
|
89
|
+
nldcsc_elastic_rules/rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml,sha256=LtSWwzrUBa_tFgTJye-dUuiMkgBuKkXMwPl0jfqDUqw,6621
|
|
90
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml,sha256=xsbAB6GfLjr7jFwzii9J7HoZHBxWr7pd_HIBvvinyhc,6337
|
|
91
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml,sha256=FPINRz6iSlfk2sHVKA30AmwBavmIuhKHmxFxms6kFh0,1903
|
|
92
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml,sha256=z0OxMwyBUuyP95zI2UFyJTJbPG-DgFxGjLpRP6HWKro,2361
|
|
93
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_linux_strace_activity.toml,sha256=jFqD1L6vukg2SZmd_9Dl7BOlyvneLEp73MLrn8sPjKQ,1505
|
|
94
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_mount_launched_inside_a_privileged_container.toml,sha256=LlnccY_yhKe25gydtnQnM8Bocq6fFQLwgIWXjn58608,6370
|
|
95
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml,sha256=M15KCZLyVfJZh1UMINC2ytHfwWWHwa-9uIio4orEx6E,6606
|
|
96
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml,sha256=KiYR_j8RWiLTh2vtFjYZB0luYSQ_Unj_YyI7LyAOLKU,6426
|
|
97
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_printspooler_malicious_driver_file_changes.toml,sha256=lpOfEQ3OwDo_dF1nPSHEf8PZOfLsszfNrnDDIRoajHs,1608
|
|
98
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_printspooler_malicious_registry_modification.toml,sha256=AlNF4rCdfNWp4xVMpUYEYHtYq1vGiWwb5-9VqY54qKI,1709
|
|
99
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_root_login_without_mfa.toml,sha256=6kHzxusnxxfrjOoAVzHg0ar3eiQfLdnoc35nbxqQFjc,5377
|
|
100
|
+
nldcsc_elastic_rules/rules/_deprecated/privilege_escalation_setgid_bit_set_via_chmod.toml,sha256=ByHDIGHwpb4ynYkU_6ZBQKW4Sn5nyPB6yLdtmPcojaE,1779
|
|
101
|
+
nldcsc_elastic_rules/rules/_deprecated/threat_intel_filebeat7x.toml,sha256=PgkZ1AHtQPmjxdB3aoq29HBkSf9Z3hesx-_1S2ptQas,6963
|
|
102
|
+
nldcsc_elastic_rules/rules/_deprecated/threat_intel_filebeat8x.toml,sha256=P2To_aycPXS9uQVquiZWjQpl-XZGY4DUggWiyuwf3qQ,7564
|
|
103
|
+
nldcsc_elastic_rules/rules/_deprecated/threat_intel_fleet_integrations.toml,sha256=apK4wtHuBhL5vRGdIiG5rYIVKca4gYicu3yPdEA9HdU,7588
|
|
104
|
+
nldcsc_elastic_rules/rules/apm/apm_403_response_to_a_post.toml,sha256=ZIpSHsNs0SlFDVlHmZPQIPMXnPPCeMzrN7-o-a5k5r4,5258
|
|
105
|
+
nldcsc_elastic_rules/rules/apm/apm_405_response_method_not_allowed.toml,sha256=2g1rszIMgvs0Zaf0WBQxJbW_yoqr2putP8tDyC7ZJV4,5248
|
|
106
|
+
nldcsc_elastic_rules/rules/apm/apm_sqlmap_user_agent.toml,sha256=jmZAnk7gHPZLC8ZxxDhtE3pRhAszY5Oy3_RvgewE5xI,4897
|
|
107
|
+
nldcsc_elastic_rules/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml,sha256=Go2LKCxIwI44xq5HVTFMsETaqkvxKt2qA6Vo-F4UDvI,6344
|
|
108
|
+
nldcsc_elastic_rules/rules/cross-platform/command_and_control_non_standard_ssh_port.toml,sha256=3_DX-8CDapGSHHEcypgTTMeNGzJVp138ovapx_nnrsA,6645
|
|
109
|
+
nldcsc_elastic_rules/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml,sha256=tItB8IUVDZBpAT1GAN0J_aCs9gI5FCMgJO8Twqeohf0,3069
|
|
110
|
+
nldcsc_elastic_rules/rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml,sha256=VLHwr8P3I196NlRDjCKUSFl83fQoeaQi2LEWNuqu9Ko,3492
|
|
111
|
+
nldcsc_elastic_rules/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml,sha256=wo0aI10tqeIBUOhqFjh0pIfjx21t41haiEXlt6BheZ0,6875
|
|
112
|
+
nldcsc_elastic_rules/rules/cross-platform/credential_access_forced_authentication_pipes.toml,sha256=IHaB480daLcQF6SdhYVjgnUlD_j1oYeY4WhBg9htTRw,6553
|
|
113
|
+
nldcsc_elastic_rules/rules/cross-platform/credential_access_trufflehog_execution.toml,sha256=LF0l3Xdr880z5DGlxMvY4CQHUOqrcXF6Nb9PmNLjip8,6135
|
|
114
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml,sha256=8By1JMm0oxNhJMVv-YvqlUUJAl4fFspoOkWc7dOeL08,5663
|
|
115
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml,sha256=v4b-B5_CfJmhEuMDcvMKsiS-oDrB6R3FFHhvJi1xByg,5444
|
|
116
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml,sha256=I7kDvpYce1Z8NL05OFP9CRr4CtzG6ts5fUh0ZdbM1po,5726
|
|
117
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml,sha256=xuPv4W02Mph4pmTNa1hHJI-M2hEqwW-cf8ENTS7Uyrk,7025
|
|
118
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml,sha256=Fy-VPOKg7wZcyfwryXSFMkPdsBCLnwqk2t76qrxinEE,7603
|
|
119
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml,sha256=NtNYmX0maYCnSuDFgzqK3ZpKsUleH2X7i5yKS41rmLs,5738
|
|
120
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml,sha256=kNlUelmrrAqnD2-N5LuQMUaF31PNavHRRWMpX3RDQvI,6548
|
|
121
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_timestomp_touch.toml,sha256=gBETYl57StM1FBnQ5Gmq5aFYpggw98UfdXHd7JDdXYs,6282
|
|
122
|
+
nldcsc_elastic_rules/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml,sha256=1lmsKs6XdJ-slajFLYnL2-bXFYGLvnlEzuBVJXTraWw,5670
|
|
123
|
+
nldcsc_elastic_rules/rules/cross-platform/discovery_security_software_grep.toml,sha256=fHAyhS8GEZA3hcVxvw_IgRabtDcUf23zpdv5YwO3lj4,6071
|
|
124
|
+
nldcsc_elastic_rules/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml,sha256=qlNGkyDHusBCazwgz2v_uXoibA_0aVp5G1n-bQW-FkM,6206
|
|
125
|
+
nldcsc_elastic_rules/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml,sha256=IZPl492ynOI3w89Uh0zBDVgSei_HIoh4UtGT5Y2sSqE,9419
|
|
126
|
+
nldcsc_elastic_rules/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml,sha256=c-W_WRw-VMMIAc1lxc3n2Jib2oFMTZjMdzVub6pmzKw,6646
|
|
127
|
+
nldcsc_elastic_rules/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml,sha256=s4VawGsT6CiQ0PuzLPFeJXJ-J7iS1JdIAlJE12SSnqM,5176
|
|
128
|
+
nldcsc_elastic_rules/rules/cross-platform/execution_potential_widespread_malware_infection.toml,sha256=oi_7e1y0axyH7TUHobRHu4Xnfr-n4yuyM_dxx98vOqE,6100
|
|
129
|
+
nldcsc_elastic_rules/rules/cross-platform/execution_revershell_via_shell_cmd.toml,sha256=gWaO0oJM9FUpvcGu8cqjzymHh3iPgs9m-Xjfz9sKflc,5050
|
|
130
|
+
nldcsc_elastic_rules/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml,sha256=6VAeVUKS8iHw5TtWtSJOa45RRb7zQP8GdBxfu77fwZs,7037
|
|
131
|
+
nldcsc_elastic_rules/rules/cross-platform/guided_onboarding_sample_rule.toml,sha256=p1GJtIMLs7uK8ueRMlMk5OP-sjUstczOGzDeo-nXdpU,4364
|
|
132
|
+
nldcsc_elastic_rules/rules/cross-platform/impact_hosts_file_modified.toml,sha256=pbQsZdl0HbwgBdhs8TKH0AketSeSGrtHeDRgrt7D8ng,6155
|
|
133
|
+
nldcsc_elastic_rules/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml,sha256=QxBch-urFJa_M8mBylw_KuBt7p40A6DExV-DgUaBSiU,6817
|
|
134
|
+
nldcsc_elastic_rules/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml,sha256=kGrG8Sn8eHRxpqVikaMpvH7lJ6F7n8rEHiaiiL5AZr4,6092
|
|
135
|
+
nldcsc_elastic_rules/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml,sha256=Cq9vuF3tyd_Uu2MvCBss_R48NrRBg3vZ5MiY0_rjwdA,5893
|
|
136
|
+
nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_different_tactics_host.toml,sha256=YLMtF4Cn35gxcDuWZwXylLQ0a9qvAr2bkdKXFVqotQA,4899
|
|
137
|
+
nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_edr_elastic_defend_by_host.toml,sha256=st7y6zZTVom0_tbTjVFe6RCYc8Vw9DTuUWVfwAHkzuI,6452
|
|
138
|
+
nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml,sha256=OAJLTcNgFIIxdLFnP2nXMKfo0TAz72fai7fp0z6g3jY,6474
|
|
139
|
+
nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_email_elastic_defend_correlation.toml,sha256=_cnbuXg8X4kY8xq8LlEjC0T3dhw13SInhXB_SHmRw2k,4189
|
|
140
|
+
nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_involving_user.toml,sha256=R_e4TuY_OuAnOg8njulV_E_b5UklfPEMLEz38Zmob38,5684
|
|
141
|
+
nldcsc_elastic_rules/rules/cross-platform/multiple_alerts_risky_host_esql.toml,sha256=ZzWOlUP78eoyDOEfLOwzo1CHDONNoII_BelLwyzlIRo,6830
|
|
142
|
+
nldcsc_elastic_rules/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml,sha256=Mu6PiL0ona9s9IUmmhZCZJ-uz1PPtdqWc5jdDKVp72Y,7560
|
|
143
|
+
nldcsc_elastic_rules/rules/cross-platform/persistence_shell_profile_modification.toml,sha256=8IVozmp2qkRLZx2tSNkhJ9Um5MxQyHJJvkQA6O0dYhs,6366
|
|
144
|
+
nldcsc_elastic_rules/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml,sha256=2lajnfi6SDRrsgYBIYAg1aP6LTDMxoEBEqzwn20W0t0,6998
|
|
145
|
+
nldcsc_elastic_rules/rules/cross-platform/persistence_web_server_potential_command_injection.toml,sha256=LrLUZCrGMv0pWkxHwyH0dBjREddYNSu9V_8NyuXamfY,12886
|
|
146
|
+
nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml,sha256=a_IsO0G6AtUDVfX99o8bfZJ_HZKy1lzpvVfDnNRf8ng,5795
|
|
147
|
+
nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml,sha256=cjzZu07IvTYj_uELIRHeezk37Maf_YDajZkMjBF7x_0,6615
|
|
148
|
+
nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml,sha256=fRZeGQc-XCwHNzzVbCIDPlVxQaU8MupIH0b-2MAxKew,6292
|
|
149
|
+
nldcsc_elastic_rules/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml,sha256=fTzelNHDFnODyBPm8AI1tuscKXABUqHPplcvX379wVA,5582
|
|
150
|
+
nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml,sha256=_WAem94McY5zRjonuB8q1wkuEvLc4cXM1b4aHjnmDlE,6852
|
|
151
|
+
nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml,sha256=fEVr0c2uw9_tNqCsglFgsv8mT1XR6BaPwjF37QNrUJc,6221
|
|
152
|
+
nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml,sha256=4EWzpzh570MSAeIj9TIUhKInVpaMX7_76YUCiZiklqE,7019
|
|
153
|
+
nldcsc_elastic_rules/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml,sha256=qj8qHNXOa-B4LKKTEQ8kE9rKZtn1-OVPVJkVsXkF-HQ,9353
|
|
154
|
+
nldcsc_elastic_rules/rules/integrations/aws/NOTICE.txt,sha256=J_TLlzy-3FynutCsreov6dyNdxzN0cayBHv4dv9HzbU,1307
|
|
155
|
+
nldcsc_elastic_rules/rules/integrations/aws/collection_cloudtrail_logging_created.toml,sha256=RJP86WTPWoHmbKHwnGJClaA9JOj03xNMhyUIz_FAR3E,5318
|
|
156
|
+
nldcsc_elastic_rules/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml,sha256=BtUlfFLgg-ZFKLxfdQn4wBB1LHcCfHfBhebFcdWawyQ,7928
|
|
157
|
+
nldcsc_elastic_rules/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml,sha256=Zl483bumOX2jzaim3VBkhMcoJNR3UER6hzujvitdm4s,5986
|
|
158
|
+
nldcsc_elastic_rules/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml,sha256=3x_lY9eJMuLbhNL_9Wf20VYqGQfazIupiakUEsnDvfU,5813
|
|
159
|
+
nldcsc_elastic_rules/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml,sha256=Lplp3cPy4uYyYqhxRgLuvMqCWIxae7hjwRgDiPIh3LY,4866
|
|
160
|
+
nldcsc_elastic_rules/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml,sha256=Dke3i6EVk9RQdQFYkmgaanKgcNphvdeQvk1iMNN-jQ4,5649
|
|
161
|
+
nldcsc_elastic_rules/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml,sha256=GOWA-GRrdoKYF3Udgcrhha3NuTzp1s5ujToeETnn9Dg,7932
|
|
162
|
+
nldcsc_elastic_rules/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml,sha256=HC-z249LyYHOuh32nw9Pwsoe1zCXBKzCtcFPaB1lHrw,6827
|
|
163
|
+
nldcsc_elastic_rules/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml,sha256=3Tga6qkDlIoWnFL8mI5TvsZjyCNVFEeaNzfoLQ8qurc,7614
|
|
164
|
+
nldcsc_elastic_rules/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml,sha256=EvYFiG84Oe8VL-vS8EvlpHIOH6tEZ78hkKmiC66LVgw,8307
|
|
165
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml,sha256=EAciUrKQ3CrPuShSzpA5g5BfkiKBuBGrQT4C1I_p53o,5029
|
|
166
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_cloudtrail_logging_evasion.toml,sha256=q2DEv7kQ52n2jmG4ocrAHMFXSvh94RpvERLOLA0B2BQ,7536
|
|
167
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml,sha256=gGLRWxUwr_2ROU6NJz9d6Thu5Ky2Ts0y2JRgLAH7xJU,4971
|
|
168
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml,sha256=P7aG8NtJbrdLjzE9xWiRf5QyFwilNhkHSH4qeF0Nr58,8673
|
|
169
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml,sha256=EvLR0UlIS962RRxd_LEK3fupiuHe7k2AcsacK9oOmHc,6326
|
|
170
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml,sha256=Bm7t4lf61EmcSRie7i7NX5aFq_7szt8qbd3C0shbis0,6077
|
|
171
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml,sha256=kpkIvqJYuGkTiyFDfA0cKRLY7gSIqF4-QtXJ0FSF6Vg,6273
|
|
172
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml,sha256=Z9FAPJ9LpwBnBIbb0uW_24T3hKoF_3tZBbDXeJagZyc,6848
|
|
173
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml,sha256=GWFDAiG6tOyAvQ1BSbSVI56xPfIEuNjoz5D8XfM_HRw,6844
|
|
174
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml,sha256=tmV2GPEMcL5p3uJwK89FvjlWwLD9ENXnL3xaJvvkbsY,6649
|
|
175
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml,sha256=JIINOKPZzNCjc8PakKandRp5uYhCwo-8PcGPxed4Y_Q,7347
|
|
176
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_rds_instance_restored.toml,sha256=lUPa8G7AeiBmivXnwkjo7yfwgCH0UZVCRvlombHFgVo,6998
|
|
177
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml,sha256=JUKqj3LnC-QakpziQRgqSWmZKEFYy2Pr_SuTtuuBMN0,5278
|
|
178
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml,sha256=8pGC5ESemUKOP1Z8uw02LPnyIwLL2Lbltc0S_q0JufY,9296
|
|
179
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml,sha256=JNDaTM-Us7uqFRaghRwX4QQWnCDZxkueqTJdxv7rPWg,9452
|
|
180
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_s3_bucket_server_access_logging_disabled.toml,sha256=cjCjy3ph-cFDViP-Ni6_ssD0M043g8n05mwp3umhunU,7693
|
|
181
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml,sha256=_4i_7SMr01JJGlqEqzSloPLvjax1sM6CwmkQRnRhAtg,10927
|
|
182
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_sts_get_federation_token.toml,sha256=WYMAXl0YIuB24BsYo_K2CwyfEyWuHFLcz5k2tLUcCIk,7339
|
|
183
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml,sha256=lx3vB9Ntp1ADU73XyzCmYIxRobPe4uU3nch3sZe_D_I,6455
|
|
184
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml,sha256=TkoIXcSgrXGcyf9QoKX_jR_l9ZPkqoI5K3UyiDpFl0s,5863
|
|
185
|
+
nldcsc_elastic_rules/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml,sha256=XzFBbUA37QpLCTqudpKehvyjaQBghhuvYMZRhOUAdr0,6109
|
|
186
|
+
nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_deprecated_ami_discovery.toml,sha256=Pp0guprzdo4TOzDrPp8JaKAQ7oPyYeQMnpI0j6VEdOg,6206
|
|
187
|
+
nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml,sha256=AmNxhpiM6q_pxttTXg8Qk87nGUQMNogHboogamWX0ZM,7295
|
|
188
|
+
nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml,sha256=ard1d_HCx-z_4mMslbROYuPe7R0Nku5io6-9f8ToHbY,8119
|
|
189
|
+
nldcsc_elastic_rules/rules/integrations/aws/discovery_ec2_userdata_request_for_ec2_instance.toml,sha256=cK4vVEyZJcoQUf4kW2Cs25ruBbARH5DLFsqniSpFp3M,7032
|
|
190
|
+
nldcsc_elastic_rules/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml,sha256=Sbjdn7tQpDly2NjPCnKwsY7NRe3pnWiqG5QIjc3DO_o,7145
|
|
191
|
+
nldcsc_elastic_rules/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml,sha256=OGNblHLq3ztuIdMkn0Yg_juMnAnN1ZBa6mfVPnH9ktU,7740
|
|
192
|
+
nldcsc_elastic_rules/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml,sha256=b8OGtmRNTTFzpqJCW4GtDi79Qpzle0lVsfY42JQXfag,5900
|
|
193
|
+
nldcsc_elastic_rules/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml,sha256=FG3ni4WD5Z-X-dkpNBuyGW77kXognJSoTQUtbt365qA,6612
|
|
194
|
+
nldcsc_elastic_rules/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml,sha256=AI0QYOEfCnXjaIpaapAgWo3mHXysuZMJgAU0tlB7zvg,6212
|
|
195
|
+
nldcsc_elastic_rules/rules/integrations/aws/execution_ssm_sendcommand_by_rare_user.toml,sha256=CHN3Js8Z2f26aS6ZTrJVnrTaPFz51jJWaeJV9r31uE0,7461
|
|
196
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml,sha256=uSwHYyeApM3W52e0ImPXQE45ozry_dYZGbnIiqdCoEM,6565
|
|
197
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml,sha256=9ly2vTdA8rZ5WA8GN-0kYCY3ojH4JImIpeAazgDoirE,6096
|
|
198
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml,sha256=GfJtWty62DGwiPXI6gKHtJysNIv0XtIUhucsiDvC7mo,6548
|
|
199
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml,sha256=LG7Omj_2lAUI5Li59reJAcTIEpP2ujQTVn_ILicuP0M,9224
|
|
200
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_export_task.toml,sha256=QPJq_y1kHmqkp0wKq4KJ9USWEPbRhDEfQzCqDGhMpqM,7183
|
|
201
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml,sha256=99ippCgv0lT8A5NWK9PQz6wXocH0yvUSoH91ud9UyEw,8389
|
|
202
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml,sha256=I9QmIpHhmMSkzBh7ADvIY1Z2TwWGCrScNPYPj1c016k,5911
|
|
203
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_export.toml,sha256=aD3ifWgNQkZQBXMRK5J5-GRSACi4BsURnkWvs-uCY1Q,5575
|
|
204
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml,sha256=UVu61OyqBBMXd51YTpEFWQZx1MlpGNwluWBD2EaECHs,6436
|
|
205
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml,sha256=M_8H3WVPvQEGVuadwMDl14-0jZMX3mn3nv7GdwV_JIw,9944
|
|
206
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_public_access.toml,sha256=-xN6LZ2pQMa4qsZYfLYqnbRTks00pZPjCL434Fob6Ig,8974
|
|
207
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml,sha256=JhkcNos1KlBpjxxrbubI3i1fyQSADMjgc2qJPw2Pe2Q,5163
|
|
208
|
+
nldcsc_elastic_rules/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml,sha256=CBa6dItgrGD2M4P2stOobu-8kUsE8jMnYt0RDOfKqWI,7314
|
|
209
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml,sha256=TXfHWEchHOPgYzDUekxZV-4SKVhaGw1LnlaDXycJt9A,6153
|
|
210
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml,sha256=bdy-SzK7qyXUUtQMhPP7ca2dSK-nzUyc-9_xq0VhcC4,8137
|
|
211
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_cloudtrail_logging_updated.toml,sha256=rA66pT6SdGvjXZx6aI9AtMgGidDmaCZCH86q5XorKOY,5327
|
|
212
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml,sha256=vg1OV8KMozSV3DmGS8sBzAQ3gfHJA-O7pD8LNSItVZU,8321
|
|
213
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml,sha256=jmA0sBoKwoObqs01MBgFLFSdEuR5oUXPmbOROTY3iGM,8091
|
|
214
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml,sha256=Ib4oGxt1WJNDahBBRE4w3U8n_SnXCS0Bxvq2VREabvM,9367
|
|
215
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml,sha256=tgDHWSD5StwsCA_JIG1IL7BaC59fbiFPQPTfCoTYulE,9383
|
|
216
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml,sha256=MP3L8aqJ8rRbVQt1hvS2nMMQEnTVx12d7g4uySsE78M,6057
|
|
217
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml,sha256=PqP5VqX8332IKaLhGHibCdq72XMGHfLdokABRANU8rM,7608
|
|
218
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_iam_group_deletion.toml,sha256=cplF2-JcadpDB6wZo4QT_g-_j4sqa1YtKPAgDYyjgXw,5207
|
|
219
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml,sha256=CVze6V_A-Zxj-PAULTL0M3GMrUb3qd7C_aOW4svy2W8,6334
|
|
220
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_rds_group_deletion.toml,sha256=IfRWDlv8ScLpUOlJNg7fn7-cH-Rre9fVAxuz_62LGM8,6096
|
|
221
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml,sha256=a2mTygEDNMZQeFxDGjl6I3a5ON_TjuiXWV_5ieKLRRo,6794
|
|
222
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml,sha256=eSptNB3U73QWHxFj6ZQeEo73UtDIS0c7qSbGA1TcXOQ,5824
|
|
223
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml,sha256=jH6bfF6gNhUDH6hTjeqMzA2D__MSv867zYGBPBAgQPU,6035
|
|
224
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_rds_snapshot_deleted.toml,sha256=0TtTv7EqBNXf3CfzKUtskvOqYO_3HYU0I7BsepFRU5c,6045
|
|
225
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml,sha256=C5cVMG25p-CNbJdsqn4qAJmIM5-yr1jd0nhfpYYDN68,10275
|
|
226
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_s3_excessive_object_encryption_with_sse_c.toml,sha256=ysmVfQghjRUK6-2GlTRduF_0uS24RPXhyX7xS1COYrg,5774
|
|
227
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml,sha256=PE54c96NMy8O2r66eFep6rFL08_MqtTAvI3I9rSEsEI,7731
|
|
228
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_s3_object_versioning_disabled.toml,sha256=MTzBZImV6kF9v7c6H6SRzHEAZ7bDC4GmTmiCcBURb7w,8503
|
|
229
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml,sha256=kgmHccgJB8i7MmXQKVcNeZr9fyN_uYslIPHTYiWNCGQ,5740
|
|
230
|
+
nldcsc_elastic_rules/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml,sha256=9BSFjpzMQC75RFXMZWO7KpaJL5_JglPayCx74SK1V_w,5890
|
|
231
|
+
nldcsc_elastic_rules/rules/integrations/aws/initial_access_console_login_root.toml,sha256=WssE20BS5d9i4TOXVfP5ONubFXBWnj2-KLsbk75rm9Y,8313
|
|
232
|
+
nldcsc_elastic_rules/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml,sha256=Wd2wSxKSVvHyK3-eb-8pgiRi_uA_zOHJ_gfQoPYyfUc,11228
|
|
233
|
+
nldcsc_elastic_rules/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml,sha256=FdM5pt2Yrujf6-zApli2OY76kWtZz47-586RLUMcK_g,3392
|
|
234
|
+
nldcsc_elastic_rules/rules/integrations/aws/initial_access_password_recovery.toml,sha256=Lb39-UgXSGimgLxhtlDE7y1flrC2hzyKrQOpSL1USiI,7095
|
|
235
|
+
nldcsc_elastic_rules/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml,sha256=4GeyrSDf3opUNKNlLAu_Z9-H8-GqDbeFUAheGws8mvU,7071
|
|
236
|
+
nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml,sha256=BZHh5attQT4tzcRhiTdcpsux29lP7PevgqJUXSyXJgs,5714
|
|
237
|
+
nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml,sha256=JbgYqC15dr6N9Q-yf-JHvcXA4KOIO1telQU71MonrgY,8030
|
|
238
|
+
nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml,sha256=pXl1Oh5Di0qsDcTKDPD0HuFOaPkFzNbRR2CEhJUkNo0,9025
|
|
239
|
+
nldcsc_elastic_rules/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml,sha256=Rq9AI1rT5ruemMRe2RuDDD_wVSy3t0wMKLYI3qw2YpI,8412
|
|
240
|
+
nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml,sha256=HpmzelFvpv51Bs-a1dDMBPG7rBV1xkOADD0XsePgoZ4,7557
|
|
241
|
+
nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml,sha256=HCvWw4_vIoxx29SUa5EV3_971mSTPN1ggBO_TEJ6PEQ,7731
|
|
242
|
+
nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml,sha256=_kwA7nqeQLnxlspzubF7ToHLWhWcHIKBFTIa0zzMMAY,8018
|
|
243
|
+
nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml,sha256=ZK6t84mjqNg-5fctgNcRQg7-STmu_gOPVf0Rreu8STU,8033
|
|
244
|
+
nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml,sha256=G7-0RT5HWrWINzcS7Qn_BGLbj86Jox7F54j4bGB3EKg,7797
|
|
245
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml,sha256=FQGpbv5ykz8X9ML-Fr9H8FPKu6M2X80ASp4ldo3Ns_U,7965
|
|
246
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_ec2_network_acl_creation.toml,sha256=wa6QpnNQ0eT6ISVrWSe_-sS0lVTBTqtviluJ-HT4bY4,7500
|
|
247
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml,sha256=8m8lYosDwNcJbnyRTF7D4K9XhW5s0FV-7eoRWr2tMH8,8229
|
|
248
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml,sha256=LKXjEnNMDVWPzxFvk0DyNW_dlgU1XdTJFPSsxaRboMY,7754
|
|
249
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml,sha256=zVOYOcbL3fHGNq0ZvRJcxv5NFdgLOjXIi0fo19Dwjjs,8204
|
|
250
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml,sha256=Ba9CwlnauE6_tR6bMDmzQEFfAqR9f9-fZh3NDni3jhQ,9654
|
|
251
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml,sha256=6G6y_Ldq9H3qCBwofGJMBMKCXgArQJoS8wP2sc8GZaU,6978
|
|
252
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_group_creation.toml,sha256=Pp6tDk8Xy85asGrduZrFDsgHOA0a5ka1bliDqn7_458,5873
|
|
253
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml,sha256=bH_ob7wj33BssVacLLjQdFo2PgSQG73o15adGAxuha4,8003
|
|
254
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml,sha256=dVqIV7D1fLDyyEtCUIjbw14VZj_y5L5l0-sYd5nkjBg,8037
|
|
255
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml,sha256=Mb0Mhah_nFolphPN3ONirb8lhX7AXjbSz8HzXjl3UKg,10399
|
|
256
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml,sha256=q01z_zfIKt75_sAm8R2o7SoS6Xx51wwDMth5ReR7Y0M,6155
|
|
257
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_cluster_creation.toml,sha256=lklvnHv2VDTSMNxoTFNjcE6yiF8YjLJUU2LOM5dHql0,6716
|
|
258
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml,sha256=GakLKDtxguBEAZuP10MtUo_8OEPOW8u6y_Q4V7wRoS0,6685
|
|
259
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_group_creation.toml,sha256=KH6wNnPxbv7T8Dn6Blfb17F6xN2yFYj-nTsxrdpA6Cw,6106
|
|
260
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_creation.toml,sha256=SkSA6z-JXI9tzxOOM4v4WYtfYtD8WLgT6-udM0WdQJE,5885
|
|
261
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_instance_made_public.toml,sha256=QX0enKc6uc1PrgoFFKjoSJG1a3Nmx85cDAywXRVO2ns,6506
|
|
262
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_redshift_instance_creation.toml,sha256=K9m7VlNEDlhIFE37AR6J5_RcDMXEFzIeiAZAa1kS16A,6106
|
|
263
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml,sha256=i3IM0x00LEyAW19nyALNw8zaNisnz9MKr6olk7G5hs8,6370
|
|
264
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml,sha256=bOqCz6IVGEQdIgYoFqgTY9OL_sCqmk5NEaH8nZU7dx4,6042
|
|
265
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml,sha256=ZU9o24n_nx4TOzrAm1y_QFxMw0DxfL5yExM4ZcpL0hM,5702
|
|
266
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_route_table_created.toml,sha256=gme5ElF3SKLOHxpe15ju9V9XW8pl-UAFQD_KBhg4AJs,6674
|
|
267
|
+
nldcsc_elastic_rules/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml,sha256=xn48toyHgwnBblI5TtlLeoraihaLMUBqBDNIsLo-gEw,8011
|
|
268
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml,sha256=c5CRL8inCRMicluuhrkj_huSyMSFPcrlSiOt6rnjEWk,7366
|
|
269
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml,sha256=FzTT0NoE-tWfHzsSi9xn0b0J72Vxjaxn2JB2sjSN92A,7294
|
|
270
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml,sha256=HXcJKt3ABsKeWvt2g1Cqr6VcHx03RS2kzBqdwWKzLY8,8150
|
|
271
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml,sha256=rwTAIIJwd0acpcGiuCoiIGNryCcS-v84OYQoyAvJOCY,7760
|
|
272
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml,sha256=rRK3mR4K5EAIJtOFonJSC7aqSDFBSwnfIa-3si8SwMw,8018
|
|
273
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml,sha256=0fFZSwyGkMh9CHqCrxwD1LeDGufRjHv1OwHRC1t7bI0,7306
|
|
274
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml,sha256=9ECtwk5j0n76IHEOsu-H6rWRcarai9nGPXBU6WTIKGA,7597
|
|
275
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml,sha256=_YroOLuUvZxsgL7Bj_qODFZcL0NCJyIg0TLCKI3dQgc,6991
|
|
276
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml,sha256=CJ4890fqiR6BDOGl2LIrYtTvfLT1fSns4z8iyodgrxU,8184
|
|
277
|
+
nldcsc_elastic_rules/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml,sha256=bvw3qAjChOQ7nAerHUxQC-r5RFg5w8JgxxfB3UfN5bw,8895
|
|
278
|
+
nldcsc_elastic_rules/rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml,sha256=LkyN7cjoaQTOf3nruuH9niphBHOhSl10Suss_1Ir10I,7000
|
|
279
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml,sha256=c0cevT1mzWoFBX3gWSkDPj8yS7-hrq20C32I5yVCM-0,4847
|
|
280
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml,sha256=PqwbgjDSYma97wSBCrHkLxWG-TXDQY4FxI6cX7Yks1c,4857
|
|
281
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml,sha256=25G1pGkA_Pm9YsvEGJWJUzPADbmoepeGrWBn16IC4vw,5269
|
|
282
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml,sha256=sdLX9ZiabRdEBxm1GHsEQpd3C5gQKgyL013aOEcXmOM,5314
|
|
283
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml,sha256=T4DmttjFKaD-rI7yuuB6r_ahvOoJFRbW7HY1BujplYw,5036
|
|
284
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml,sha256=u2c1QgxZcO68JmBCn_r7Ofd20lERSpnWi-QnGbepXDw,4568
|
|
285
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml,sha256=7AXcjkalDO0nyTjJV3Hdmab9dqpFUN6z-O9QDvillHQ,4748
|
|
286
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml,sha256=3Quejfd2m3jCBtrnbtnf1nQp6PvuUPX1Ol7JezXROUI,4638
|
|
287
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml,sha256=tfMEkbWtIQ-hePLJTUuWB_9q1D6Uirbc2JSbzFumlvE,5019
|
|
288
|
+
nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml,sha256=YCDnc0Ztis4S7XDXsLcPROoVqWtBpaznHl3mLesDxM0,4652
|
|
289
|
+
nldcsc_elastic_rules/rules/integrations/azure/collection_azure_storage_account_blob_public_access_enabled.toml,sha256=0GkNqHNLowP9mmdjTVAxMNb95ZbLV2g0XjuE1sPGptE,6092
|
|
290
|
+
nldcsc_elastic_rules/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml,sha256=NM4ic7IydF1t5jWexWybyr-Pnm_y887xufzevTVtuTk,6931
|
|
291
|
+
nldcsc_elastic_rules/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml,sha256=2AGF1nAZUzBljOG1MZXCLnU-lYa99akb8yIp7SQ3AuY,6776
|
|
292
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml,sha256=2t-Os6k1qY7u8HOyvFizO1ElJzbnLrzCbCOotTUGjE8,7711
|
|
293
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml,sha256=j92m5z6V8wxXJJgJX5PKKl-0TnN_LJ7VqkCSojtlANo,10331
|
|
294
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml,sha256=MawhtArdpXoYBKdvMrJKYdChAKIcGPSTsIjZCcbqIcQ,5979
|
|
295
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml,sha256=2pOG3RDi5nkJxjL3vjgiwmQishbAaQGPqMtXOUb28io,10966
|
|
296
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml,sha256=SxC4R00OxnBCKPx88JY77TwMu51ukRwvL3Snf8TyEzw,8490
|
|
297
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_azure_storage_account_keys_accessed.toml,sha256=9CUi2i0wbXjstu7SAIJgDTywOcKN9El1xE0v_T6bDd0,7267
|
|
298
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml,sha256=OLRu1nEkE8oOnZFSwvBbSEPmQCNY2IHDoEX7AMxE0AQ,14220
|
|
299
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml,sha256=wKsjwH7ollQoeRLqi2WZuszbjaJwD2DDg8gcY1Nis1s,6576
|
|
300
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml,sha256=A8mllBRUeCQetUzZ0DgGYFQmC0uGlAEeOMbb3zADw5c,14610
|
|
301
|
+
nldcsc_elastic_rules/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml,sha256=TbGOqWOCd5OAOYfKKTh8wIJJ3Wymmu8YRWo8ZqvlAdo,6633
|
|
302
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml,sha256=CLfE6vVnbd9pr-ephxa3qLgG8FQZupGeqRsWZz0XxcI,5458
|
|
303
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml,sha256=m02TjgWXmpz1K3CBJ3IPjEmELPQ-KVBIJdoySixDG38,6203
|
|
304
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml,sha256=rtys8CyV8EuO16Om5zHfV2iJnd7fBBb0wTpLFtT7qbU,6954
|
|
305
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_event_hub_deletion.toml,sha256=hSrYUm0jw0Pt0ySMYYnA7fen5Jbz5mc9Zw6ONIbvBKY,6336
|
|
306
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml,sha256=geSxNkSDnwUyHp_2b6idgOXtaN9rIW0gSHqav9d-eLQ,6253
|
|
307
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml,sha256=K2dFQEAPVHQ-t0npiFN3rds6iP0AN70tYW8dGCBD93M,6014
|
|
308
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml,sha256=x7RFSa6BATzcYVWQ_9_iuhLGvOBzLGYePf-bWrT8J4o,6205
|
|
309
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml,sha256=-8ZWwnBdrtfH2FDHjZWcoJ5vzVaw0yMmzVfKjKnjj4k,5971
|
|
310
|
+
nldcsc_elastic_rules/rules/integrations/azure/defense_evasion_suppression_rule_created.toml,sha256=Ic2sHumhkOuxjhJqSqlIvUFurJrhhcs6q3cyWPX8ej4,6483
|
|
311
|
+
nldcsc_elastic_rules/rules/integrations/azure/discovery_blob_container_access_mod.toml,sha256=v3Qmi22l_0s4DjlkBrs6-F_7Y_40uPSJQjhMnXrGblM,6510
|
|
312
|
+
nldcsc_elastic_rules/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml,sha256=k907_l0eHYmAqisP2YPXac80mH_ef0HujhkgVLw8zQg,7370
|
|
313
|
+
nldcsc_elastic_rules/rules/integrations/azure/discovery_teamfiltration_user_agents_detected.toml,sha256=F7N7KMc9cpkbDnErEvdwD375dmqw0qwremhZLFCKdXY,7855
|
|
314
|
+
nldcsc_elastic_rules/rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml,sha256=UxvJ653wBiWtkHYy16KxLgixGFWAcbTId65tpb4iIQg,6291
|
|
315
|
+
nldcsc_elastic_rules/rules/integrations/azure/execution_command_virtual_machine.toml,sha256=8HcdiZDy-AbbHxKEOUVzEuDKdAnFq0EgnGzPS_fvPUg,6359
|
|
316
|
+
nldcsc_elastic_rules/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml,sha256=71S7vrY8fSDdAFVLDtHGQS9GnHBtNy2-ySB4o5xPwX4,7353
|
|
317
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_azure_compute_restore_point_collection_deleted.toml,sha256=URI6Pz-knl3zhZEYCJKuM9qi16V66TjYNsGcO1U-jKs,6118
|
|
318
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_azure_compute_restore_point_collections_deleted.toml,sha256=YDg6ORQyvI3CyJ4WrD92PgAOR0kL2j6AisdYg4G7BLc,7889
|
|
319
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletion.toml,sha256=kqYvdtBwsJlcqb9yjJRXF6blhc1eNQDvTET5Jx7ee54,7383
|
|
320
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_azure_compute_vm_snapshot_deletions.toml,sha256=f1deZKfGr-f03ibDiJ1eURqJ6Axs2vrjPjSQY92uUQA,8380
|
|
321
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_azure_key_vault_modified.toml,sha256=ca5sGzBimF6KAwUBevkUfQJSFwNcYmZVK74pPPjYajU,5783
|
|
322
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_azure_storage_account_deletion.toml,sha256=fsxy0B1VMkBPrzpUBNXF1pF_C7bHuoya6ZCoUX1x4JM,6164
|
|
323
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_azure_storage_account_deletion_multiple.toml,sha256=-qL2nZgaNOgfK0hDd17iqtLFAMS3Nnc_XsUTq53I9ao,7010
|
|
324
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_kubernetes_pod_deleted.toml,sha256=gcV_qexlXJKkVy1MN2uUYOJjUL4ZxeUSiKAqdXhmJ_Q,5931
|
|
325
|
+
nldcsc_elastic_rules/rules/integrations/azure/impact_resource_group_deletion.toml,sha256=tU5eNwHz-AmTPUeWGya-zw10hvXUx8crQeeLXYt1-ro,6679
|
|
326
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml,sha256=Z5wHmmtO32VXwQJPZTybnkA5AbL5l7vqPxN4xeHVY4o,5228
|
|
327
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml,sha256=HymEZSNijfX2RH6-yDZG3ULrZLD1bwsTi3qUjmDIhsA,6047
|
|
328
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml,sha256=tBCuNKwT25BTsBUE5QWIQUt4P5cUgM0Mg4PQTXAPHk4,12000
|
|
329
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml,sha256=KBJvECFZn3ebu-xY8CIqh5gNEyRqUmbldF0zleK33i4,6044
|
|
330
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml,sha256=k7R7MAzmo_mDMqrMN-vY-88A3wT2AsuMP1M_I1LYLOU,7463
|
|
331
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml,sha256=Yh_S8rQfds3uT_cFKFU4h7Xoh5n0RYbSAQUJSCiIVZU,5125
|
|
332
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml,sha256=_uuH9kmBlgcWWBTRNUPwUeUleWTVitysV9BVOjcxEWo,9833
|
|
333
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml,sha256=dw8fH9x3Rn8j0BnajEB3TnsYhCvKjcjNmCmXCVCUnR0,7297
|
|
334
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml,sha256=4AhWhu3C862RnekA7sAmgW6yr3HFXPxGyEyYjjwFvCE,8721
|
|
335
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml,sha256=fpCgZaV7RF42PjzsIAKwmoi-cOOK7yN30RkpMpgECw4,8460
|
|
336
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml,sha256=lkbgMHsDes2rx9MtG-FRBZ_VHATThqJkaJxdugO-8BI,13164
|
|
337
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml,sha256=rDKuceuvfMWgRT5Xz1uab-GXs-XOVerNjR88sBeV6tc,6539
|
|
338
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml,sha256=E9iMnK4bk-f2h3pNDLnQrRcy_waMwqaqfHcLcllaEs8,4832
|
|
339
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml,sha256=i_uu5jLSoQ1XjTzLzdoFY97SO3DcHKqzn35bZNuCXXs,7118
|
|
340
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml,sha256=D8OFF9zSqJs4UyutHV03VOUyD1UIxG6cwpD1pbvbLss,7914
|
|
341
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml,sha256=GrX9d7RsyUyumJqFY-GJxucyIxBRsl6U0B9qd1MJXGY,5430
|
|
342
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml,sha256=MRaH796HH7uXjLJ5bn2ClH9GoSiezAe5PHlZLTBSUdE,9018
|
|
343
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml,sha256=ShbZg9wnIyAEYc6sJkvQSnnYh91HX-Y0HzB_k06cqhE,8847
|
|
344
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_external_guest_user_invite.toml,sha256=nEhMCfQp5uNayZKRCcoezB1HzRWZaFljEyJKyqtMtT4,6393
|
|
345
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_first_time_seen_device_code_auth.toml,sha256=QSaPp-LThIMo4-cA5ERY8qrZnZIxC7IJvzwxi54fRl0,7918
|
|
346
|
+
nldcsc_elastic_rules/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml,sha256=G_fktDxgC6Hap66t9tLAl2_YBc41iw1FTBjJhmFTnq0,6489
|
|
347
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_application_credential_modification.toml,sha256=uc1QLRfU9rV4vq0xiTJsRnEB2KcWk4DbniXnfTwFMsM,6406
|
|
348
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_automation_account_created.toml,sha256=HVDz3et3jxZHloBC_0Sr-yYF5lZp4bs-JF9aXbfLew0,6072
|
|
349
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_automation_webhook_created.toml,sha256=sk2unPzhdRfFfq2VvLGPsIxXSOXdvvpirb1UJy5CeQM,5914
|
|
350
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml,sha256=ZGmsADVINfegMVPo9n_ej1Jcc2xK34uaH1Khx4ky2sQ,6581
|
|
351
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml,sha256=qDZKw9ZodwxuC4dysA_SLxrzx_ih0RVje7ZIYtFVNLc,6387
|
|
352
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml,sha256=iw2ayGySpvNbumQ12FnOiTONCLg6UEw-l_596PtQYLM,5676
|
|
353
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml,sha256=N8U7TG9h7jlrsth4Jl96K8dn0YcWG8IhYHisk5u1pjo,5990
|
|
354
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml,sha256=_Fb0p44qzj4-7wXKz6HTdZnvJlPL9kSaDiYlxOPE4Uc,5160
|
|
355
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml,sha256=6e5juIy3RgmxyCW2LB-GZViX7ldylByx1PnIWAjnmuc,5561
|
|
356
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml,sha256=P4XBfRRNrsAKuBoU22x7yDSdlEYY0NBZ_Coo41yB-cA,5487
|
|
357
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml,sha256=V9Lq5zS1INPpwvKnjEr2ZEGlrFxVJh7yj4aVut4r_9A,6583
|
|
358
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml,sha256=PbdEzjkmlOTHEqluWv65L255WAVNjDUN57-C-idaShs,6108
|
|
359
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml,sha256=pG7yX--C_PQ3yMqFyDrJPPJat14XRT4AXT9GT8keG_o,6185
|
|
360
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml,sha256=LQQer2N6i0wI1LGdvBRBzGgzv1BIfYjjtKeZ2QuA1UU,6998
|
|
361
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_service_principal_created.toml,sha256=u1ymKfrDC9vQBORVBlnds2DFJHPu9FvBCPZAnWVg4lw,6356
|
|
362
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml,sha256=bnjZRG6Yu0_0-TJ-2aevxY7lcIYlYorq4XaqWvhl4vg,5388
|
|
363
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml,sha256=f7UhIjKMSppJNNZBAW_CPl9yxezkyaW62KChKoI4tc0,6076
|
|
364
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_update_event_hub_auth_rule.toml,sha256=1l87ktKB0J988sVTjUpDqy205Op4GximGnlZw1d6IDM,6636
|
|
365
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml,sha256=TQwu3zuFQEZsRb-YvR-PVmblCbiGVdB9NimH-2lpDJ4,5571
|
|
366
|
+
nldcsc_elastic_rules/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml,sha256=j-9xPb92sG9wcc8F4Gc7wwwHry4gHxI26kEvwiJAXm0,5800
|
|
367
|
+
nldcsc_elastic_rules/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml,sha256=CBdOJigumTXPDEkpI5Wd261yYH6a49eeNUBaQhK1GFw,6712
|
|
368
|
+
nldcsc_elastic_rules/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml,sha256=RV6hzF6OWHwVBklikvmsjgymkvrwINPDkcsPX8ggJZ4,5706
|
|
369
|
+
nldcsc_elastic_rules/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml,sha256=Epm1ApbtU22pMufV5nLO5awKPkW6_l7nUDQTGT0oMfc,5441
|
|
370
|
+
nldcsc_elastic_rules/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml,sha256=k7TmTJjP6U4hoMWtkHZpeml2xar7ddOs03uiXjsIZEQ,5996
|
|
371
|
+
nldcsc_elastic_rules/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml,sha256=VOiDNib8m07nXzBHp1CdpkkhZKPAL79HtetheJ23OZ0,5792
|
|
372
|
+
nldcsc_elastic_rules/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml,sha256=vvjnYVCilaJqtKtgE-vmX-yNqO46CEZD96uE2c8LUXM,5754
|
|
373
|
+
nldcsc_elastic_rules/rules/integrations/beaconing/command_and_control_beaconing.toml,sha256=beqZ3uSu0G5aH7G3fKbarjXleVf8_6UQJ_genng6buw,7890
|
|
374
|
+
nldcsc_elastic_rules/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml,sha256=-DmlSn5FbfmH3rukFMNzcXUBGzjdmEKvyHfGgFRrq8I,7270
|
|
375
|
+
nldcsc_elastic_rules/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml,sha256=g1PZStfMBEpfo26iVV7jxoTzO3YYmWDQNv1M5vnrBvg,2055
|
|
376
|
+
nldcsc_elastic_rules/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml,sha256=7wpibNWzfpXG_z8ZuQpApIOHaWyzGMqdpzHB-dsW5zs,2327
|
|
377
|
+
nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml,sha256=yUyqYWbt_-tPnZWiee092frdu7OC82y6QnR6cghIbiE,7035
|
|
378
|
+
nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_ip.toml,sha256=-e2f9NQKVz2R0sOFDBeCLpQ2ZwNTDLotMvwj1BYm0ng,7146
|
|
379
|
+
nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml,sha256=siLAoIEQmcwd6tVe9USiWZ0u-Ng-VD6aV0MzA87mVZw,6972
|
|
380
|
+
nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_destination_region_name.toml,sha256=VPcnBSb6qATSBvTIGlSEk8M6ohHZJjdxtuo4wr5YR9A,7073
|
|
381
|
+
nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml,sha256=HW-jgRxFbK8BUBEwalAQW-IqkzxSQUr88jMBApjiQJ8,6752
|
|
382
|
+
nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml,sha256=YwqryqA_PZkg-tcb_4UXyqdQuliOp1v1knfEKKMJ1B4,6950
|
|
383
|
+
nldcsc_elastic_rules/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml,sha256=Qer-2B4zlg72eYoJxrQ2qV3Kdjj4lSDD2Ps-QCgs2MQ,6622
|
|
384
|
+
nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml,sha256=L-Y-ZYGXvI2YoMN2zwZPf_2QguPQFAOPlXaoCgWN9Kw,7844
|
|
385
|
+
nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml,sha256=bP0I6i5aZiQS0LZ-BvdG1UdkPeL4EMgPkYBVjMUj4x8,8160
|
|
386
|
+
nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml,sha256=Pz6Zy-U8hQ65GFhn392uSWj5aGwowLgYVYJ6q1N3SOo,7586
|
|
387
|
+
nldcsc_elastic_rules/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml,sha256=5TaN8Xq5OERJenm80EgOFLxa-ywrQZwHiWXaVBqnuBg,7601
|
|
388
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml,sha256=6aYCF6vJq9jFoeHmEQlHki90_jomKfVU1xiuXmejeZc,8837
|
|
389
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml,sha256=K_i3j0ZsXFiJruD8AFPfkTWSsTnrwlxGUYxFjyVrnaY,8814
|
|
390
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/elastic_endpoint_security.toml,sha256=7JuxGnkWghYWeJrQTlNC_QP-4ErFwhZUw_9TWnPhCR8,6892
|
|
391
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml,sha256=oINVbk8RAmb4vcg7D_kzJ-eNr6ZvN4jjo38bz4UpU8E,6928
|
|
392
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml,sha256=HqxuwMpWU0DdAPsca_DN7_huN0C-UD4StK9ePoxSRxo,6907
|
|
393
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml,sha256=j0CdnaijJeAt9XYH333dOfAzwNQHyPQuGY4ylgwRoE4,8719
|
|
394
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml,sha256=-ZPqaZmP2z-Su3cEmdqW4knt99pjQm2JQtU7eTBXHY0,8697
|
|
395
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml,sha256=i0euPpVIU9ybfJMJd_KLq6vgW0eYJAXZ5AuzkKx-RKk,8674
|
|
396
|
+
nldcsc_elastic_rules/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml,sha256=hWJgYtCQYC05-sA4f2dzwKiHOK8nylNPT8AizyzDBLo,8659
|
|
397
|
+
nldcsc_elastic_rules/rules/integrations/fim/persistence_suspicious_file_modifications.toml,sha256=9wSprMy3phqTQEhQ5hEagN4aIp4dxnfvpuFEALsz1P0,14597
|
|
398
|
+
nldcsc_elastic_rules/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml,sha256=zn9hBV5cGzj6-NFmzyMD59E_lBRPIQHudV0k1yM5Cyo,5620
|
|
399
|
+
nldcsc_elastic_rules/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml,sha256=Opz-8ulSqyD7ksLmIISm_ArZiKPHox6Lc3yr_eWErgY,5776
|
|
400
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml,sha256=ok9-iJDOFd6AZ0ABCZfGZTdxnPUqH7gtzolcAVryvhE,6431
|
|
401
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml,sha256=w6q8AvmuTR31EGniMLOCpF4GLBYFh9Z9x06nskkH2TQ,5892
|
|
402
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml,sha256=iPe3TCAU_V98J5x-pNQky_MCQ8hDB8iTNOVdQ_k1DAw,6042
|
|
403
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml,sha256=cFbhrrDKfVtxDUXi6YMT4ZwfWHa8RScbP7Rkvs3CHhE,6151
|
|
404
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml,sha256=INvRjYZmsaip6PvvTSGbaLQyDiwCgJ2tIxWDlpD8lvg,5886
|
|
405
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml,sha256=wKV_Hk6Rhz1PgkLX_fXSqsbWF_40J8dh5gaui-0CgxQ,5720
|
|
406
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml,sha256=cednGFdqAbG2SINUVZs82VSRrb8WXQZ1rsPo2KSEGHg,5898
|
|
407
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml,sha256=BZmS7CE65xmIBWtff6ZRjBWTKL8jeE1ALpTP4Cq4YYs,6073
|
|
408
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml,sha256=kBGGqBq0quX66cHDzDnlMW8HoRAHpDBt2vevlqvEMOE,5893
|
|
409
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml,sha256=iAyswdK3dd3psGlsshkrCwWSaUJAQmlS2zaxm1-nZao,5871
|
|
410
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml,sha256=0wlViS2g2Uu8K0yqbgrsOh2fFQuIJwlSCOL69BEjl5c,6257
|
|
411
|
+
nldcsc_elastic_rules/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml,sha256=p6yRyEvj6XBnwt4bEJBIc483bUCYdsjSkC36ofUJoz8,6165
|
|
412
|
+
nldcsc_elastic_rules/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml,sha256=lzx-HGw4W9iJpoQQC83yXXnHtsbhNmJisO9bUdTxHYk,6122
|
|
413
|
+
nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml,sha256=3xfXkaIMaiu9kR5Nx7HvZCTl9Pjx7t5GCccBm1jTR7w,5732
|
|
414
|
+
nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_service_account_deleted.toml,sha256=kAVEKToZy2zBmx6TPL3f1kWgw3PZTWpNKBKIHA93yoE,5721
|
|
415
|
+
nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_service_account_disabled.toml,sha256=I08lGtCXy11ojZfYMlsYe8XzJxSnYdFja1wDGrAVmrg,5645
|
|
416
|
+
nldcsc_elastic_rules/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml,sha256=Qf-ZZH_3z9brqN-0klxtL-FsZAjFiZZS36Sn-qzTqwI,5489
|
|
417
|
+
nldcsc_elastic_rules/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml,sha256=fLfQBKs7ImYg1DxYvMwSalz5i0ZE3F0cg1a-EL3fC0I,5977
|
|
418
|
+
nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml,sha256=bHIsaQHQrybqxO11obuciwWWsNU5sYxdG4PgtsrnxhA,5711
|
|
419
|
+
nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml,sha256=7XqyO_jEKz6Dp8SqKZeCRCpK4BHJJq49xyMZ1tuZwbw,6128
|
|
420
|
+
nldcsc_elastic_rules/rules/integrations/gcp/persistence_gcp_service_account_created.toml,sha256=OBfAb9oxCppW3-P5tG0A3E-4scrqHPDEnM7iHpVL4Nk,5604
|
|
421
|
+
nldcsc_elastic_rules/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml,sha256=0jBQsfFARBCG0gwjWqgohVi9u8XBVJinyUZ0IRWEGtU,5375
|
|
422
|
+
nldcsc_elastic_rules/rules/integrations/github/execution_github_app_deleted.toml,sha256=lUaccDzoJSUVeSFCFcYp3TMlV5O2ezDJk_Vpi4xPSY8,4793
|
|
423
|
+
nldcsc_elastic_rules/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml,sha256=WHTSMMTXGx-_evL-naeTN9QS64PnM2idGY3PQs60q8Y,5079
|
|
424
|
+
nldcsc_elastic_rules/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml,sha256=6q-SntMIphiYXYTB1_Th2IH790UQp_-7pI2uqtWrzi8,5139
|
|
425
|
+
nldcsc_elastic_rules/rules/integrations/github/execution_new_github_app_installed.toml,sha256=MkD6gHp77xXX-SCceSoWrfQgAXS392mBTPt5W875thw,5030
|
|
426
|
+
nldcsc_elastic_rules/rules/integrations/github/impact_github_repository_deleted.toml,sha256=IJJ2S5jZqlKAdtz5HlQLJM-_BFACYGWErZ0csvPqwp0,5248
|
|
427
|
+
nldcsc_elastic_rules/rules/integrations/github/persistence_github_org_owner_added.toml,sha256=LbXN15NvNoQagu6h-A5Wt7xT_UZ1EsM4BVHQOQDyl1c,5336
|
|
428
|
+
nldcsc_elastic_rules/rules/integrations/github/persistence_organization_owner_role_granted.toml,sha256=krgvUBqURO0EJgbO6O85jZCU2lDcAmCo-MGbodiUFY4,5126
|
|
429
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml,sha256=FlES1Pm0gy22moYPW4LO5uRdluGsEU4Nz9JpucNUnwk,6762
|
|
430
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml,sha256=vc-vHBfyOJj9pOcvvFG9v6kFS-K7oCgxOU8ALWrRJP8,6657
|
|
431
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml,sha256=EsDdILNPqFI0qC1KZnR2kRM8wy_IUmucSfKAbvtqrDU,7615
|
|
432
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml,sha256=f9XJiZmSnOAcNvv9_zuyjv8p-BWqv86WcTJiVqXK94Y,7579
|
|
433
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml,sha256=oz9xb0Clo6Q__vpjux7sSRPaxxdHIahowVGlPa0JZcs,6026
|
|
434
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml,sha256=00OHyV1qyLjVGEWBS3KT09yi5VFW8RN5b8aVnl-iP6o,6346
|
|
435
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml,sha256=bQbSfMHmOi0sz-WDXLBBwFgNJb-0nkDbRsCtxzI7Lm8,7618
|
|
436
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml,sha256=Z_uqwiUaPO0otQYWIWhUUkte7Y9ugTSICxTs93CKON4,7579
|
|
437
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml,sha256=bBR7s_FEaulvwd7td3iDT311L_aMiELyQrxYGCizNtM,2219
|
|
438
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml,sha256=gHwhsvgSxaZGWUC78TcyWyXyhpRrTWEOwb3sZ1WU-1c,6262
|
|
439
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml,sha256=LJ0F_nKmneK-cymEcEAWt12wczoP_DVR-oukq13GQQ0,6228
|
|
440
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml,sha256=kFPuv5XFpFmVLygTxCFH8JNSJIut8JU344giQagrhj4,7000
|
|
441
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml,sha256=dGGxBIhxitxerDSijj753Or8TLmzQe_tBWNmbIrtc-o,6820
|
|
442
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml,sha256=DlRq0x180q0cFfOR_cFtnphIKHtbhR6Q1z3FvERI_90,8249
|
|
443
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml,sha256=9C4P40l5Cg-bP2hXwmIby3MEir7N3JD2xW-1Knhv7Jc,6721
|
|
444
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml,sha256=h-ZM6nLfvY2UmT0pBmZO3Rrbv2rfo08mty2w0fxTHuc,6728
|
|
445
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml,sha256=eHvwHLRiUzFQK5Z-23N0v09ny1wlln7dWlJFRrKcPEk,7484
|
|
446
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml,sha256=yADwDxtcVCGaosfr8ILvpmL4xtecbbq1hBrPJZOansM,6905
|
|
447
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml,sha256=p2ePG03eMu2bAmzR4BRA3gt0oPqcd6NJ4VFbUNYbSqM,7209
|
|
448
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml,sha256=99AySUmjxq_noPxSMLBV7YYn6cLYQpZDXo8OXzGxhhs,6891
|
|
449
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml,sha256=ppX37krjo76hOtGp2MsrzB58ZZWIghf0S-dZ3mHYVW0,7110
|
|
450
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml,sha256=oxAYWeX_CgvxFlHCzr2o4v8-TtKVEgXsvDQlOeUF3Io,7313
|
|
451
|
+
nldcsc_elastic_rules/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml,sha256=IGkaCHQZng1S2xfIWby2niHPmLInChdW0lLLTfHs4T0,6272
|
|
452
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/defense_evasion_events_deleted.toml,sha256=zNLc6c-JnG4VUpO5oIZS4E1OEXPYIzViIRU1YhPLuEk,5695
|
|
453
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/discovery_denied_service_account_request.toml,sha256=dH2fFQLV0nmbY3JE9y8Yk1Ydu8PDu9o0pHaWQICtFxg,6350
|
|
454
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml,sha256=Wupl-CL_2NqC-xEaOwiA2Y6ZCyw9mf-z9wjVA--ZIoE,6704
|
|
455
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/execution_forbidden_creation_request.toml,sha256=W7HwCH0kSdS26wB97DjXoKCstFVza-554j1XTJXgGQY,6471
|
|
456
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml,sha256=F5paEqflG8gP_eVg1HBVV8H1g8mqdT5bJk6x4gvt_JQ,5789
|
|
457
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml,sha256=VnQ1CbNh1xib7ddERaNoalMgECYd6IyWiApc3u8Y4ww,5531
|
|
458
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/execution_user_exec_to_pod.toml,sha256=lJ2e2ekx96XSzniRUVzpYeVCeTU28pVaIFGLXRn5cz0,6526
|
|
459
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml,sha256=Mrq2Vfeu3OmptjSxkygD8DHPqMCyPKQY3wcMhcyOUPA,5869
|
|
460
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml,sha256=hsrAhHYdkgBCnpnwwBQlpCrYo7TfkDCpFjY3XNWN0Tg,7391
|
|
461
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml,sha256=UyqGblumaBF4blTnd67EnA2mEJo_WQ-OZz6hDunTI2E,4615
|
|
462
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml,sha256=0NQBcx0zSpEyO1C2TGZ8--7iVvVAD-FjEY3LzObIbhg,7187
|
|
463
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml,sha256=VLMa2eWBzoqUwDsByF008n-0q60Y5jQZH3tG92ns1QE,6703
|
|
464
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml,sha256=gr6Hfvy9P1GEZzipht0o5FVNX3yfnuoFBUOlb10qjtc,7589
|
|
465
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml,sha256=6gCC17k_7b7ne0LrkFYnW-q_xMTr9lQuwQt-8CsG2RY,7800
|
|
466
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml,sha256=Ng3rNLSGxQuOTclgq7KfVlyCV4EJzf_SqM2olayiK-Q,7094
|
|
467
|
+
nldcsc_elastic_rules/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml,sha256=4ZUkLUJpPU2m9yTMUxsg3CIuntPrvnNnrd_A4xJ_DWw,6741
|
|
468
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml,sha256=2M9bFXoLPQr---e6OntckGMUQoch-dnsXxIfjZ2KBjU,6833
|
|
469
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml,sha256=xNtBmfkLEpd9RsGfpIf2rwgQA79KudqIHMm-SHtHwrk,6686
|
|
470
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml,sha256=BA2WHHuS9J3XY9M2EcheFPudUnGeJu3ZnAkOyOBCnHs,6860
|
|
471
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml,sha256=lWeMxIirBrvHvcyKkZfNaNflS4tJ9sJV9G0lMHRcW6M,6770
|
|
472
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml,sha256=qd0s3ospvyAfR1H0ZBhpCqBXxjSDYJRi1gP5AbmtFMo,6992
|
|
473
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml,sha256=4_gvXkrySCPeRUQ5A2DKUD-1PxrxBgE1sGOCmHXgcl4,6496
|
|
474
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml,sha256=KLs_OaW8_KFqYnE-knOM6Y0ag1iW9WdrDDQSw40XXC8,6801
|
|
475
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml,sha256=Rp5zVrAUSxDhWSy7Xu0EcR4Rg1PCyWAjkwiZP8m0YdA,6606
|
|
476
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml,sha256=PPUw_J8yOXw-oRKRhaa1GTCuwn7B8qrnlTPCq_mNIDg,6688
|
|
477
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml,sha256=TplfXzUlLqEWWqx5DAu4DjofgJzoC8O4fV8Ydsnu-WY,6908
|
|
478
|
+
nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml,sha256=gTJ70gaYRKanzKUpIsLYlvTC_Pd_cfaIBAX0c_wReE4,6757
|
|
479
|
+
nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml,sha256=g79V0ABJLK33BYTmsgV-YseWDQqHoozCvSJHEYQ2msE,7487
|
|
480
|
+
nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml,sha256=QgEjGZvo7vMT7KhrUv4fstgivv-OQM5an2htugvEij0,13146
|
|
481
|
+
nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml,sha256=DVKnxmSWgFj9dw5wA3uxt0wycwKeAY_mMPnN2vSU9Sc,6905
|
|
482
|
+
nldcsc_elastic_rules/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml,sha256=d2MFbarCiiDCBRgbjsJcqHtCwFsa6YCm0_5pLSVX7NE,6201
|
|
483
|
+
nldcsc_elastic_rules/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml,sha256=G381iayYS3tdK5EEPdYtxbEiQdnuMO-3q3WlIKmFPnA,5764
|
|
484
|
+
nldcsc_elastic_rules/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml,sha256=PjYBhnQe0BN_BB-xDCNTz-b2U_xmqcMzRJRxi8Akn7I,6618
|
|
485
|
+
nldcsc_elastic_rules/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml,sha256=IaSWU_sNcVZVZAkaexIJ3_MqatDXz1iENyoJAG59fto,8769
|
|
486
|
+
nldcsc_elastic_rules/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml,sha256=eBDahqxyTEtS7x_npt_0cK2btx51dr9GTA7UG081yFk,5701
|
|
487
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml,sha256=Cce9WOAIKABm1MiKmmB-5DHRoNW1GYeuWxgC3ne35G0,5943
|
|
488
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml,sha256=idhrist2nHRMsuoO7gjXI1YL9w2l0lKpON7q6P2HLAg,6082
|
|
489
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml,sha256=wH8URt0Yf5-6MZJKRAOlFQ4Gwp9ir9s0QuCTwSVOfjc,6587
|
|
490
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml,sha256=Sr6oZrVYNmEzW_jPeaqlLpJ1dkaP5YwmGkQrmdtSZI0,5526
|
|
491
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml,sha256=bGtXYecYKuiRZbLlppyzk8FUQWuV2y1Q1DEfYTV0s6w,5887
|
|
492
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml,sha256=4Nt2ExPQDxuvCTQwHB-EK0todtNFcgKinVUOLzQVCao,5889
|
|
493
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml,sha256=RuWHA7qw8Kovi1sTdC5lxwmrHY_5J83TUdetILzGorU,5921
|
|
494
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml,sha256=5DvSjb_Fk4giFCd7Uv4MoGsJWbz4E01XkSBm2o4bKYg,5998
|
|
495
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml,sha256=XiPajXQ9aljh3Xp6tzxy95cinyAMGfzQt-9diROn83Y,6275
|
|
496
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml,sha256=1fvfbI4vfJxL3WMN4CNYTSq4sNsrBUXtq_mtEDJv0Xs,5811
|
|
497
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml,sha256=0NGtCTVp7irC9Byz6lLB5qsCNWb9LphOkWx60qvpEPI,6247
|
|
498
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml,sha256=ncPtLiNi2dJh-cQ3TbaS4G9J_mzH5dIECnRew9wQSqc,6572
|
|
499
|
+
nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml,sha256=g0LDwjoJjfj5aemgWatRNlZAY_cC5zcXqBIYz_KuePM,5595
|
|
500
|
+
nldcsc_elastic_rules/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml,sha256=GdMTaFyfyH1DsCoB67SO2RqJitcvg4Rmg3n7L3PWcS8,5548
|
|
501
|
+
nldcsc_elastic_rules/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml,sha256=smApfEY9PUySBSu0SpXXRgwYnZTEYdDSu08xNUVv77I,6161
|
|
502
|
+
nldcsc_elastic_rules/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml,sha256=CeWSXE70VqjUawpp2Vaodcl8ulNnS43aPSG3_94ybs4,5799
|
|
503
|
+
nldcsc_elastic_rules/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml,sha256=KQfZJK49gWjTnDAJBkEWyQb9HO8AkDYSIRFxaGewwdk,5846
|
|
504
|
+
nldcsc_elastic_rules/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml,sha256=DfERsYJMERYPBB6rnqy9q-dDZzUXCB-9TvZxSz0dEkQ,6249
|
|
505
|
+
nldcsc_elastic_rules/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml,sha256=LUNFNIxfJbB7k-euUFhdoymOQ2YQArKsIuR2k6qm8i8,5567
|
|
506
|
+
nldcsc_elastic_rules/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml,sha256=DsJZqg_nKvXPzwo0N3U0xAJrdYoXP3lh6yXhCfg3v2I,5446
|
|
507
|
+
nldcsc_elastic_rules/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml,sha256=PRe9qXU0C6Xh9fFMLVYtXVXOh20KQD-BiS2T8tAEid8,6685
|
|
508
|
+
nldcsc_elastic_rules/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml,sha256=TW8EBGECLQUbHXiNlcHl4vOAI1ib9tpQCDdxtYUeQ_U,6503
|
|
509
|
+
nldcsc_elastic_rules/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml,sha256=sevoMuw466Za-got78OEI-mqghlK-M5gqMJqtWFhiCc,5613
|
|
510
|
+
nldcsc_elastic_rules/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml,sha256=paRaJqfe-bH5Cq3nTljA5vlgnp7yKihKbkjWPtPdSzA,6328
|
|
511
|
+
nldcsc_elastic_rules/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml,sha256=BipDXl_rpWJgXyRiFEsUSII1mME6CcOEg6DHDzT7VOI,6597
|
|
512
|
+
nldcsc_elastic_rules/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml,sha256=MCfZ1IUylEJieNqFha6F2jqqxPOi9fgoACupvGoDVYs,6601
|
|
513
|
+
nldcsc_elastic_rules/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml,sha256=Ehf16gym-RBFXgt8a9yRre7P5PSLQOF0V4k_H44GH_A,5997
|
|
514
|
+
nldcsc_elastic_rules/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml,sha256=C_shgEDlAwrlMScKsTGyrFhTOgFBlcqv0_hGanwixsY,5723
|
|
515
|
+
nldcsc_elastic_rules/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml,sha256=YTYhCYSOMioUm89HTQMKo8uDIFcZ5i6Cte4CzbL7KUk,5534
|
|
516
|
+
nldcsc_elastic_rules/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml,sha256=1_HartCs8VwQYccCl4qjpOBViJAAq5DVK9cRD0d41WE,5684
|
|
517
|
+
nldcsc_elastic_rules/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml,sha256=LTU0TnB6GUOr6ZJzdyg-RTdmz-ymhk9GPeMrC3o10j8,6464
|
|
518
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml,sha256=sA57d01eFVTByjMXqeJrTOH2Yzg7FIDZlomLAYNVBXw,4602
|
|
519
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml,sha256=gk6DdcFn-oQJY0ZqkGgZAZLTk3XjyBEPeDXytVe3N1I,4467
|
|
520
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml,sha256=eqm0sduRv9TzF8_9D3q1sA-o3WJAayvclGH9ojXtnzk,6651
|
|
521
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml,sha256=fFlAhwPklAvEcxUQsBG4cM0dhXxezw-2brwI4Zg2DX8,6331
|
|
522
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml,sha256=JOvKG7UooxG8bDo9kNPlsHkuOJViAymFr7ieL6nbMiE,4746
|
|
523
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml,sha256=SKA4rIupqWcP0wmKvdT0wCtH1ECifGHlJulsrSjDoVQ,8097
|
|
524
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml,sha256=3dl9-vS0yRHV7pgWcdARQdkvgHw4XCATZvAvuxc6EHI,7820
|
|
525
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml,sha256=R6BRjfLbDLm2B46U9-F-5BWPOpU3v-f5ntDZ2P063No,4230
|
|
526
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml,sha256=bAiIf2czN9ZO8nTtYnPaDzL68ZIU3uS5mkpScvbTkpM,4934
|
|
527
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml,sha256=kjJAtefR9Usf_wnut7tW_cK0_GEFrxfF37dWC8I_4ME,8396
|
|
528
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml,sha256=VUxFWnqtFhLBiLg-Yo-H-G5ZKLPlqRHsosllUCvyXPs,5081
|
|
529
|
+
nldcsc_elastic_rules/rules/integrations/okta/credential_access_user_impersonation_access.toml,sha256=E-CNCnMlZ8z_OrD1m4JBaVbXRo0Dd8Jzl-koapPzxoM,3908
|
|
530
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml,sha256=EAoonBbpfY_vtpTosj_F4YJ-tonptDnzulz33_wvYfQ,4365
|
|
531
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml,sha256=aLu9u7ml_OWplRG4NLBLL-H-Mlgn4oZngrBgI3aR_x8,4387
|
|
532
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml,sha256=hdTP8uTy4Ww_cJa-cyrqFIwInTFkkF7Bt2wQMX4Js2Q,6820
|
|
533
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml,sha256=s6nWPWhW2ElRgnio0tD2ful2KuYTVZk90JpBPaTzm1M,5257
|
|
534
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml,sha256=jC8gt3ju3ZajKZMNqd-eobcPANjmWrbVuZ7P05K0pP0,5234
|
|
535
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml,sha256=Zhi-kh8mdlFvDLHrL1uzp_7GBxgyLk9Txic3DHGO9Vk,5132
|
|
536
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml,sha256=kAFQRxnHAbP0wV8QBgAWwq43Zdwbnzl_H440MkECAVE,5053
|
|
537
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml,sha256=ke3DBgzy8c9Jl8tgJvg-044bfJGdmB0Bn6Zm52Wx2GU,5070
|
|
538
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml,sha256=EBG32-0JRPBGbi6xyVRJrwfERg34OrSzCJ8EQ1rsLec,4208
|
|
539
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml,sha256=6xN6XpNOkyoTOrLzIh2iCDXrYvYexcZv7H88wLVPz8Q,4630
|
|
540
|
+
nldcsc_elastic_rules/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml,sha256=UIT4NqYFJMas9rmvDx0SVKQjnnxcO05Y2EZCu7b-970,5365
|
|
541
|
+
nldcsc_elastic_rules/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml,sha256=svKxk8ZXaRBgq8cVWSIE60Homf1T-2WNoR-VFDL6eec,3631
|
|
542
|
+
nldcsc_elastic_rules/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml,sha256=0t1yW1jhlTzwmAOPhqEZiNIvdtkP5iUpoQTstDd46Y8,4372
|
|
543
|
+
nldcsc_elastic_rules/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml,sha256=h5LoMs9NTAxlgnmm5ut-6YuM_tYbN_6PJMKoPmKpUOg,5763
|
|
544
|
+
nldcsc_elastic_rules/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml,sha256=3MOYprdRdrI3rcDBah--hqcVBs8KEwkWqOKXHcGMERk,5671
|
|
545
|
+
nldcsc_elastic_rules/rules/integrations/okta/impact_possible_okta_dos_attack.toml,sha256=pJSXQPE48JGh3mIzgWYngOBctFuhubsk7WGAhQ_IUJk,6045
|
|
546
|
+
nldcsc_elastic_rules/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml,sha256=PZWWtOEu3Fy3tL50iPW6M6T-RBp46Ati1rTJb4vpAv8,4242
|
|
547
|
+
nldcsc_elastic_rules/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml,sha256=ggrlM5cLApBWTHXGvyPrYdu4p-49sZjojVgIsXWALdQ,3931
|
|
548
|
+
nldcsc_elastic_rules/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml,sha256=viy9G7om7zLnCSerXoOlEHwIyrKobMJ_xLpi3LxJjlw,6037
|
|
549
|
+
nldcsc_elastic_rules/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml,sha256=Fb3zNtrOQC2Wkq8dLKzOoymc7bokJUhe_0Tecfiw4Dg,5807
|
|
550
|
+
nldcsc_elastic_rules/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml,sha256=lfDtQQgA-ILQjmfeAh9F5bWCADdPydsn7dbYXMp__KU,6367
|
|
551
|
+
nldcsc_elastic_rules/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml,sha256=Jmpv0CneliXc9sMrHK7LhE_Ay9Gi2t50m5ENXc1eSW0,5565
|
|
552
|
+
nldcsc_elastic_rules/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml,sha256=F5OoQhp4g2trjQNvxZo9q7s-JE0rOSadvCmyxqw469E,5788
|
|
553
|
+
nldcsc_elastic_rules/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml,sha256=QEovOSoUQTY_mXIEyUCNtcu6QwcJam1M7qUXk3w9K4c,6613
|
|
554
|
+
nldcsc_elastic_rules/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml,sha256=dX0GqdtxNK3Y7AoiADEp8KXss9IddxtrZTHSmdtzQEU,6405
|
|
555
|
+
nldcsc_elastic_rules/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml,sha256=HWE1o_-bvXjirvO5seDWROOPFwFyWTxVtHwfr4n28u8,2396
|
|
556
|
+
nldcsc_elastic_rules/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml,sha256=XprehOAXZkmcIdQeskgkeOGChzxDWMuCgfXYpO2C44w,6031
|
|
557
|
+
nldcsc_elastic_rules/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml,sha256=xKDNyS-q7SNH6wKNRs8lvdBUdlyhc0lWhwugDsgIgWM,6130
|
|
558
|
+
nldcsc_elastic_rules/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml,sha256=aPsi3hMm8oGoaCCKyx-RRLH3FawS50NfHH4Zv0Ym5-o,5620
|
|
559
|
+
nldcsc_elastic_rules/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml,sha256=qgMObZ-jQALt-pniNNGBC4yS7DB8pjlnyixbKiIqROI,5681
|
|
560
|
+
nldcsc_elastic_rules/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml,sha256=ekxNAAwu2Gsx7OccJKZeErl1eAK6slKIPc9aZxg2sRs,4886
|
|
561
|
+
nldcsc_elastic_rules/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml,sha256=1CnqYcuk4CGXPMYK5eLWSrUQsD0tcRCJqChaV5ozigo,4366
|
|
562
|
+
nldcsc_elastic_rules/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml,sha256=YC5uUXyT87ueVBuKBtRkcrR3IDCY1U9ejzqgR_5x2R8,5977
|
|
563
|
+
nldcsc_elastic_rules/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml,sha256=VD9ZT3XnWRHyffoQQzr2AjQxvpY8usW9pkn1PnCG7iQ,5854
|
|
564
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml,sha256=Wl9pTqEsSCPtaurWoRMIKF_aHst9EkdHT8qWrp6HYXo,7202
|
|
565
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml,sha256=zdU5nWCVZI5s5UrA_VAGBovoGTNyBHVZ61Cv-lPA9U4,6699
|
|
566
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml,sha256=pOnFpbho8knSbghfFDSVl7FrPeWtJjcDzjpaHOnnWbM,6677
|
|
567
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml,sha256=M2i_MouCBWGtYWbQpHNMtK_RFP-TSlwEgoGRDMzWqRo,7194
|
|
568
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml,sha256=nxmCF5yuVI--xS1eZWutbMpuBbaccJYc5o-g-Kk4vlE,6862
|
|
569
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml,sha256=8swNF9qGv2fJD-TbQ7vhYQTpVHvRVh3lNVfyWJUXc6I,6911
|
|
570
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml,sha256=dp09bjr3LAQmK9m-keT37IMPAv20_n_mElMTM2iZvvc,6556
|
|
571
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml,sha256=IQU5OHjLVlSz8IxavxetrXeBxqELBUUqRSIW8GguwyU,6755
|
|
572
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml,sha256=l0ftDIbYM65LiIY_gqfdNNO13BsCOnzrEvRAkRhyFy0,6937
|
|
573
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml,sha256=c_Eyvv7F6EUuDAtSQDfdpODwvsgA6XtmJEIvAhn5zvA,6745
|
|
574
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml,sha256=u0AGt7Bc3denjjhRKmjYTlUFLdy9su1F7CYuMBcl964,6735
|
|
575
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml,sha256=j6wIc3hb4S3AMuKiRw9oN1_R-BWNlItyczSNphb77Eo,6833
|
|
576
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml,sha256=seSo9JXXai-o4Cuweiq2iNiC_s6aTz6GIsjYNlqWq5c,6869
|
|
577
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml,sha256=E7JKxcOvxk4EeDBLGDHb0w-V-e6oxGTfJbz_ucXqqfk,6893
|
|
578
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml,sha256=3pISlH6sfAdWbzmndIWjF4VduwU8huvFg4r7tW4M4hM,7016
|
|
579
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml,sha256=w6U-_xuSA7mPDVPS6iZh-ZWM6w5-5dv81DrwjnWgXBE,7366
|
|
580
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml,sha256=n_phVSzD6PuEwCEbgBRPscDfB1gZOPP-BPkrwVHheW0,6746
|
|
581
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml,sha256=Ho9jQrPWyuhMWpwIH_ww_npXE-jiuyIbEJIpROF4ZNE,7727
|
|
582
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml,sha256=NT8aDP65pypjhGOdfw7oJfUGQtccau9k6L3nUkjXqpM,7134
|
|
583
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml,sha256=ZsXg3q_O7upoj5IT9RQBH-Oxb1by7mC6dXKDwXb2Dro,6721
|
|
584
|
+
nldcsc_elastic_rules/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml,sha256=wQfknX1HeEUw8ofJ5K5LZywlU54wwDDhLL5c8sa3bCM,6999
|
|
585
|
+
nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml,sha256=lGO4fwMXScZx85oXzPbN2xj6m2y9Y6X-BziYjko1P9U,7116
|
|
586
|
+
nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml,sha256=FfiYW0rsH69SoV4ZOrtH_8wYtIrhxrUc25G8RlmkZpM,7084
|
|
587
|
+
nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml,sha256=M0p_YiyPrs7ILHfgQAfcI-nTYtpEhqzUDVaDPY3KD28,7251
|
|
588
|
+
nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml,sha256=sQgiTquBXhCwsxO_zFvKBSt5vgICXa9RMpqHfepDnOw,7682
|
|
589
|
+
nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml,sha256=XLNsLZ522TUZPOvqwpa-uOC4t1fkSck8tnupNf46y0I,7448
|
|
590
|
+
nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml,sha256=EoLIDJol3lLc8az15wG9n440bNT75pvMfPtMz8Ty24U,7423
|
|
591
|
+
nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml,sha256=xMvDfmMt0eMrJ22rijR1ITdicRjjLFrsrC3JKIsf910,7657
|
|
592
|
+
nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml,sha256=zkarSPRMalu9eipDQ9_UhVDkYXCQRy0dzEXW_6QbpEQ,7401
|
|
593
|
+
nldcsc_elastic_rules/rules/linux/collection_linux_clipboard_activity.toml,sha256=uK1IW1QJGzUQVDU1MANVqBVz5Vbu0yrh5LKQJjYLm6Y,5637
|
|
594
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml,sha256=MJcXt9gmVtSZJz7rsTKAtz7FSszuEm7s8vIr4w_wbUg,5664
|
|
595
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_cat_network_activity.toml,sha256=k-h-Q4TvHrWGIbBwqoxOI6Uyl-KhyAi4ZR292QnBcyc,10055
|
|
596
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml,sha256=c89NL_yBFDR1FTTPACEVqVa4-pI0E8Fo6WzKRQjSnWY,8141
|
|
597
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_curl_socks_proxy_detected.toml,sha256=JcqLSyW2-yLr61Xh-auuxMSl09CGSl2NzBvxrOyyLnk,9140
|
|
598
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml,sha256=8xPvn6fFS__HSDFU-jKdfV1hCj4dOleT_25I-b37SgA,7540
|
|
599
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml,sha256=EoauyMXmyTeHRNRRBHcKg0hIEzvvcW2MZyCLr8us8jQ,9242
|
|
600
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml,sha256=b26_MQsQ_Zbe1_yUv1lmdpgqnpBTt3fI2zqZ_aR6ZEg,8775
|
|
601
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_ip_forwarding_activity.toml,sha256=aW8A9MMEdL_QxWoYNIMVFLBq11OCTJEmn60HF_9rb78,6284
|
|
602
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_kubectl_networking_modification.toml,sha256=1qpQoTougzw8j2XNTNGtvEm118jo1LTlGPa0MXIf5PQ,8370
|
|
603
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_linux_chisel_client_activity.toml,sha256=EECParxOJtw_rl2pI2yIQMpvwjzG8NIrNajSEHKw3rg,10354
|
|
604
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_linux_chisel_server_activity.toml,sha256=jHPkhYZgpC8iU2tlFXHCGPi93LOEHiNaQbtjb1IAfHw,10342
|
|
605
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_linux_kworker_netcon.toml,sha256=7Ahb2Lnev8krBvqRvjSQR62JHr1I8ofg84OGWpVEQeI,8487
|
|
606
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_linux_proxychains_activity.toml,sha256=WFoW216c0JNrkkwo0-KHqFhesjDayB20X-UbjquVwuI,7833
|
|
607
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml,sha256=Ez0ojkdZpL98zBcNYNUdObQ8io5Bp-CssW9x4gIsGls,7549
|
|
608
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml,sha256=hd0ghXc8z1E4W6eRryaAeiQJqgt1pvLodKIJXWPxK-Q,10323
|
|
609
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml,sha256=4wZHsV3Hlxrk4NkEeWFKTwMR423uyGXIuOn39fBRwm8,10812
|
|
610
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml,sha256=5NGyLJJn_agFiKPlnu2CDHJ2k-ZrT6PMlYUuwadYcLU,8087
|
|
611
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml,sha256=Pt0EufHvRp9_LnsciX6Ogz2guSVZvi4s4ZJbGyY_0X0,14975
|
|
612
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_telegram_api_request.toml,sha256=DbyerCcEdpPAVb94-h2QCugp97RNJvbqJz1s_-s14mY,8340
|
|
613
|
+
nldcsc_elastic_rules/rules/linux/command_and_control_tunneling_via_earthworm.toml,sha256=KWrMskJDrfKWLMFl6camZZqfjYvp6dJQmtrF_BAiRUo,11228
|
|
614
|
+
nldcsc_elastic_rules/rules/linux/credential_access_aws_creds_search_inside_container.toml,sha256=VPgyTsVKeShW_BcR_v2mbGKJUigzAj0FyZ5iKUlt7vE,8324
|
|
615
|
+
nldcsc_elastic_rules/rules/linux/credential_access_collection_sensitive_files.toml,sha256=lDfKDfajsgOgk2ELKmKWsj6c1PB01QTm3hUs382EWMs,10493
|
|
616
|
+
nldcsc_elastic_rules/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml,sha256=fn26osSXbfqgYE4RZBDwvdaJaCLLCWMSW8m2M-YhE28,8434
|
|
617
|
+
nldcsc_elastic_rules/rules/linux/credential_access_credential_dumping.toml,sha256=Ss2BsfuQGpDj-adDT9knW-FmntqDJs3NkoF05T5Qa2A,8180
|
|
618
|
+
nldcsc_elastic_rules/rules/linux/credential_access_gdb_init_process_hooking.toml,sha256=IsiuIdPElI5iUzo99jVFHYJFfW1NlX8bAhs8AkyqVBo,7861
|
|
619
|
+
nldcsc_elastic_rules/rules/linux/credential_access_gdb_process_hooking.toml,sha256=kFvmVkghmRpPY-uXxU9OfYNt5QizMwJt47SkFneqWXQ,5973
|
|
620
|
+
nldcsc_elastic_rules/rules/linux/credential_access_gh_auth_via_nodejs.toml,sha256=Hv-eJVIlwDoaDCidpQJGnb18otoqaoAuiNqr6Gj8bos,4539
|
|
621
|
+
nldcsc_elastic_rules/rules/linux/credential_access_kubernetes_service_account_secret_access.toml,sha256=Y8hoYtoMg3lUsOQlc0Nw4uBox7iDaFgvEOq-hOFBehI,8656
|
|
622
|
+
nldcsc_elastic_rules/rules/linux/credential_access_manual_memory_dumping.toml,sha256=FmS5uROE39eqN11dm51C9afqOMIhjBLMmWCq4Q47UaE,8586
|
|
623
|
+
nldcsc_elastic_rules/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml,sha256=Yu0g5RgBoGQMrUwdP6gWg6Old3ukRUh93Sg3eiboYAI,7674
|
|
624
|
+
nldcsc_elastic_rules/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml,sha256=nCsx4a95PZvBbb1zEqrMUx8-nOopx3X3NeQp_pQLUkc,6243
|
|
625
|
+
nldcsc_elastic_rules/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml,sha256=_NiwbTQVCyhiwVbFpOif8fHPkHn6HeUSx9R-o8wwlaQ,5805
|
|
626
|
+
nldcsc_elastic_rules/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml,sha256=swR-8jUl-ML8yNg7K9PfgnQoHjJKvq6aJ99BIVaCAE0,9417
|
|
627
|
+
nldcsc_elastic_rules/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml,sha256=JJMeTeF-wQDPTbh5uu9qcdcPvPXCckoqNUa9-xLtay0,9669
|
|
628
|
+
nldcsc_elastic_rules/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml,sha256=h71U9GRUmpAthuv4_lw1IEQAX70CumPctWQ1Be_gygI,6846
|
|
629
|
+
nldcsc_elastic_rules/rules/linux/credential_access_proc_credential_dumping.toml,sha256=iybSixK9HnSxClu8C6eQNqYEeEl08ELe-2pCf_P1pR4,8837
|
|
630
|
+
nldcsc_elastic_rules/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml,sha256=2JhfD6VHnROtP-GsHdhXbSY_vf-pKC9vmuc2znBDvNc,8277
|
|
631
|
+
nldcsc_elastic_rules/rules/linux/credential_access_ssh_backdoor_log.toml,sha256=4pCnr7uM6aqV-tyYWBx5dTAkoU96jFq3EkaHNEsp3Bs,11178
|
|
632
|
+
nldcsc_elastic_rules/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml,sha256=NdUFvdVG7LbuOtv8F1bWim0xPr2MkYs1JjfnPSLn9pI,5608
|
|
633
|
+
nldcsc_elastic_rules/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml,sha256=nIefM5oiRIqxbr2dipBhXWp9qtql2FdG5KP6Hy3yVfI,10717
|
|
634
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_acl_modification_via_setfacl.toml,sha256=R3IUhsIXC-MQkPqGq6H_YHoizSbU8FP2R7haWSFIYuM,5682
|
|
635
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml,sha256=rT1pJZFYzAElnZ4Mgo_g_kbU4HHpTp3Gmn5u-FiI52g,7808
|
|
636
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml,sha256=XAM2QqmJKRd-siwO-6-Ihj3yAo9FMdBCgshHKViyHVU,8644
|
|
637
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml,sha256=LYHgYTdKY95lGw4iSAbWVMKZDGio3IfkCT9asksKZqA,9780
|
|
638
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_authorized_keys_file_deletion.toml,sha256=vBfpQe1FS5DW_cbReSv6yW3ZyEkbkYieo7l3VVEZ9X0,7794
|
|
639
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml,sha256=MYeupA3OTG3uhD5-9Ml9lT8gzXRk5ZO-k2a0BTeQ2ew,9541
|
|
640
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_base64_decoding_activity.toml,sha256=Z7FaCe3A-o9o9DMhRaaTFyRV7-YcknjeJtPMVn0Nbqw,10348
|
|
641
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml,sha256=MG1jOaf2-7CdJH3YwjoK1q5shAJ4ioPjDSCFyxq6bVg,10508
|
|
642
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_busybox_indirect_shell_spawn.toml,sha256=jfzhhJJOkWjPvGILtaEwcqJeydqi5QM8Eio8tnWh7Rs,8851
|
|
643
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_chattr_immutable_file.toml,sha256=Iaxk7AjYjl10p8V-Z3q8v77F9pUG2ORku3gZoUG7ot4,10042
|
|
644
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml,sha256=x3VSpu08Qb9ro5f66qHwEQz4-iCMLZhVKccDBwPrrUk,7903
|
|
645
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_creation_of_hidden_files_directories.toml,sha256=GE138nQWb70mymgqLL-55Vfur11XD0iDeqkfYHJNYjo,5434
|
|
646
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml,sha256=lAgFYdkGSQguSzn288bGUY_76XY-CvYhgzNh9soVYno,12398
|
|
647
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_directory_creation_in_bin.toml,sha256=clziZnjrbdzz2Ss71hF2gusnn54ExqBEsjwBLLcK8Oc,8265
|
|
648
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_disable_apparmor_attempt.toml,sha256=GrYEXe7wIF4xnuVL8srII-IMW7tKM_fdvDbqOOgWNiA,8513
|
|
649
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_disable_selinux_attempt.toml,sha256=cl0j9us4u1W5IjRPTual1UvD3YZR_RetCuP02e_bZJs,9277
|
|
650
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml,sha256=TP2v-fOtbyN1br4Ss7wxZ-fF83LgiwWRNVW0gtL6Yyk,7579
|
|
651
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_dynamic_linker_file_creation.toml,sha256=ki_aOv37YNyous1rvS_ygKRulboxeWQRuxG8oCo80k4,10311
|
|
652
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml,sha256=LR7nv5kcnab8M6Zy11Nj1eCYG9cTJjlbwCE1S4iGGZI,8400
|
|
653
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_file_deletion_via_shred.toml,sha256=8972NmVPXUtb-KDYgvl5DdFd_O7KqFeKnwNnh7blNyc,7466
|
|
654
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_file_mod_writable_dir.toml,sha256=yoiW_nL3_Q1cuWHqjyKNVvhbd6pdIYFp0rS5pGi9-3E,9193
|
|
655
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml,sha256=r4q_GWiN7uV8Zr31FZHMcFMEKTRd55BtKIWWoVmH5qU,8174
|
|
656
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml,sha256=rjLe8NDJRfd2Po4QtR4rGvPlaMki-OX3BO-s5Qsz3HY,8900
|
|
657
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_hidden_directory_creation.toml,sha256=eUr1PnrpGUHleYpbvzsJE2OKAIQe669MwcuvzYdLNmg,8592
|
|
658
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_hidden_file_dir_tmp.toml,sha256=7X0lYxFDNsvuyZtGpbdHfzGXnKcGIThqB6f1hUznGsU,10139
|
|
659
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_hidden_shared_object.toml,sha256=DyZOSUdJm13EKvm40Wv27oslt2A2k9MgwephFXOMqis,9370
|
|
660
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_interactive_shell_from_system_user.toml,sha256=oHEL8fApPlhcXpX0J6uKkvJctN8AYeW5eGDf2QyDnnY,8716
|
|
661
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml,sha256=cS4dozqVYfBM31aNOb-9wTYV95DIdctudce0-kdM0tU,9739
|
|
662
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_journalctl_clear_logs.toml,sha256=9f6Iwiz5Nqffk-HsqtdoOpt-PfhCToGl-hMvZZ9VCDQ,8455
|
|
663
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_kernel_module_removal.toml,sha256=SFl7aLki9e-gGF66ptvt8pz1nHnz9CWmtN4EmiywfHQ,8934
|
|
664
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_kill_command_executed.toml,sha256=IBc3aw-1IqTEcujD0RgPuppz0otB-RDR8YIWcoO_mcQ,8729
|
|
665
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_kthreadd_masquerading.toml,sha256=P9bYH7WrrkfBe-kXB1RBSXtEwDSFxgUEeKSWcD_ScYU,8286
|
|
666
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_ld_preload_cmdline.toml,sha256=9bnESLpNVJ7P_I4YPfpazE59HFqHd5UWD_w4iyIVUS8,9136
|
|
667
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_ld_so_creation.toml,sha256=X6XTAweelS7RibQixAhQRHi7OM7cc0rzRK-c1nhfMNQ,9841
|
|
668
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_log_files_deleted.toml,sha256=h5S4TEJosQV-fG-VX3hJ6nisPTqTAONpSfF471qV-2k,9983
|
|
669
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_mount_execution.toml,sha256=x3vibhNeuAzIFXwUuIxQTA-Y-M55TLsE0-PYKNeAb6s,8321
|
|
670
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml,sha256=L4bHidhAGX2pHlvvsQZe88sOw42f-5sL_honUvPO7Fs,9885
|
|
671
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_potential_kubectl_impersonation.toml,sha256=gydZdOkGJ4GhsyY3EGjc7Nk4NJaASHKeVzoaSjGvATU,9553
|
|
672
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_potential_kubectl_masquerading.toml,sha256=eTkcfjrhjKSc2oae5YzFWldt4uNUdTWabI-0gS6q-nQ,9459
|
|
673
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_potential_proot_exploits.toml,sha256=IUeLNM4lF7hrpiHSEIZQcDnPkSkSnP7wSxDgN4OFs9E,8416
|
|
674
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_prctl_process_name_tampering.toml,sha256=2uOdyRgy_V50sv1cjwUkItF-38UryJ_NS5rrSsq128g,7776
|
|
675
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_rename_esxi_files.toml,sha256=2HP1otKV_J4ORl8xNOBfmM8amM0c57EeWtOoaVa6h80,7984
|
|
676
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_rename_esxi_index_file.toml,sha256=dFTxYDKC-usyBUsFwUMLUlbJ5BZZY1WRMlC8-EikRYw,7672
|
|
677
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_root_certificate_installation.toml,sha256=ofXQRwv0EGG8pguFIbajJDRzlnIZqGvyoGMntJ3tfVc,8791
|
|
678
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml,sha256=V-rcN2Hq6YE4XADmC5wwHcFslL7SKXt1ncndZjNVm8g,8159
|
|
679
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_ssl_certificate_deletion.toml,sha256=avxtK6cRJwiBiXDvfYODW0Q1Lc9J8C0XbAum-MVH-Cg,7836
|
|
680
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml,sha256=GmWkqFwbfHEQRek7IwGajDPZ1rqWY3zJt-oucY20gxY,5850
|
|
681
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_suspicious_path_mounted.toml,sha256=szuSuFJ8vXnYMaYsFaFfgmT0oUS6z2BhKKXdydMyYGs,7433
|
|
682
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml,sha256=1kYTN68rb66D_Drbu8xEMe3oL_BH09iWYCxUXhaGev4,6487
|
|
683
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml,sha256=4GNXzJVAi-ZdBPgXyR4rc6xiS-cFCOu_sm-zPiroQj8,7630
|
|
684
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_unsual_kill_signal.toml,sha256=qiWF2bxZJq52zrTYCbq996SP7Q9Goj-jBt9RGQLT_70,7079
|
|
685
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_unusual_preload_env_vars.toml,sha256=R7bWqPjQL_EkMiX_u3pK0dZ4J9wSHBILk0pxXSpHgTg,9045
|
|
686
|
+
nldcsc_elastic_rules/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml,sha256=FjLuB_Cc8iwmsm13kyu2jyNO5OLzQ6l1wSA6Po5dUnQ,8738
|
|
687
|
+
nldcsc_elastic_rules/rules/linux/discovery_docker_socket_discovery.toml,sha256=FFdZYzgVZSaijYWdfJo6DgWknhmUBmdLznWZQFw_Zks,8273
|
|
688
|
+
nldcsc_elastic_rules/rules/linux/discovery_dynamic_linker_via_od.toml,sha256=QYdiXxbq_vcOC4fdiSkRW3piwtFTxW21BxUD1rTBTiM,8053
|
|
689
|
+
nldcsc_elastic_rules/rules/linux/discovery_esxi_software_via_find.toml,sha256=0MUkHr-T3RQBTxFUtJu7sRyd573xXXLzeV2isyYrrKo,7880
|
|
690
|
+
nldcsc_elastic_rules/rules/linux/discovery_esxi_software_via_grep.toml,sha256=l0g_EMtPVQjctIw5I8fkValC4iGBpXMgys_Y005ek6c,7942
|
|
691
|
+
nldcsc_elastic_rules/rules/linux/discovery_kernel_module_enumeration.toml,sha256=_abjthsr2DNHQgqb2YBmXb7qCtreUkYWoMQELwZ3SnA,8323
|
|
692
|
+
nldcsc_elastic_rules/rules/linux/discovery_kernel_seeking.toml,sha256=eXFGimxYR79SvZ_4rxsoO6SAnj0yZJlkKPpAMR1GZNs,7976
|
|
693
|
+
nldcsc_elastic_rules/rules/linux/discovery_kernel_unpacking.toml,sha256=vr9ZszrzoERj57tIpJYIe7MguFq2htV53YtHaH-pHnk,7855
|
|
694
|
+
nldcsc_elastic_rules/rules/linux/discovery_kubeconfig_file_discovery.toml,sha256=qNVBwo_4lMu8jVumbQ2T8IwCLLx2qyo0ujudzDrrFHk,8819
|
|
695
|
+
nldcsc_elastic_rules/rules/linux/discovery_kubectl_permission_discovery.toml,sha256=r08KA-KSJQvml2WcBx5L9lO9ULdZ_LL1SMrfjcies-c,7527
|
|
696
|
+
nldcsc_elastic_rules/rules/linux/discovery_linux_hping_activity.toml,sha256=fWCXh_okLQKIUZPNJclqOpo7RPpJfk5h6nPGibcCzfA,9494
|
|
697
|
+
nldcsc_elastic_rules/rules/linux/discovery_linux_nping_activity.toml,sha256=XwEtWlP4qmOMEfuttoyF2c2MG2CXSuHMAA8Jw5ScVFA,9359
|
|
698
|
+
nldcsc_elastic_rules/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml,sha256=upblsRFNqpG7AkcmKLaZ1gKktQLzXZ7eBeTvkVLfK8I,7880
|
|
699
|
+
nldcsc_elastic_rules/rules/linux/discovery_pam_version_discovery.toml,sha256=tios0yOguXMeOYD2qAX3OU0Z8LAb53IBc4krEr7AnfI,8594
|
|
700
|
+
nldcsc_elastic_rules/rules/linux/discovery_ping_sweep_detected.toml,sha256=V0mlKQ_mphl0YZPemANW7sGZGXs6qgKus7UTct2gMS0,8007
|
|
701
|
+
nldcsc_elastic_rules/rules/linux/discovery_polkit_version_discovery.toml,sha256=kRWdUnlb76y-GcXbhQpsNVMpgxUAxWcHR-BaR_1sL6M,7522
|
|
702
|
+
nldcsc_elastic_rules/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml,sha256=5Xg_4Vs0dSLwtbOKOrcgip6Bbbe_9dXO9z_7Dp-B1Ew,9621
|
|
703
|
+
nldcsc_elastic_rules/rules/linux/discovery_private_key_password_searching_activity.toml,sha256=-m_muXUbiMdX5yD5_SqoLuDmsMfGJSB_WISEryCEhk4,7694
|
|
704
|
+
nldcsc_elastic_rules/rules/linux/discovery_proc_maps_read.toml,sha256=Ve4G1lmaEHDE7AIm6KzEnvdhIURQpoSctK0CbfDlc5Y,7886
|
|
705
|
+
nldcsc_elastic_rules/rules/linux/discovery_process_capabilities.toml,sha256=AxkmvYlG_rkuOrm6dRxUkILYyLHAwSaNLmsKNoWu7A4,7236
|
|
706
|
+
nldcsc_elastic_rules/rules/linux/discovery_pspy_process_monitoring_detected.toml,sha256=0T8nUasnbZAFEo_kCWKxTNzvalGFf3NyzbaeuFg1COQ,7416
|
|
707
|
+
nldcsc_elastic_rules/rules/linux/discovery_security_file_access_via_common_utility.toml,sha256=gDC_3JSb8waoscGYlm9T0AD9-cDuzkOk7SGYqCWEP8Q,8091
|
|
708
|
+
nldcsc_elastic_rules/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml,sha256=1C60XLFGP3ZmNpC-eZkeP0_lgmiZirtONXCkIo5wS3Q,8641
|
|
709
|
+
nldcsc_elastic_rules/rules/linux/discovery_sudo_allowed_command_enumeration.toml,sha256=4ao0p2kDS6PdcaWBMSNwStAqjryYmKZL968Xzjef-uA,7424
|
|
710
|
+
nldcsc_elastic_rules/rules/linux/discovery_suid_sguid_enumeration.toml,sha256=SXQc1h3-uGM6IOrGCGgDS11far6Ax1GK67cxpEuUwWc,8692
|
|
711
|
+
nldcsc_elastic_rules/rules/linux/discovery_suspicious_memory_grep_activity.toml,sha256=YT9_MGy3v6ocm-pBdtWgssDoA3K3561y3uiWo76Lluo,5758
|
|
712
|
+
nldcsc_elastic_rules/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml,sha256=PB2ZRKPoPFncDGyiFMZTLp_zKqSjCCSXpPxG0d10maw,8720
|
|
713
|
+
nldcsc_elastic_rules/rules/linux/discovery_suspicious_which_command_execution.toml,sha256=TpOc_GM-b4mDIcAmm6e50TVQNt3Yw0BMx7O3J6bHtHg,5815
|
|
714
|
+
nldcsc_elastic_rules/rules/linux/discovery_unusual_user_enumeration_via_id.toml,sha256=2Uv-MFknZGBjJY81vD4EJGOvvG8A_CiV_1KX0xas6wg,7551
|
|
715
|
+
nldcsc_elastic_rules/rules/linux/discovery_virtual_machine_fingerprinting.toml,sha256=70HhHMdpC6benB_yZTOQWMTfB7wqK8Eh9peh2Z9p_r0,9361
|
|
716
|
+
nldcsc_elastic_rules/rules/linux/discovery_yum_dnf_plugin_detection.toml,sha256=xyRgVIWtlv8Sb4Pa78Aw9xSvuplhPXxl-wWUPVykwdc,8054
|
|
717
|
+
nldcsc_elastic_rules/rules/linux/execution_abnormal_process_id_file_created.toml,sha256=avDSzJ0mLQGaaZkNs3PZnxfXvJEjNt57aC380xOm7Os,8882
|
|
718
|
+
nldcsc_elastic_rules/rules/linux/execution_container_management_binary_launched_inside_container.toml,sha256=P6OXJ_ChfSHDidkxonMdbjsjA2xCCmp7w1DQFfBve5w,8125
|
|
719
|
+
nldcsc_elastic_rules/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml,sha256=wh0CPDLFkpp4-vp290LrcooBRf_SLUlaNj-DmmupCcI,7781
|
|
720
|
+
nldcsc_elastic_rules/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml,sha256=Toa9mei2AXfTOQKS_KHAC7jqkIjLyLhhglfzvhe1NA0,7903
|
|
721
|
+
nldcsc_elastic_rules/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml,sha256=20ecrSU5dJRRFt6RbnLuHr6_K5-GKzr218L7SWh2PX8,7921
|
|
722
|
+
nldcsc_elastic_rules/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml,sha256=bPUwa6M_T6-3B8daseeA3TV-Jc3pQc50Y507IJ4CVXs,8623
|
|
723
|
+
nldcsc_elastic_rules/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml,sha256=OA91f5f01dSABvv5i7uVgf400fWMnPzWJmafrnAJpn4,9319
|
|
724
|
+
nldcsc_elastic_rules/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml,sha256=up-G9AHuUbgvJVR3e1VVZlZjPmeK0qstjYTDKYEKM94,7057
|
|
725
|
+
nldcsc_elastic_rules/rules/linux/execution_executable_stack_execution.toml,sha256=U5ckXsRVzpATgLyS0SStXNATn0gOA-16STv92_2g_bg,6941
|
|
726
|
+
nldcsc_elastic_rules/rules/linux/execution_file_execution_followed_by_deletion.toml,sha256=40NVfmlrkhc0UPo8ZnnF7q25t-SMOtd4kUeFzTFZQR8,8603
|
|
727
|
+
nldcsc_elastic_rules/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml,sha256=64u6dnD8Nj-X5bLrr3ILi6-ukRjDmFlGPSRkML1xYS4,8443
|
|
728
|
+
nldcsc_elastic_rules/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml,sha256=5u43vY2SdAr1x98IsQFg3sF_I9AX5xWXlX-b1dAmRbY,9493
|
|
729
|
+
nldcsc_elastic_rules/rules/linux/execution_interpreter_tty_upgrade.toml,sha256=-fgUh7MzhT2ONMYwFF47xIeWh200dD32-tRgu4Yv8y0,7944
|
|
730
|
+
nldcsc_elastic_rules/rules/linux/execution_kubectl_apply_pod_from_url.toml,sha256=ahBV23kgxkIGbse9pLLAatFUPZB1Q-HYMX31HckAzkw,8066
|
|
731
|
+
nldcsc_elastic_rules/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml,sha256=ejvxU4WxDV0ANKy2HffElWmg3v-3-tQoExIodF5dE3w,9068
|
|
732
|
+
nldcsc_elastic_rules/rules/linux/execution_nc_listener_via_rlwrap.toml,sha256=pHofOZ1YyHJD_6zprpLnoXpIMMCidSlhHLgsTMdxXDs,8017
|
|
733
|
+
nldcsc_elastic_rules/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml,sha256=6iug8rD3B_x91dCXefwcuE7UW9Wgh7sR6EnVQ_NfU2k,8257
|
|
734
|
+
nldcsc_elastic_rules/rules/linux/execution_network_event_post_compilation.toml,sha256=lJzNXEkk3HeBj3nTcMXc-i8yS1EFOI_Fw9u2LLIxhog,8552
|
|
735
|
+
nldcsc_elastic_rules/rules/linux/execution_perl_tty_shell.toml,sha256=JJeESLbrU2r2c-5SSs5bFgKoWK4q8fi2G1YJhjUXWJQ,8762
|
|
736
|
+
nldcsc_elastic_rules/rules/linux/execution_potential_hack_tool_executed.toml,sha256=Yo9knz_kZ5hVrofQURQ30zxPEL24RVnSrlZPX9DYX8c,8312
|
|
737
|
+
nldcsc_elastic_rules/rules/linux/execution_potentially_overly_permissive_container_creation.toml,sha256=DNkxyM_2xyfrQYo7qSSONU6OnnP-zlW6BKoeBvHLFHs,8392
|
|
738
|
+
nldcsc_elastic_rules/rules/linux/execution_process_backgrounded_by_unusual_parent.toml,sha256=jxUD-WdLnVyKCvPaZ2oFQThZZmQ1u6iAJEbIhw62myE,9414
|
|
739
|
+
nldcsc_elastic_rules/rules/linux/execution_process_started_from_process_id_file.toml,sha256=Hszt_h0pZh_4VqhrNfBCEBtV6ac8f8y9L9VoFu9Rc3k,5209
|
|
740
|
+
nldcsc_elastic_rules/rules/linux/execution_process_started_in_shared_memory_directory.toml,sha256=qO8slMyjXXRMuEt1ywJSlE9XTkmnmFQaFQ34fYCyies,8464
|
|
741
|
+
nldcsc_elastic_rules/rules/linux/execution_python_tty_shell.toml,sha256=k0Qdq5WNx09LccoomKhLzglg8n_E8AnSDNov47wU-3k,8080
|
|
742
|
+
nldcsc_elastic_rules/rules/linux/execution_python_webserver_spawned.toml,sha256=jGh_C-kvzN6MsriUsPYzGU92v83s7N6eldS9f6GJhGU,8270
|
|
743
|
+
nldcsc_elastic_rules/rules/linux/execution_remote_code_execution_via_postgresql.toml,sha256=PSuKOaqG2YYIG3A14UkVCvHNxBoOZ8OgVnrhJyEs-KU,8196
|
|
744
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_evasion_linux_binary.toml,sha256=iytKqmdFMI6k2LlmdgCiRrk8CthZY4SAZfSAG75WgCc,12126
|
|
745
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_openssl_client_or_server.toml,sha256=0oMvwWwJJEuNEpSBwMuB2Y_GPMVKG11my_SYR3ciNaA,8566
|
|
746
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_via_background_process.toml,sha256=G_uH-1Vplgkpcz3RI_r6uifm4SlvyIK9NROwUDRDURM,8264
|
|
747
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_via_child_tcp_utility_linux.toml,sha256=rPCY71CXTs0c_z-011C3fNCs2-GEcRnaGpq63Ujuow8,9102
|
|
748
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_via_java_revshell_linux.toml,sha256=0fSoQxi7FVV_hrtK11h6tjL9PSZxF477h-P5LrUF97M,8737
|
|
749
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml,sha256=dLUeJZovFImrkLzh_WnTw_kHaAG6_qnSmqUIUjfForw,10016
|
|
750
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_via_meterpreter_linux.toml,sha256=dL763FfUDSVEKkwzv9PKtkQyjF2F-poLCi-75Ou310E,9979
|
|
751
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_via_suspicious_binary.toml,sha256=2AADA5P3KtoDTh7A978IBrh7eVZ-yy7h3Xa7cjdK1UU,9352
|
|
752
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml,sha256=FRY2yK3SakatmrPxnA9Gfu7eez3WMZMe5aK4Nsvir-A,8749
|
|
753
|
+
nldcsc_elastic_rules/rules/linux/execution_shell_via_udp_cli_utility_linux.toml,sha256=mMYNWQUJVSW5cl_HfFOP99e8CjPdJ3kDCw4MIxZRFlw,10675
|
|
754
|
+
nldcsc_elastic_rules/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml,sha256=WL68FGJsj8hPF9mW7NFjmvKo11runxHm04MDd9k6eA0,8727
|
|
755
|
+
nldcsc_elastic_rules/rules/linux/execution_suspicious_executable_running_system_commands.toml,sha256=NQiopV19sl79cdiY0lp9N7KihuJ8_iqoBPQCGz8nodE,9335
|
|
756
|
+
nldcsc_elastic_rules/rules/linux/execution_suspicious_mining_process_creation_events.toml,sha256=CqD2pvtdwm5CLHdDGarc0cz3EqhTeHcYd-WLFz-typs,7706
|
|
757
|
+
nldcsc_elastic_rules/rules/linux/execution_suspicious_mkfifo_execution.toml,sha256=M5cfy5vI56PMpP4tLP1nAm7zVQj_mk_GZneQTQ0wfck,8406
|
|
758
|
+
nldcsc_elastic_rules/rules/linux/execution_system_binary_file_permission_change.toml,sha256=7F9NBgskVZbcFD61VDBf5YVfsyEssBH-9GNLwLthZGE,8023
|
|
759
|
+
nldcsc_elastic_rules/rules/linux/execution_tc_bpf_filter.toml,sha256=_n2KpsJyMmmo9EfGtvjXTvesw96fWKNMTPvRaK5zky8,8024
|
|
760
|
+
nldcsc_elastic_rules/rules/linux/execution_unix_socket_communication.toml,sha256=B7KrcxpVnHg0-kxEcopciAVsx7rxs05pXdAM8qR8BFg,6311
|
|
761
|
+
nldcsc_elastic_rules/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml,sha256=esny6sWgMMph2MgG5lL9UNzFdTvclKa34Mue2drDVdQ,7423
|
|
762
|
+
nldcsc_elastic_rules/rules/linux/execution_unusual_interactive_process_inside_container.toml,sha256=ywJRI7IBiDJ7VG843NJSGZp9fa4CTBVSlGmYdRyJy_8,3881
|
|
763
|
+
nldcsc_elastic_rules/rules/linux/execution_unusual_kthreadd_execution.toml,sha256=EcrQUjk3U3kYdp2DQgfajr_qgfwXhoPzHi5Db-dgzCU,9373
|
|
764
|
+
nldcsc_elastic_rules/rules/linux/execution_unusual_path_invocation_from_command_line.toml,sha256=jguS7E52cebBeGICzGGMJYo_9PlbRTMdKxlF_kIDcx8,8772
|
|
765
|
+
nldcsc_elastic_rules/rules/linux/execution_unusual_pkexec_execution.toml,sha256=utz11cI2LWl2JXjVSvjgbrcE7jZ_kBKmlaa_d1UfWoU,9900
|
|
766
|
+
nldcsc_elastic_rules/rules/linux/exfiltration_potential_curl_data_exfiltration.toml,sha256=7jsXbFSIcIvyuSWegdGTe7mZwU3RUoGvLausu42KSCE,8938
|
|
767
|
+
nldcsc_elastic_rules/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml,sha256=8SZHM9u7RwB5g5iDaNbG6xLfJAeAxGvRm5_V2iFeqLs,8196
|
|
768
|
+
nldcsc_elastic_rules/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml,sha256=z4l9RncvXw0OOubzlqQ8kmmL5jt9m5dG9T0vurII5bo,8164
|
|
769
|
+
nldcsc_elastic_rules/rules/linux/impact_data_encrypted_via_openssl.toml,sha256=QcPppT47tN1kzfeyLKdmytW5EhhZJeYqica2sgrOdng,8114
|
|
770
|
+
nldcsc_elastic_rules/rules/linux/impact_esxi_process_kill.toml,sha256=nFccfQHUQKCSbNB22SsNxwNxVdEpawETSFu7yK1y_Bs,7730
|
|
771
|
+
nldcsc_elastic_rules/rules/linux/impact_memory_swap_modification.toml,sha256=xHSiHl4NVy91Tm6PjmIeTPT9fPot3Lxfpjo6_hbNb_4,8510
|
|
772
|
+
nldcsc_elastic_rules/rules/linux/impact_potential_bruteforce_malware_infection.toml,sha256=_aUNJjuq3UMP077y1CO4z8s5QwRiELxlKZAwcGUyOJY,10216
|
|
773
|
+
nldcsc_elastic_rules/rules/linux/impact_potential_linux_ransomware_note_detected.toml,sha256=Eqis12yT2u1ztQ67Npkts6n4i99_WgFEptnfajW3O2s,8952
|
|
774
|
+
nldcsc_elastic_rules/rules/linux/impact_process_kill_threshold.toml,sha256=OHlaZ0NF6tWBTreifJm3erXRB_v4Sk1a5GibwA_UFU8,5875
|
|
775
|
+
nldcsc_elastic_rules/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml,sha256=N-w5Id7sGqGQ1pIXSSMk94F4JY7PqggFGk9Szz_pTH0,9666
|
|
776
|
+
nldcsc_elastic_rules/rules/linux/initial_access_first_time_public_key_authentication.toml,sha256=-102miVXcsFZI-XeQ0AdrHqkIdSLCcTNjsVuwdSrPxY,7652
|
|
777
|
+
nldcsc_elastic_rules/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml,sha256=_oEWyNB6jOQBVUnAFIazwzrmAg7NFFltS1ZrPUmXqwc,7039
|
|
778
|
+
nldcsc_elastic_rules/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml,sha256=n7o_Gv3M-HquGQfSQkQGlIa1jzSreQbDHVtb64Jehfw,5188
|
|
779
|
+
nldcsc_elastic_rules/rules/linux/lateral_movement_kubeconfig_file_activity.toml,sha256=ygyfNb6DKJa-kUxw17UIJyGIHMh5VtAbxVAUsZUPKHc,8937
|
|
780
|
+
nldcsc_elastic_rules/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml,sha256=n1eGg9GnwzJ-t_Ih5NKRJKGOvzjV4LJyBjFr9erwyto,9563
|
|
781
|
+
nldcsc_elastic_rules/rules/linux/lateral_movement_ssh_it_worm_download.toml,sha256=gCOT4xz0jciHTSs96DebameD7K90xCpRzHPgLMVrVuc,8772
|
|
782
|
+
nldcsc_elastic_rules/rules/linux/lateral_movement_ssh_process_launched_inside_container.toml,sha256=1x9FI0_e4ae66z-8RpKMgJi7LDYU6h2uErcqMVcxaNk,8715
|
|
783
|
+
nldcsc_elastic_rules/rules/linux/lateral_movement_telnet_network_activity_external.toml,sha256=RtVR9EWzESTZs3KGJ086UxxUlZUDwLkTJIhhPRTmJ1w,9754
|
|
784
|
+
nldcsc_elastic_rules/rules/linux/lateral_movement_telnet_network_activity_internal.toml,sha256=VROZbAq_UOHcmbSbwuaV0oPbk_RYBOWKXP3rAa9p1qM,9737
|
|
785
|
+
nldcsc_elastic_rules/rules/linux/lateral_movement_unusual_remote_file_creation.toml,sha256=gazNYJvXmJmYslY1dvH6OOUNow6zTGEZvKYLumDf1m8,9859
|
|
786
|
+
nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_execution.toml,sha256=zVnlpYm0Hyy93XbmgZsU1xQlCvcZuHsyjkHMcyHIoTY,9830
|
|
787
|
+
nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_file_creation.toml,sha256=mpknpHIcWzMJ0dEHhDF3xlkUDk7KS6-zU2qT1ZWcVsU,10085
|
|
788
|
+
nldcsc_elastic_rules/rules/linux/persistence_apt_package_manager_netcon.toml,sha256=LcnVX5WQgHGEKHz5DgEceFXbPaY56fT-OyxlHf7e0RM,9796
|
|
789
|
+
nldcsc_elastic_rules/rules/linux/persistence_at_job_creation.toml,sha256=iT_N5VtTBSTj7DPOZtSrC_KnWb7MVnslzq5LX43PTaA,9983
|
|
790
|
+
nldcsc_elastic_rules/rules/linux/persistence_boot_file_copy.toml,sha256=FXmoWEUm0HS3zG5JONnECmK-sS9JgSJc_mAbbBRYlIs,9171
|
|
791
|
+
nldcsc_elastic_rules/rules/linux/persistence_bpf_probe_write_user.toml,sha256=GO_d9TsPDtd0IjUnMuw2KPbjwW7VEkWjFjAglBNPrmU,7504
|
|
792
|
+
nldcsc_elastic_rules/rules/linux/persistence_chkconfig_service_add.toml,sha256=ckRod__ON03736h45WCBoP_fkLSDtNXtI2Q7xU79rEM,12141
|
|
793
|
+
nldcsc_elastic_rules/rules/linux/persistence_credential_access_modify_ssh_binaries.toml,sha256=8_GMau2X12boPzEJLPdhKT854an4nRkePl2m0ohjYOw,12611
|
|
794
|
+
nldcsc_elastic_rules/rules/linux/persistence_cron_job_creation.toml,sha256=VZmQt_Wc01Csmjv0CRx4VxtFqmj-DcqF-_aEQbcbyn4,14522
|
|
795
|
+
nldcsc_elastic_rules/rules/linux/persistence_dbus_service_creation.toml,sha256=tqSAFOySunFyq2tscaFsLuqio0oqum7Q77ZztD3mwbQ,10302
|
|
796
|
+
nldcsc_elastic_rules/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml,sha256=0FRpkMSml8NIDxeHcdHXQMb3WJVJzT9VRjhxvcuUv14,8747
|
|
797
|
+
nldcsc_elastic_rules/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml,sha256=Oo8hVnXHUOxDu3LULcJMz6OTPElnbhFcCluSnEQaT3g,10128
|
|
798
|
+
nldcsc_elastic_rules/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml,sha256=S6Aun6GFEE7Km5cpVUz1D-jcOaPgkVJI8bxEFO0Wmsc,8570
|
|
799
|
+
nldcsc_elastic_rules/rules/linux/persistence_dpkg_unusual_execution.toml,sha256=dRWflDh0WRABW-7PqJzA439oGeDZt02-TZvyX72iOkc,8856
|
|
800
|
+
nldcsc_elastic_rules/rules/linux/persistence_dracut_module_creation.toml,sha256=r9nLEyCff9CnFR_oT2co1kyW7_1LQVfEKu3P31reN4Q,10388
|
|
801
|
+
nldcsc_elastic_rules/rules/linux/persistence_dynamic_linker_backup.toml,sha256=i3B5HNMkdg-u10CsNCvX9HwXpqbaj9EOvS_olGPDkng,11809
|
|
802
|
+
nldcsc_elastic_rules/rules/linux/persistence_extract_initramfs_via_cpio.toml,sha256=_V17YOpkqk33RxvBgzMyunkvZbTyvDn5L0KA1Q1KAPk,8589
|
|
803
|
+
nldcsc_elastic_rules/rules/linux/persistence_git_hook_execution.toml,sha256=sxtVQRXSWlFTh8ExdxU7dVNK_dS3gRZFZRijmMckXP4,8762
|
|
804
|
+
nldcsc_elastic_rules/rules/linux/persistence_git_hook_file_creation.toml,sha256=MD9QF4lnAs8kN9lFElKMcLTTA8t74wLniTnD5inHJ_o,9725
|
|
805
|
+
nldcsc_elastic_rules/rules/linux/persistence_git_hook_netcon.toml,sha256=nZUIwAsJMOa8YY4LRoru2o7Cz7i0WMQpH-sh8v6uH6A,9605
|
|
806
|
+
nldcsc_elastic_rules/rules/linux/persistence_git_hook_process_execution.toml,sha256=jRVg9GRYLpj9JymhUspyMlZHUP3GQ2j-edaVm5Tnj1s,9528
|
|
807
|
+
nldcsc_elastic_rules/rules/linux/persistence_grub_configuration_creation.toml,sha256=b49QprlnvQgeQ69smze_f6GjdqY9LewLA4DXufkl5C0,9942
|
|
808
|
+
nldcsc_elastic_rules/rules/linux/persistence_grub_makeconfig.toml,sha256=9AFVxkgU_4j3xPniouaA9jWtK_z9RRvPyGAXeiJEPKU,8331
|
|
809
|
+
nldcsc_elastic_rules/rules/linux/persistence_init_d_file_creation.toml,sha256=8gsKShZsH_JRJj4VufOvJQTtnTYSecqdpU35d4134Cc,12203
|
|
810
|
+
nldcsc_elastic_rules/rules/linux/persistence_insmod_kernel_module_load.toml,sha256=7d5OQklPwF8yYpHmG6ixtd0EDayaSUI_O6r1zDchW74,11075
|
|
811
|
+
nldcsc_elastic_rules/rules/linux/persistence_kde_autostart_modification.toml,sha256=tXYtL5Z0WiA_LHD7uBQ0disSrE3RPu_YXilq7YzreMY,16432
|
|
812
|
+
nldcsc_elastic_rules/rules/linux/persistence_kernel_driver_load.toml,sha256=DxfD31AcKQjAIUExxQJLlcydUDtyw_Jc4e9ApWC8wOE,7725
|
|
813
|
+
nldcsc_elastic_rules/rules/linux/persistence_kernel_driver_load_by_non_root.toml,sha256=savqqulL2ycLCAd2KhafoABGCYcYB2EscuB19XlN2rw,7959
|
|
814
|
+
nldcsc_elastic_rules/rules/linux/persistence_kernel_object_file_creation.toml,sha256=Thwl3xL6TY0fPe-5hgALPdoZ0c7OldFm_ifoV6qEK6A,8152
|
|
815
|
+
nldcsc_elastic_rules/rules/linux/persistence_kubernetes_sensitive_file_activity.toml,sha256=UxCFEfqmZXFvVTWaOTdMTw7ABK4eHucyxC96-xRSrCc,8479
|
|
816
|
+
nldcsc_elastic_rules/rules/linux/persistence_kworker_file_creation.toml,sha256=duFt3vI3B_5RpledOVtM7H3LQhxlsb3BUoHlU-7DzwQ,11218
|
|
817
|
+
nldcsc_elastic_rules/rules/linux/persistence_linux_backdoor_user_creation.toml,sha256=T-WXyaXWyeHDDK19N6CFKMJYd2ufJyvXVIMNlLw11u4,8389
|
|
818
|
+
nldcsc_elastic_rules/rules/linux/persistence_linux_group_creation.toml,sha256=qDmWbmR21LfRV26dl7Vx553DqZ11q0pWJlNbfpJm8Eo,7268
|
|
819
|
+
nldcsc_elastic_rules/rules/linux/persistence_linux_shell_activity_via_web_server.toml,sha256=i5p3IO4z3L5Cv2JkABeiqcq4rJjVyaQ34kSvI2ZMi2U,10271
|
|
820
|
+
nldcsc_elastic_rules/rules/linux/persistence_linux_user_account_creation.toml,sha256=qKjxuG7b26HMMFupsvI_pG4i7HZOr2ZH8MiVHaeJEYE,7142
|
|
821
|
+
nldcsc_elastic_rules/rules/linux/persistence_linux_user_added_to_privileged_group.toml,sha256=cwtgIPtGrYNaWvwE9F_MlM4MJi-_ryNOJFC_iIb_kjo,8234
|
|
822
|
+
nldcsc_elastic_rules/rules/linux/persistence_lkm_configuration_file_creation.toml,sha256=WMzUDvN3zbN58y6EI-p6hxcvg-EEmSUnCaftrDTx6jo,7982
|
|
823
|
+
nldcsc_elastic_rules/rules/linux/persistence_manual_dracut_execution.toml,sha256=d_bPHRobfXqX_xT2Eo66a5eV1pI_Qii-GAGfCJHSm2k,8302
|
|
824
|
+
nldcsc_elastic_rules/rules/linux/persistence_message_of_the_day_creation.toml,sha256=Fsnv7CCQu_LU8_184vFM9b1Orkn3BdKlRcbVkqGp2us,10662
|
|
825
|
+
nldcsc_elastic_rules/rules/linux/persistence_message_of_the_day_execution.toml,sha256=3Va3AnNEupp6YTwfb59LaT3TkwkPTKdEpaBpuY-qYG8,11299
|
|
826
|
+
nldcsc_elastic_rules/rules/linux/persistence_network_manager_dispatcher_persistence.toml,sha256=S_nnxNc2tS3OJB7p8zZMWPf8T3uugMN42n4Jx8ohm8s,10303
|
|
827
|
+
nldcsc_elastic_rules/rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml,sha256=Q3pQVQL7GiwHWhRu8js4dalDORAg86m8AFO6FNWXYVg,4686
|
|
828
|
+
nldcsc_elastic_rules/rules/linux/persistence_openssl_passwd_hash_generation.toml,sha256=HMTiLsHyMCpsJz5-Q6OlD3LWDhgDwqwLZ8kCVxMKWLQ,8306
|
|
829
|
+
nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation.toml,sha256=28HEBVh0Yv1pZUtPw1pSdLZ7oEvlR58akB8O4lipltM,8282
|
|
830
|
+
nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml,sha256=4daNwJdC-dCm35V6LHn2YT2k88JzyeNM4Ay1QlAz3tk,6934
|
|
831
|
+
nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml,sha256=w8l8BHW9HDTtLNKzkFblLUVuBBdnM3EgzOytpLv2g40,7106
|
|
832
|
+
nldcsc_elastic_rules/rules/linux/persistence_pluggable_authentication_module_source_download.toml,sha256=sOe1szhNzSEf7z_7QIohWYKs3eAw9izord5or9yv9Fs,6250
|
|
833
|
+
nldcsc_elastic_rules/rules/linux/persistence_polkit_policy_creation.toml,sha256=-webliLnZvU-9DBXUAERJk4RVnG_NKFTzWtyPd8y0FQ,8028
|
|
834
|
+
nldcsc_elastic_rules/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml,sha256=luMf-uBI_9mszIFPHaVfBUxgcZVRY_TT0Wc0rRUV48A,9769
|
|
835
|
+
nldcsc_elastic_rules/rules/linux/persistence_process_capability_set_via_setcap.toml,sha256=LmCztA6z-RROpqPNDoCU-Kv5egmGmOFc1JJz_6zJgkU,7677
|
|
836
|
+
nldcsc_elastic_rules/rules/linux/persistence_pth_file_creation.toml,sha256=MHC_VYIyNdX4vL0Uy0Ir_eynnnc7AqdO-VCzpxpovmE,9179
|
|
837
|
+
nldcsc_elastic_rules/rules/linux/persistence_rc_local_error_via_syslog.toml,sha256=92turJDNe1mhjp4JX4Sgz0mtUKbfHY72Ru4zk8FGfV4,7634
|
|
838
|
+
nldcsc_elastic_rules/rules/linux/persistence_rc_local_service_already_running.toml,sha256=i1pGrl3JkqxnhkL41lrdjPz2x5pudpu5qoJfUEAjeJE,8472
|
|
839
|
+
nldcsc_elastic_rules/rules/linux/persistence_rc_script_creation.toml,sha256=MAuqJKh3at1GU5tA91fZolPsDy-kKvmYF5n52gAlDbc,11869
|
|
840
|
+
nldcsc_elastic_rules/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml,sha256=2P4w2YgkHhrDj90qAk1X-TwoutFJXaYAAAZ1r0e-UCM,8420
|
|
841
|
+
nldcsc_elastic_rules/rules/linux/persistence_setuid_setgid_capability_set.toml,sha256=60LflWUApCunIyMHDyc4QupipTJ8oVQfaDyxr6Tfr2o,10162
|
|
842
|
+
nldcsc_elastic_rules/rules/linux/persistence_shadow_file_modification.toml,sha256=WDPDxlGOe4RMdIkbMUm1nyRpPUr7FqnHu2nu5w0IMss,7645
|
|
843
|
+
nldcsc_elastic_rules/rules/linux/persistence_shared_object_creation.toml,sha256=xVjLTugkMXknQZIvhZ9pHCHBWlR7KaEke0c0QhBJHaE,12070
|
|
844
|
+
nldcsc_elastic_rules/rules/linux/persistence_shell_configuration_modification.toml,sha256=ABFKHMTmxPXf0B3_D3Kco59UBU7eDYg-s6sW7mkoKuw,10691
|
|
845
|
+
nldcsc_elastic_rules/rules/linux/persistence_simple_web_server_connection_accepted.toml,sha256=Y6NCotjjPViwDD1mf3pgI3hL9yxIpDl6tVk9KTifV7c,9047
|
|
846
|
+
nldcsc_elastic_rules/rules/linux/persistence_simple_web_server_creation.toml,sha256=2teNfvMYbNwKukvOQVsxQ-nIFo9tslF38bNtnoSqW4U,9244
|
|
847
|
+
nldcsc_elastic_rules/rules/linux/persistence_site_and_user_customize_file_creation.toml,sha256=nmEgELFxMkstOxrGkxIwGvza-N_GdPbXtqcrX9qsPj8,9243
|
|
848
|
+
nldcsc_elastic_rules/rules/linux/persistence_ssh_key_generation.toml,sha256=SOV5QSz_Wl-r1KYd6r98AFMMwfj4-VatQKtlPzPUDHE,6638
|
|
849
|
+
nldcsc_elastic_rules/rules/linux/persistence_ssh_netcon.toml,sha256=3avmeoDyjH0erwCeEBedeStMpxf4iCb809J1tRXpVOE,7564
|
|
850
|
+
nldcsc_elastic_rules/rules/linux/persistence_ssh_via_backdoored_system_user.toml,sha256=XZBiubtiLYnaSPP2OA0hANeyr2T_nm81T0bcWlEZUXc,8153
|
|
851
|
+
nldcsc_elastic_rules/rules/linux/persistence_suspicious_file_opened_through_editor.toml,sha256=UK8mOhj35CFWkBh3A4WwnJvsx4uASssiY1-rD6hr8fY,8212
|
|
852
|
+
nldcsc_elastic_rules/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml,sha256=bW-z9vQsqetzdn8bAj_M-_UpKBjXHdnsybaV7YIBw5s,7007
|
|
853
|
+
nldcsc_elastic_rules/rules/linux/persistence_systemd_generator_creation.toml,sha256=Xi5nTOSz8rU_EQsVvF5IvE3gev9CQa6jf53fx94196g,10013
|
|
854
|
+
nldcsc_elastic_rules/rules/linux/persistence_systemd_netcon.toml,sha256=9BekXG988DhlpqAI1adMAyCiq043_FO2zvBzsn9ul94,8874
|
|
855
|
+
nldcsc_elastic_rules/rules/linux/persistence_systemd_scheduled_timer_created.toml,sha256=PNKyUnK2Nq9ORlxnJWjhO3WhlfgwA0cEpOMd9BLvReM,12688
|
|
856
|
+
nldcsc_elastic_rules/rules/linux/persistence_systemd_service_creation.toml,sha256=3a_T6KJjrMNzlq5eoeQyB7UygfwA2ywmy4ajeN9Mn5Q,15048
|
|
857
|
+
nldcsc_elastic_rules/rules/linux/persistence_systemd_service_started.toml,sha256=jjhSWah6ZdpTrHpt_yFcttpO5Ps7KBE_QsVAfX7d9TU,13073
|
|
858
|
+
nldcsc_elastic_rules/rules/linux/persistence_systemd_shell_execution.toml,sha256=r76M4Fq8ztzs7mwD1O8XLWh5fvCAak3f9pxpayHEHVE,7967
|
|
859
|
+
nldcsc_elastic_rules/rules/linux/persistence_tainted_kernel_module_load.toml,sha256=NwUqjaYETn4MV08wEn5EAwxO6VvWJt6nKmV_9MlKDnQ,7826
|
|
860
|
+
nldcsc_elastic_rules/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml,sha256=gvGKoMfHcHgwDcIzhtAart5XeB56UPVsk7pmcGhTwh0,7787
|
|
861
|
+
nldcsc_elastic_rules/rules/linux/persistence_udev_rule_creation.toml,sha256=S99pRt6_tw6ucuhBc9wWMwcCBKcjOW5eSnOIvr9IIDI,9394
|
|
862
|
+
nldcsc_elastic_rules/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml,sha256=45zZ6OZoUu3LJ8OUPkBUOPNjoEtPF38lWFLXN34c0oM,8467
|
|
863
|
+
nldcsc_elastic_rules/rules/linux/persistence_unusual_exim4_child_process.toml,sha256=-Eg0CcpBERBs59m60QPPeeB0ySNcO1j_KCq5ez4bLmo,6053
|
|
864
|
+
nldcsc_elastic_rules/rules/linux/persistence_unusual_pam_grantor.toml,sha256=GQCAsQgapu1exlYXJ8mJybmykD4YtuR5BkfzudEBWcA,6979
|
|
865
|
+
nldcsc_elastic_rules/rules/linux/persistence_unusual_sshd_child_process.toml,sha256=Jve-_4aUxpbVYKH0WYClR9Ui0ZVYAl6Owg_RHvwx_l0,6646
|
|
866
|
+
nldcsc_elastic_rules/rules/linux/persistence_user_credential_modification_via_echo.toml,sha256=PL8mSTnDd8jSQKa7YKhp-hqReAbR9T8XC6PAXK9GdC0,7291
|
|
867
|
+
nldcsc_elastic_rules/rules/linux/persistence_user_or_group_creation_or_modification.toml,sha256=Rf-M7l-UGXogzPISciSWlrqL8arZ5KQNHNew9PWdqlc,8163
|
|
868
|
+
nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_child_spawned.toml,sha256=mR9q_SyFFr3KbQ_0763AX7d-geBxB70uMDRcRqIDs_Y,11927
|
|
869
|
+
nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_command_execution.toml,sha256=-oKvYsUxfRAjB6DnjuXEzch8oGbuUeoEcJNE19ac_00,11555
|
|
870
|
+
nldcsc_elastic_rules/rules/linux/persistence_web_server_sus_destination_port.toml,sha256=Nn58HN-bgiJRQ6pJLnbEJFxfM6_3gdkK-jgkEUmIghk,9874
|
|
871
|
+
nldcsc_elastic_rules/rules/linux/persistence_xdg_autostart_netcon.toml,sha256=FPbZm4OdB_WCpKaZuwauJhI73FP-B8S6392ysQ7aKew,11011
|
|
872
|
+
nldcsc_elastic_rules/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml,sha256=Q92YiJGlea4JOtttRC9F5i2OBW3_jH3sfq2GrJmSdaU,9882
|
|
873
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml,sha256=NHXMJj064rfeflQgC4fRoIlycp30-luwnoPV5wGtfaM,8875
|
|
874
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_container_util_misconfiguration.toml,sha256=aPyGXAc4VcexjAjyu08iJF_P36e2Zj3m9w2PVwa5dnQ,9429
|
|
875
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml,sha256=FU05-7sxClSNRjjqIP7i4cmcGCuuxebDjk_7xVdpXP4,7966
|
|
876
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml,sha256=osYV7v_M_L-iT5qtrZZajlgMAPp135Ov9jC8vq64kRA,8236
|
|
877
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml,sha256=2opC5PXn32m5IyKnUJa4ye4_vp7ltH4XPvoKjor-hkU,9064
|
|
878
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_dac_permissions.toml,sha256=6GndkeCOFcJ5Zi1lVu-GYa3GUFK62KTqe6ysyTqkhk8,8355
|
|
879
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml,sha256=UGY8pvEwNquAwC5IfEqCRGIUK7sPeOduBzwbZbc7RHQ,8067
|
|
880
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_docker_escape_via_nsenter.toml,sha256=QazLGbMolCj3rZTnAlXsuMGirBQcq121D6dAv1jr6Uw,5975
|
|
881
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_docker_mount_chroot_container_escape.toml,sha256=QZ0Ao8jj4kKt0_8xFH2giRZm1XvZ6dexrAS1N8j2FQE,9404
|
|
882
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_docker_release_file_creation.toml,sha256=FNk1aAqLLBuRwQJgYMrBAtjsyPgRHfhbkIQtNA-Kk0Q,5659
|
|
883
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_enlightenment_window_manager.toml,sha256=d73k_UWBaun1Gv2_Wtbnag_MYoTGkkWnSrfMKu6zr7k,7908
|
|
884
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml,sha256=2csNSCx_PwhzftUqTqS3PhoKt7xUKtjDntZQQuXfq40,8254
|
|
885
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml,sha256=_FyuOlOLKjdUVh7VAGx3q_fOS2szVF36FjboNjOsXuI,9162
|
|
886
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_kworker_uid_elevation.toml,sha256=dbfNl9YgrgjFX3KMMhIc18HkioA-iYiAQgkIx2kWlbk,7929
|
|
887
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml,sha256=h2s4YeywtShcZa5bBdRoOMVX7ofpV1cNJ2CN8WP6yQs,9510
|
|
888
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml,sha256=n3Ji4kg2eFjD-s6zX0lbAXf2V86GpcUrek7LjyILFRM,9505
|
|
889
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml,sha256=SFRMvaLV-R6AWjl0fwa31ThkDXo7rQcgszgy7jPn_PI,8055
|
|
890
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml,sha256=tBIY8qf8lkoGHPLEH1gcRVt4lqlOYy77-HqynTcJusY,9385
|
|
891
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml,sha256=xbszI392oxWvNotGfhF0JNxKyV9MFQvChyCdLSStoj0,8689
|
|
892
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_mount_launched_inside_container.toml,sha256=H3uhNITd-x_JeWXyxu5PtrPSwz53beMVBnAlqMpdfM0,7913
|
|
893
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_netcon_via_sudo_binary.toml,sha256=nat7j3y64i4JBOco1Hl_BZfKHL54dooKD8xfd8gUb9g,8554
|
|
894
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_overlayfs_local_privesc.toml,sha256=gJMFQ-itEpEN0CKtpPWoDDhEWWE1mBeWIMkbiWKSu98,8489
|
|
895
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_pkexec_envar_hijack.toml,sha256=YGDRcwskVSSLF5HsNCw3JJu_-ad6VliqEBm3F6IgKCY,8243
|
|
896
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml,sha256=nHc1pS4i9zFdfc2iJtT_P0qtPYQ_-q8QWJY3fF4xopk,6527
|
|
897
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml,sha256=7E9PhHC1SUCRg_i0ZbHVqInTeS8XZMj4lPcCwwUP80k,10571
|
|
898
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml,sha256=fh774Grx9LaLd8zIT3VpAmAFYbNtmSlEdyZojlLZz8k,9595
|
|
899
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml,sha256=RsmCoi7IYC17fkis_ILWIIzCLDxscRvgzgwjd-blBeY,8941
|
|
900
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml,sha256=o-5vUjT81OQe9zqi5yfFhXmwTRlGwC8_T3jFhy-DdGg,7829
|
|
901
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_shadow_file_read.toml,sha256=OrilUZwxKMV_ihs0oY8Q5e2NYZ-d3lZBdrlr278AR0U,8715
|
|
902
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml,sha256=ZRmKti1xAaSaTIPN6XIPaaA1qo1OgKpyjRcAH-n11cY,8248
|
|
903
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_sudo_hijacking.toml,sha256=YPBKJLvTlh6NslCn_bgAL3P6Sdm72tnaowogR3DUMd8,9166
|
|
904
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml,sha256=s_CaajfT8cd56U8mJx9wMi5oqtye5R3kb6cIfe0DhRY,8419
|
|
905
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml,sha256=pqwsN5-lqpAuATYPQNTsdfjm14mFnCHVSY6Z2lfUzw4,8101
|
|
906
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml,sha256=gLvlAlwvDkq2AOqtDYmYtvExIqXOhQefoXoPim8G6yg,8062
|
|
907
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml,sha256=yWOFmH37Te8LVwBSJcOBxUsOYxK-YJHRg-AQDNcjKHM,10004
|
|
908
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml,sha256=TGeYUmCRcU9MEXpKvhBWAXNC-iYhlH_ay34AHwd0Ifw,9456
|
|
909
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_uid_change_post_compilation.toml,sha256=TXHuU12p8MNeD2BG2e1BLPPm0y3OvrLrytLq135B3Ns,8586
|
|
910
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml,sha256=tuK4nke6X3CCisLVQLBK1IyWhtHJKftoSPCcYY6w51w,9541
|
|
911
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml,sha256=Z2niYB_JGme1AFXIzdUPc07l5yf1FfnX40KqNmLlr4Q,9068
|
|
912
|
+
nldcsc_elastic_rules/rules/linux/privilege_escalation_writable_docker_socket.toml,sha256=qIYLG5mr7BXUfHBSVZZiirHTWBSg46Y_IjUw2DAvq_k,8168
|
|
913
|
+
nldcsc_elastic_rules/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml,sha256=LN8dHmYMcoYkttyNBU4NqsUQfgPZLaENnkcHjVuFu6E,5965
|
|
914
|
+
nldcsc_elastic_rules/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml,sha256=FwBWFUs4uvbbolNkRh7315lxAxkFiUtltDDFUGY7Zv4,8457
|
|
915
|
+
nldcsc_elastic_rules/rules/macos/credential_access_credentials_keychains.toml,sha256=dy_0jIupjutCU81DgrEwQ7BEQ3A6r1zv2R41NMtbLOY,8142
|
|
916
|
+
nldcsc_elastic_rules/rules/macos/credential_access_dumping_hashes_bi_cmds.toml,sha256=yszECE3S0q-SEnQ7jK7eZOxce234xeQFm1V7U8HfduQ,7499
|
|
917
|
+
nldcsc_elastic_rules/rules/macos/credential_access_dumping_keychain_security.toml,sha256=s9_J0Ulfo1eTvKajhrw8iYXxsEpqsVAgnq56EOSXq5k,7610
|
|
918
|
+
nldcsc_elastic_rules/rules/macos/credential_access_high_volume_of_pbpaste.toml,sha256=96ARm-2gHb3h4_DS2IhjeCDBsWKSSxwfZJTpvPI9QyI,5728
|
|
919
|
+
nldcsc_elastic_rules/rules/macos/credential_access_kerberosdump_kcc.toml,sha256=csUAtIl0eaUHsb5v0bnmCIwJUac9V842a87CuYTEW5A,7701
|
|
920
|
+
nldcsc_elastic_rules/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml,sha256=3GRU5GxJvQlTF5-3OcNCGKY51GrW0luSG1Trd_lK0ss,8846
|
|
921
|
+
nldcsc_elastic_rules/rules/macos/credential_access_mitm_localhost_webproxy.toml,sha256=4W4EKKc1lBd2Q4xhc-YArHkVAStrIdhjeY1cBKFw7Xg,7970
|
|
922
|
+
nldcsc_elastic_rules/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml,sha256=IUfsrsa7cjvmf4RcRioiOiJWL-bbLz3tHrUFuZc7ZOw,7421
|
|
923
|
+
nldcsc_elastic_rules/rules/macos/credential_access_promt_for_pwd_via_osascript.toml,sha256=24ujN4g2y-j4ujcOCOMvKNA6qXLiHIqTfgsz292ij14,8725
|
|
924
|
+
nldcsc_elastic_rules/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml,sha256=6MTqMuSxZAVGtsXKlAfdfHKujiZV4oIYQ4-96Vr3SaI,8088
|
|
925
|
+
nldcsc_elastic_rules/rules/macos/credential_access_systemkey_dumping.toml,sha256=y4_EnCzwSRLhKf4t2S2xKeMoxdZcrAkUEJhMVrmAOx4,7689
|
|
926
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_apple_softupdates_modification.toml,sha256=7BbrSaTtue4yyvGZ8G4EUH6VdgONQLD4cCDe2wG60so,7804
|
|
927
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml,sha256=NEye5wuw3G1Z2X3UvcuQw0fN5Gc0P1fNQhoJAzlCKWQ,8412
|
|
928
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml,sha256=BaLYYIRiEgOZfoe13f7kiKNufFJByeQiSMjxot694sU,7590
|
|
929
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_install_root_certificate.toml,sha256=xvgo9kKY1acPOjih3Xe3a_Q2HDwhvqdbad1D6xHQXdw,8341
|
|
930
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_modify_environment_launchctl.toml,sha256=-ooz-u8KhxllRhOFDzkN4MM7_woESAiuL-AHNxK06f0,8058
|
|
931
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml,sha256=5jR9Ledo5S6kzg-2hGPk1TBkQ-vfsPP7MuzyhE9x-6M,8178
|
|
932
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml,sha256=4x6e7XXjcwvgc6xV2qDycn1Of5jLn7hkWaEUzHy-St4,8110
|
|
933
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_safari_config_change.toml,sha256=E8GKJGYyMh2KdsXAtSxL_k4yOl6rraMG-zUX2IOSDyU,8059
|
|
934
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml,sha256=UC-la95cobLkJ4S_mLNjm3rN3LSE4oFBpenoxUmJLjg,7493
|
|
935
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml,sha256=caADtaP2Gfxd4oLftwuXg_xdeSE-IhedU-EonWxvPmE,7399
|
|
936
|
+
nldcsc_elastic_rules/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml,sha256=lvCop87sKiSHIcqKy0Hffz5K2XRjeAfIYyX3xsdQZjc,8093
|
|
937
|
+
nldcsc_elastic_rules/rules/macos/discovery_users_domain_built_in_commands.toml,sha256=5pH_s8KtNB7wEed7JsnlTNjT0TjvfMxcEJKEbeXC-Xw,8598
|
|
938
|
+
nldcsc_elastic_rules/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml,sha256=5z1qCFn-N3jiAOEuwmAWt9vR39QcxCvQQ77pwMn92H4,8092
|
|
939
|
+
nldcsc_elastic_rules/rules/macos/execution_initial_access_suspicious_browser_childproc.toml,sha256=H5Sa4bbA9RiPp00UhMJhIos4U17ZNWuOxey9SrgxbxQ,8536
|
|
940
|
+
nldcsc_elastic_rules/rules/macos/execution_installer_package_spawned_network_event.toml,sha256=dQdEqV4MelN1Q4vGD6nSNmLV90kfrILlSNVNeciWs6g,9216
|
|
941
|
+
nldcsc_elastic_rules/rules/macos/execution_script_via_automator_workflows.toml,sha256=ZQrqBmfAik286RJJVM-sVLIGacMlT0tspDSVQikKLaU,7499
|
|
942
|
+
nldcsc_elastic_rules/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml,sha256=_ntRnJOzJoOtHdhu-DC11lhgdg2R6GStrmbnRxJmHpQ,8532
|
|
943
|
+
nldcsc_elastic_rules/rules/macos/execution_shell_execution_via_apple_scripting.toml,sha256=eDZnvM0iDA5PtV7vjSBZVSC2ol7oX2HbP5i2w2Mk-xw,7980
|
|
944
|
+
nldcsc_elastic_rules/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml,sha256=x9Ga8Ye3v6Rxv4jHjORhrVX2Y7PgWX8jxo7NzOwiJRM,9286
|
|
945
|
+
nldcsc_elastic_rules/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml,sha256=oWjyKi3m3yjXkqZu81LeUjYswlrxRy4xR5jPjk5kkkk,8134
|
|
946
|
+
nldcsc_elastic_rules/rules/macos/lateral_movement_mounting_smb_share.toml,sha256=c1-KZz_e9CoLb-TOTopEwi2QNcJjcGoA9EQp40zG8IM,7912
|
|
947
|
+
nldcsc_elastic_rules/rules/macos/lateral_movement_remote_ssh_login_enabled.toml,sha256=4OWW3vYZ9euMRei4PpmlDPLwaa70Jv3CW1gvDYU1EjA,7390
|
|
948
|
+
nldcsc_elastic_rules/rules/macos/lateral_movement_vpn_connection_attempt.toml,sha256=QrdrZX-oOJQCqGkoL8TPMT4QDh1E_sT378mqiH6UfZ0,7486
|
|
949
|
+
nldcsc_elastic_rules/rules/macos/persistence_account_creation_hide_at_logon.toml,sha256=aUEvaB3nST1X63QHwXadwzdlafmMkXHTD00eOCyTgDA,7679
|
|
950
|
+
nldcsc_elastic_rules/rules/macos/persistence_creation_change_launch_agents_file.toml,sha256=tJsHdrWZ1BCLDXXyBOUfrlNE87oDpPag57rw_MJoZ4Y,8161
|
|
951
|
+
nldcsc_elastic_rules/rules/macos/persistence_creation_hidden_login_item_osascript.toml,sha256=mzvVbrU6_sRuCiSgxNMkOy8D64UE3cypqUpsD6Qf5vY,7777
|
|
952
|
+
nldcsc_elastic_rules/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml,sha256=Ybhe4R6dtoc_iT5NzmVLxIVLsYx9Sm8KeacPdSnpQ7I,7953
|
|
953
|
+
nldcsc_elastic_rules/rules/macos/persistence_credential_access_authorization_plugin_creation.toml,sha256=u9ENOcfkgqZ71KP_1nSeXrfHZ4sBw4D_JvLEIcxBig0,8207
|
|
954
|
+
nldcsc_elastic_rules/rules/macos/persistence_crontab_creation.toml,sha256=pF6GGft3QuuGPWZXkmqZO0DkJOnhDrkjbh_aoEnfvgU,7544
|
|
955
|
+
nldcsc_elastic_rules/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml,sha256=bDwr9sSh9Yxt118lv3dakCMCrVW5csKbEg-ho1sHinw,8219
|
|
956
|
+
nldcsc_elastic_rules/rules/macos/persistence_directory_services_plugins_modification.toml,sha256=y9g_Zo7ie89xK0rH6kVuTYm7doG1az2o7nlcgrbT92U,7737
|
|
957
|
+
nldcsc_elastic_rules/rules/macos/persistence_docker_shortcuts_plist_modification.toml,sha256=DjdGXoAp99NDQmF86DzSLjo-4s21n_6DnW31cNmhiAM,7717
|
|
958
|
+
nldcsc_elastic_rules/rules/macos/persistence_emond_rules_file_creation.toml,sha256=ZuG7uE-jTOKqL1v_CCZfTybfBnBbaJJNiC8eroiKaq8,7657
|
|
959
|
+
nldcsc_elastic_rules/rules/macos/persistence_emond_rules_process_execution.toml,sha256=NlB6u3Svek_V2PuO9k-X8YQ7E5ilz_hf4BQHEDnSMzU,7834
|
|
960
|
+
nldcsc_elastic_rules/rules/macos/persistence_enable_root_account.toml,sha256=u-9eN4tqkC6YpEfiD4cft_cet1gh3YGwWolpSV_EufE,6839
|
|
961
|
+
nldcsc_elastic_rules/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml,sha256=aBT2VCu8m4lfdrrjrSm5z395_hHjn-ntEzxfizG9qOw,8168
|
|
962
|
+
nldcsc_elastic_rules/rules/macos/persistence_finder_sync_plugin_pluginkit.toml,sha256=1WJ4TW3ALI-AcKMG-VKOaVDzgDTETbRyDc_QoMah4F0,7829
|
|
963
|
+
nldcsc_elastic_rules/rules/macos/persistence_folder_action_scripts_runtime.toml,sha256=LXmcostzqhfR506bzj8xUpVS_v__TEmoBg3IE9FUSus,8097
|
|
964
|
+
nldcsc_elastic_rules/rules/macos/persistence_login_logout_hooks_defaults.toml,sha256=hi6M6ALwTRal3enYqAo0VNMls6BuMlSLgC4ek6U43Mg,7240
|
|
965
|
+
nldcsc_elastic_rules/rules/macos/persistence_loginwindow_plist_modification.toml,sha256=2LLoy9k4GJ5d-h-RsivGqKxcFaOrjKNw4DbGrmaIP78,4210
|
|
966
|
+
nldcsc_elastic_rules/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml,sha256=EuOo_KJ_BadsO4mpfnWiharCGoEnmsfZDmp0gNUWvew,8273
|
|
967
|
+
nldcsc_elastic_rules/rules/macos/persistence_periodic_tasks_file_mdofiy.toml,sha256=acbzspvAYZ-pRmwWM0xWTnAJS69fl5tsddhGpgDALuU,7859
|
|
968
|
+
nldcsc_elastic_rules/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml,sha256=gPR2OV-QlPwZvEiqGP8HY80yr4nfBg8ynKGQ9rlU8Pc,4217
|
|
969
|
+
nldcsc_elastic_rules/rules/macos/persistence_screensaver_plist_file_modification.toml,sha256=DvY6wLcqphqFSUQR3cDXeiHISWLZ64i4C_-xeg9zHVc,4766
|
|
970
|
+
nldcsc_elastic_rules/rules/macos/persistence_suspicious_calendar_modification.toml,sha256=ZnYLMS2ZhEqTX1kGBRFsttUsBXFJ1nVc6p4mpo8DCmk,7595
|
|
971
|
+
nldcsc_elastic_rules/rules/macos/persistence_via_atom_init_file_modification.toml,sha256=lWBfxcgfygMH_KWbEJ7YvXeuey4a9xXdwAe5-pdrUBg,7542
|
|
972
|
+
nldcsc_elastic_rules/rules/macos/privilege_escalation_applescript_with_admin_privs.toml,sha256=x9UF5Dz80VMqJNFZMd6uImYQ2yZ0V-Sw-9xu37shbD8,7512
|
|
973
|
+
nldcsc_elastic_rules/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml,sha256=At9WFkoUsAvzqKQ0pbL1siXAxgK7aiimFE5ycUzCEK8,8508
|
|
974
|
+
nldcsc_elastic_rules/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml,sha256=-99EFGyt0XZ_iUpbaBmg0jC6x9-tVTKFGsuNlLu3d8A,8647
|
|
975
|
+
nldcsc_elastic_rules/rules/macos/privilege_escalation_local_user_added_to_admin.toml,sha256=xmzuHaNOjJ1hSF13JB1fVTL4aWh1GYomjLYJ-0Fde04,8057
|
|
976
|
+
nldcsc_elastic_rules/rules/macos/privilege_escalation_root_crontab_filemod.toml,sha256=Es9pov7nRqsJ5ZsSFFYuDed5FewpCWYNH5Xv2HDsXC8,7371
|
|
977
|
+
nldcsc_elastic_rules/rules/macos/privilege_escalation_user_added_to_admin_group.toml,sha256=_1K7GHIOd270Bo-f5HdAZANmCBJsE8SGS5l21I5CpJE,4385
|
|
978
|
+
nldcsc_elastic_rules/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml,sha256=-use4HHUNupNGD0esvj-wI8f-CVcf469Cf9Vc1F_gnA,9232
|
|
979
|
+
nldcsc_elastic_rules/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml,sha256=fRtqHKR5SWV_5GrU2ro0DVJzYTiqSLtgJJ10wPa5lz4,9922
|
|
980
|
+
nldcsc_elastic_rules/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml,sha256=7EXtTBvD0HlyutDXGwsbp749AnB8qoApE8vxe-UlsJs,10347
|
|
981
|
+
nldcsc_elastic_rules/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml,sha256=bwZyiyg4hyoLxGGZ01xwxND4hn86g26BQYUqeLa9hU8,9945
|
|
982
|
+
nldcsc_elastic_rules/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml,sha256=IdzOCH49v7_Jj34c07yAgjNzX2Npigp4Z-c7O4EnIUg,9283
|
|
983
|
+
nldcsc_elastic_rules/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml,sha256=lQT0erutWT4ZtBF7IY4HbDsI0-JSUUIb0ExdTAQqTiQ,10338
|
|
984
|
+
nldcsc_elastic_rules/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml,sha256=zY-mkRXD6B_sgIOrmPACyTzqmhoCyirwgJpbvBVDnrw,9185
|
|
985
|
+
nldcsc_elastic_rules/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml,sha256=YUOagZUeBgKt1vW9ykrI1N2dUl53q6poPrJdBO2C8MI,9889
|
|
986
|
+
nldcsc_elastic_rules/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml,sha256=CNkfeMB6mhBSI-bVnFJLf787zgJFtuRCAFNHFSmFAa4,10052
|
|
987
|
+
nldcsc_elastic_rules/rules/ml/credential_access_ml_suspicious_login_activity.toml,sha256=_mwL1ga1MkQ_VDwKLaMZF0Tryd7oREvTPrhnE5wqRPs,10287
|
|
988
|
+
nldcsc_elastic_rules/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml,sha256=Z75iuvO3fmFzQ4mjy4wOUkEFG8knS57hnVu4sMMShyk,8750
|
|
989
|
+
nldcsc_elastic_rules/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml,sha256=QfVRrRtoNltXvP0eUQkAU2piwpW9yQ5ZzPXfZtyz_ac,8938
|
|
990
|
+
nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_information_discovery.toml,sha256=15sScVLrjRxSphNhUDsS8OSYjmwwRYAnAR-179RRMRc,9860
|
|
991
|
+
nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml,sha256=cv_IzWQRv0tTAfSa9ck7MtuFjo7LhaFxdIb8teZ2Sm4,10240
|
|
992
|
+
nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml,sha256=G7-2crZlKQNlwrB4baRsQki8WsRbod0JuFOOpGLgcIo,9612
|
|
993
|
+
nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_process_discovery.toml,sha256=fAlhrhI979xigmZ4M7q-XBX6m0DeOWz71k7tF-HiM8o,10006
|
|
994
|
+
nldcsc_elastic_rules/rules/ml/discovery_ml_linux_system_user_discovery.toml,sha256=m4yiyPLj0-0hxAbY0ooW6TPrpdTHF7dMsvHqd6ZTaeE,9625
|
|
995
|
+
nldcsc_elastic_rules/rules/ml/execution_ml_windows_anomalous_script.toml,sha256=g5cVx9IRXTL5ySJV3KWgJpwmt6Y8hVS7-anfb2CWpss,9036
|
|
996
|
+
nldcsc_elastic_rules/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml,sha256=GywIgSgOnoVPdXlYeWNImbCTHqF0SfALVNT4qQzsRi4,8436
|
|
997
|
+
nldcsc_elastic_rules/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml,sha256=zCSKAbxkQ5_Jm-WUyifV7BfSUGiNU5QZmFV8_rSnKQo,10420
|
|
998
|
+
nldcsc_elastic_rules/rules/ml/initial_access_ml_auth_rare_user_logon.toml,sha256=kG69KSKfe7Pd7aVaUIU14suP5L4TaYUYV78SuH8YHio,8749
|
|
999
|
+
nldcsc_elastic_rules/rules/ml/initial_access_ml_linux_anomalous_user_name.toml,sha256=iNufQcmdGizV-2smL--et7zPuAmJ2jab-UWQt-JcSY4,7456
|
|
1000
|
+
nldcsc_elastic_rules/rules/ml/initial_access_ml_windows_anomalous_user_name.toml,sha256=RZFc5oqap1Gapd74KWg0ygdFvchJnARdXpOVYZ_61Rg,7152
|
|
1001
|
+
nldcsc_elastic_rules/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml,sha256=9ucTP7Q6X6kTiuXWEa9nueqW0r_EdFNOAQ7ZG9d1FJs,5685
|
|
1002
|
+
nldcsc_elastic_rules/rules/ml/ml_high_count_events_for_a_host_name.toml,sha256=x-lS-NExEL8gOxp5mun9uz1tUmLir3kG10zczlKQqnA,7325
|
|
1003
|
+
nldcsc_elastic_rules/rules/ml/ml_high_count_network_denies.toml,sha256=wMjhrjukKhbLGc2FnyeegsONlnDVM8ENMjXzMAcvEko,9233
|
|
1004
|
+
nldcsc_elastic_rules/rules/ml/ml_high_count_network_events.toml,sha256=T8DWawy6a4jfxxoEgDgZrrnxTMtyG7_MtAdGOLBrAyg,9234
|
|
1005
|
+
nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_activity.toml,sha256=f9ssepHJ6ynY5epi85V_4f1Sk3jwZaHo5BlKiYrVWoQ,6859
|
|
1006
|
+
nldcsc_elastic_rules/rules/ml/ml_linux_anomalous_network_port_activity.toml,sha256=zqr7MfO7mI5YWnRiNxChJOXyyRaT_hDqg-3dTjgPFWw,9453
|
|
1007
|
+
nldcsc_elastic_rules/rules/ml/ml_low_count_events_for_a_host_name.toml,sha256=70zaSCAcALMh6TyvqO8H5ngh_0pPfXcAjae5MUv52D8,7114
|
|
1008
|
+
nldcsc_elastic_rules/rules/ml/ml_packetbeat_rare_server_domain.toml,sha256=r-RVZZC-D4fBn_5iMlPmVCeALt21fZBaBq04Lzbisx0,9760
|
|
1009
|
+
nldcsc_elastic_rules/rules/ml/ml_rare_destination_country.toml,sha256=SY0Vb9x6WuovgSXt35RMbdLRVcEuGrcbfhhU4M5W49s,9747
|
|
1010
|
+
nldcsc_elastic_rules/rules/ml/ml_spike_in_traffic_to_a_country.toml,sha256=jzaTqY4fh5v0UDcJA9jiuw0tmmOyrVA8WhU76K4W2_Y,8925
|
|
1011
|
+
nldcsc_elastic_rules/rules/ml/ml_windows_anomalous_network_activity.toml,sha256=Olu_4u033xDRSOeIhIDAsuNkDc69BPY2IZlqQMjH_8o,6565
|
|
1012
|
+
nldcsc_elastic_rules/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml,sha256=KF2u9Gr51vPCHGCaTMWYMa-7JDOUB-mrkXM7h4X8P70,9351
|
|
1013
|
+
nldcsc_elastic_rules/rules/ml/persistence_ml_rare_process_by_host_linux.toml,sha256=yCKzM-DKLvxs6Oz2RcT2KfC1cgVykUyFSI17oc8pTRw,9330
|
|
1014
|
+
nldcsc_elastic_rules/rules/ml/persistence_ml_rare_process_by_host_windows.toml,sha256=eALjJe_xz11RYe3FmHDs1tpRxmxx0dL0qytSfjGrq-U,11662
|
|
1015
|
+
nldcsc_elastic_rules/rules/ml/persistence_ml_windows_anomalous_path_activity.toml,sha256=U-HcPYVf3FQ_C2P_fl0box4wWYCBN_Ko_rktUm1A2Fw,9777
|
|
1016
|
+
nldcsc_elastic_rules/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml,sha256=kKVbzWAqQabtIOj2JNIsdaPHxppj2Qt2DPECCuFfO38,11979
|
|
1017
|
+
nldcsc_elastic_rules/rules/ml/persistence_ml_windows_anomalous_process_creation.toml,sha256=r6Cp63xAybl3vRdAOcVCd-50Kusk97eacuGvtIqe_0A,12114
|
|
1018
|
+
nldcsc_elastic_rules/rules/ml/persistence_ml_windows_anomalous_service.toml,sha256=Zm75mdZAuWAZcTVGqvn7lT0aJ0OKiO66Xd_J11XqB9Q,9053
|
|
1019
|
+
nldcsc_elastic_rules/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml,sha256=DRQsxghIERBj0WZNYs7UjNBJzEBY__IkiSlPSXL--e4,9895
|
|
1020
|
+
nldcsc_elastic_rules/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml,sha256=cZuL-OllNqDAvP4pSuoxk9c6jyq2HyGYTCBmPPmuw9o,8746
|
|
1021
|
+
nldcsc_elastic_rules/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml,sha256=TgTWEnq81oCS-Ah9l8Gk5OWwKEknQB3zvUklyNr4ri8,9873
|
|
1022
|
+
nldcsc_elastic_rules/rules/network/command_and_control_accepted_default_telnet_port_connection.toml,sha256=PMnP2FmLhEADgGFCBm1gIBbBDKgX65otxQA8T8FbRUo,6683
|
|
1023
|
+
nldcsc_elastic_rules/rules/network/command_and_control_cobalt_strike_beacon.toml,sha256=js9zdKz06loux-ETkv_fEqJOiukKbLVN-4vFNPptdFs,6302
|
|
1024
|
+
nldcsc_elastic_rules/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml,sha256=ltAuXm5_5K91v7VpY8rL8vzjOwxVPGFHJCW0nBpDomc,6602
|
|
1025
|
+
nldcsc_elastic_rules/rules/network/command_and_control_download_rar_powershell_from_internet.toml,sha256=iSPMH0nAeD_9DFCyXYtN0eS0ZYLOyZADNC9NT187kes,6858
|
|
1026
|
+
nldcsc_elastic_rules/rules/network/command_and_control_fin7_c2_behavior.toml,sha256=dVqA6lrnNeIg_jkbG0AN8c_yfefcP-olPdUb0ZXwY0A,2444
|
|
1027
|
+
nldcsc_elastic_rules/rules/network/command_and_control_halfbaked_beacon.toml,sha256=H7SdShpgvXG1C21Dq_uFOBH7FHDanRrjBMvDcvGtAdw,6069
|
|
1028
|
+
nldcsc_elastic_rules/rules/network/command_and_control_nat_traversal_port_activity.toml,sha256=aabur90wGqoOXRJsh10uYYsL17pa654DJZVXYvcSSC8,6023
|
|
1029
|
+
nldcsc_elastic_rules/rules/network/command_and_control_port_26_activity.toml,sha256=S2fq_zcbn3GWLbIgKEEplEtnLNJcowxPWX86aThxLEI,5614
|
|
1030
|
+
nldcsc_elastic_rules/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml,sha256=gAcufp5myizgphfNxTfJG-wEzddPzNWoNZcplZVtlSI,7327
|
|
1031
|
+
nldcsc_elastic_rules/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml,sha256=AuG5v-eeQnjLC0fbkLSuU4JHqyzrXICKa2IjIp5BdIk,6885
|
|
1032
|
+
nldcsc_elastic_rules/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml,sha256=HRuMy4JMi46yi-SaSYxIYpKBF404amez5ZWeJLt6WJM,6565
|
|
1033
|
+
nldcsc_elastic_rules/rules/network/discovery_potential_network_sweep_detected.toml,sha256=5tQIN2thiNsLQTRjDdHRAAk5GFy7wjAUJ8Ca-MJnID8,6605
|
|
1034
|
+
nldcsc_elastic_rules/rules/network/discovery_potential_port_scan_detected.toml,sha256=gpRNpr2f8lTKAPr8feg7iIOw3AtpPwOgXRZMc3Ieek8,6801
|
|
1035
|
+
nldcsc_elastic_rules/rules/network/discovery_potential_syn_port_scan_detected.toml,sha256=9JcJqRiehUpdeEirZmBTVqPT4FSEbWUxuTICvw0vmAI,6617
|
|
1036
|
+
nldcsc_elastic_rules/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml,sha256=Qai4OAj8Rr6eN-_U2iJB11FpSg9LuTyZACc9vYKjpAs,5890
|
|
1037
|
+
nldcsc_elastic_rules/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml,sha256=7Lko0AyJx0dSe0f6bXpLnjlZi309glFt4dSJRDKlZ2k,6152
|
|
1038
|
+
nldcsc_elastic_rules/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml,sha256=cAPxvSf0gXy2-AMiqKCs-QHKwvsiU36qwg808WUe9MU,6574
|
|
1039
|
+
nldcsc_elastic_rules/rules/network/initial_access_unsecure_elasticsearch_node.toml,sha256=aI075Ejg71KLPQNxt-rlYl-XMdQws2WOUNDVrtfMSVk,6189
|
|
1040
|
+
nldcsc_elastic_rules/rules/network/lateral_movement_dns_server_overflow.toml,sha256=yuOXwndVOVePtpI2b0Rsmx-oIXgaQhJmkpFKSavZ5No,5181
|
|
1041
|
+
nldcsc_elastic_rules/rules/promotions/credential_access_endgame_cred_dumping_detected.toml,sha256=z6nBuhaCnYaL-UJtn66PpMIIy0PE8gdaN-Fo6371PlM,5472
|
|
1042
|
+
nldcsc_elastic_rules/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml,sha256=fTMgE5OaSeG1ttIY3vNhZcTX9mqmUh0U1z3n9ZliTZ0,5336
|
|
1043
|
+
nldcsc_elastic_rules/rules/promotions/crowdstrike_external_alerts.toml,sha256=Fhq7sied6-0CVpFcYL5zGr-X-wpllOFfwJIwCZXdLAY,4625
|
|
1044
|
+
nldcsc_elastic_rules/rules/promotions/elastic_security_external_alerts.toml,sha256=lBiECEOwduNwMfnsVOWDea5YUNq4Ptj6_BQus8kn1ig,5417
|
|
1045
|
+
nldcsc_elastic_rules/rules/promotions/endgame_adversary_behavior_detected.toml,sha256=kHUD1yWpJ9M5XWnjJTM-obM9xAP4vrXi5xTrv16EHJU,4943
|
|
1046
|
+
nldcsc_elastic_rules/rules/promotions/endgame_malware_detected.toml,sha256=qxk6GJYxP4z3A6di71nq5JjKnTzGddjsGIORg52MD-w,4957
|
|
1047
|
+
nldcsc_elastic_rules/rules/promotions/endgame_malware_prevented.toml,sha256=yxtTGq6NKFsA0ZmIr5UcToQ0GGv_jQ4hDuX8sKDQlNg,5248
|
|
1048
|
+
nldcsc_elastic_rules/rules/promotions/endgame_ransomware_detected.toml,sha256=jzHzaCMGEFRZHaY-vx-qjEvxWP0HTEu-W3JbUPJV1tk,5038
|
|
1049
|
+
nldcsc_elastic_rules/rules/promotions/endgame_ransomware_prevented.toml,sha256=NbkC3mYaZo-9BNdCHkIIDou6qtaGjERlIsRVqx1UgHQ,5205
|
|
1050
|
+
nldcsc_elastic_rules/rules/promotions/execution_endgame_exploit_detected.toml,sha256=qf7eZQG0C_M-JudxEg58LKQg8UYOfVj7QJH7LpZNljY,5219
|
|
1051
|
+
nldcsc_elastic_rules/rules/promotions/execution_endgame_exploit_prevented.toml,sha256=_C-Ljdho36X-6MIv67-Uj5We3noqyc_KmlOUdY-OutE,5785
|
|
1052
|
+
nldcsc_elastic_rules/rules/promotions/external_alerts.toml,sha256=a-7lcp3HNwR-9slkINZVc3zvY5vcdi4h2f3gUWulFok,5437
|
|
1053
|
+
nldcsc_elastic_rules/rules/promotions/google_secops_external_alerts.toml,sha256=N-RqHMdp-ShOWRbdjRWAlgpRul7D3HwAMBbTw2_NCtE,5408
|
|
1054
|
+
nldcsc_elastic_rules/rules/promotions/microsoft_sentinel_external_alerts.toml,sha256=579FABDjrD2Bx-HtjVbt9Xx_FbGxLZ6V8lwExUnbUjE,5192
|
|
1055
|
+
nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml,sha256=OsC42xvAWZ73ucgomaH2F3Hz-qH2WgRXmhFvZ4UPFkg,5352
|
|
1056
|
+
nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml,sha256=L9F0p1bAIyFqqhvhAh6SrVwXO6sStpEj0RQDpDGyOl0,5404
|
|
1057
|
+
nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml,sha256=I5eyZ4b_XcETD2QUvwQOvI0KxW3Nw2jd_moeE3TZ8vU,5323
|
|
1058
|
+
nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml,sha256=S6Gy7Wzvm9qYZQZa3m-es_tLUjEzCOFP8e_e56774kA,5574
|
|
1059
|
+
nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml,sha256=e6RvjlBLkLA_CSeRnPkMUd7d6nWs6gEVIP3kckyXNBo,5922
|
|
1060
|
+
nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml,sha256=g2LXoq92JyjLDT6xuq3EVmdnmOwezNba2mdaLGQTArM,5447
|
|
1061
|
+
nldcsc_elastic_rules/rules/promotions/sentinelone_alert_external_alerts.toml,sha256=ub8zDEBUmVyUF-DwD2Z0WH4hNjZ4-03lLfPSnzwIJzc,5420
|
|
1062
|
+
nldcsc_elastic_rules/rules/promotions/sentinelone_threat_external_alerts.toml,sha256=ceyGbQk6Pny24PcURQfR5l-LPMP7CYIP5B5-rcw5vFI,5345
|
|
1063
|
+
nldcsc_elastic_rules/rules/promotions/splunk_external_alerts.toml,sha256=FTrly6HfH8b2f0Ev3pzEr94aADkPL2aogz9B13BQj-U,5217
|
|
1064
|
+
nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_address.toml,sha256=sABfe4Vd_YB_dN7k0TwfcEFz7ForztJQfsK24dBdXPU,9398
|
|
1065
|
+
nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_email.toml,sha256=cuh4R_J-fUder7rRHeCDAckV5mC3Tjcw52o0WyyWAko,8113
|
|
1066
|
+
nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_hash.toml,sha256=FSffKHLWay2Jyy5_EVHjg33cbS4iVct4BPH9otI20co,10081
|
|
1067
|
+
nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_registry.toml,sha256=-8NPSRm082kvQpB-gFdnthoCa_1-5eODRRSlnZbfyCY,8355
|
|
1068
|
+
nldcsc_elastic_rules/rules/threat_intel/threat_intel_indicator_match_url.toml,sha256=JOmYkXME8BgYPNjCLRJA1mCi-gYEuu9yAemfKHyXWBU,9291
|
|
1069
|
+
nldcsc_elastic_rules/rules/threat_intel/threat_intel_rapid7_threat_command.toml,sha256=CG1NG4QEb28hBxQIeBqdugJO2bQWs0Xd14mg4uLF81s,4454
|
|
1070
|
+
nldcsc_elastic_rules/rules/windows/collection_email_outlook_mailbox_via_com.toml,sha256=s9xCQ9ZlD9aTL2N7NNsFR3ZNWbnYHD1Payf6CnMq1WE,6964
|
|
1071
|
+
nldcsc_elastic_rules/rules/windows/collection_email_powershell_exchange_mailbox.toml,sha256=PYNr5RnEgZPOirZq0paV0yAaQ9LxFrlxbiGcZNv4Afc,6659
|
|
1072
|
+
nldcsc_elastic_rules/rules/windows/collection_mailbox_export_winlog.toml,sha256=pgQ_Q03DInbNnWMPy7p4B_LsclnrN5p2_estBoQB9vw,5813
|
|
1073
|
+
nldcsc_elastic_rules/rules/windows/collection_posh_audio_capture.toml,sha256=INGs6a2kcT3MDO6iFZ39a2BAflVrgUpSEDOZ4S5dprM,5620
|
|
1074
|
+
nldcsc_elastic_rules/rules/windows/collection_posh_clipboard_capture.toml,sha256=Q6fDMm_uZANuIFqegWCorifTudI2c8ZI9kASdaM3_Uo,6515
|
|
1075
|
+
nldcsc_elastic_rules/rules/windows/collection_posh_keylogger.toml,sha256=TGXdsMUhdHo78u1QGa7OF-4WoJ92G4S3vCTX8M41gso,6072
|
|
1076
|
+
nldcsc_elastic_rules/rules/windows/collection_posh_mailbox.toml,sha256=EwswW38VD4R2IyHa5TL1gMzyFERZRf-wUDHvs6tMI4E,6498
|
|
1077
|
+
nldcsc_elastic_rules/rules/windows/collection_posh_screen_grabber.toml,sha256=uInDRfnVNNVj5jxw8Ne5HqrGiSutKd86X2WFQppTzOY,5151
|
|
1078
|
+
nldcsc_elastic_rules/rules/windows/collection_posh_webcam_video_capture.toml,sha256=DaV0E_nxWBqIlNaWN-kZMYIknkApg_XtHIv4No2_m_w,6453
|
|
1079
|
+
nldcsc_elastic_rules/rules/windows/collection_winrar_encryption.toml,sha256=jrytpercQnyWQkufhRT-L3zm4dlgVgd-7liJXmO583k,5364
|
|
1080
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_certreq_postdata.toml,sha256=Zy4h-3zDaUJOctE9E72kt8Dtc0popzZDZSC47Sbw1_c,7957
|
|
1081
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_common_llm_endpoint.toml,sha256=BCmSt8ytB0-2eBiE6naRjv4dMkS9qp5y0oFLc8tGNZ0,5960
|
|
1082
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_common_webservices.toml,sha256=8VJr0CC0L4mgpQyWgNHw30K5fBsnssl1SaZX1B2X7iY,16056
|
|
1083
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_dns_susp_tld.toml,sha256=7YsiR5XjwtQ5X7HZrm6hcIAcmfYJbCdgtEW1St-to5k,4779
|
|
1084
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_dns_tunneling_nslookup.toml,sha256=OGBh4zDgseRjdRBBbAqE8Lhlmtu0QErRfeiFZqTMVVA,4816
|
|
1085
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_encrypted_channel_freesslcert.toml,sha256=tu4oPRs2LaxkDndmPIJyqyBZpt2al03ncSZF0dn5xUU,6285
|
|
1086
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_headless_browser.toml,sha256=Xle3lp5n4Sm_2CBxfAKCMXOWUAlmrLuXbvLt3vZuD7Y,4439
|
|
1087
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_iexplore_via_com.toml,sha256=t352l1EUQOsmSYIHeCtV64-eIl4HRLBt7ezddO7CSK4,7030
|
|
1088
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_ingress_transfer_bits.toml,sha256=OhAz9FbffgaQUWfWUn0mUeQklfG-tX5q9YOI0hqYcrY,8990
|
|
1089
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml,sha256=9nz6Ba8L2sWDMK46ItvpavSZDt3EStq6kpyogzR8z-o,11616
|
|
1090
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_outlook_home_page.toml,sha256=yKnNDNQ90uDcZE1G1v7L9m-hMTrZinyGozWx8uRnqpU,6067
|
|
1091
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_port_forwarding_added_registry.toml,sha256=0k_71fTnRdsyJ7IR1f5F3pt5dPRRfn2v9KUlthVtttQ,5431
|
|
1092
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_rdp_tunnel_plink.toml,sha256=lbCU9ahoeoazokJTEDOEPmtkttOixNTI1h6N7-ayG4A,5365
|
|
1093
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_remcos_rat_iocs.toml,sha256=_RlEXNyWPi7igTaZA9kR_odJEh2TvpWsOamGCHUxqpY,4244
|
|
1094
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml,sha256=_-Qd-2zTjwiXp6FyvNVAbGkYmDG248FoxvpeQ2SDR2s,9002
|
|
1095
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml,sha256=gVPjHGhhUnTqHuXSgNs0XyctOFNnA8_zPCBr2DIitiE,8909
|
|
1096
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_remote_file_copy_powershell.toml,sha256=qgioQovJ7Ux6w6MgWFHDCcnAs7UT4eUe02ovoK1Js0A,9848
|
|
1097
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_remote_file_copy_scripts.toml,sha256=gwf1K1s9FvKbq-IpvKw5nTrwHbVh2U3cXqZeD50_2fw,7100
|
|
1098
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_rmm_netsupport_susp_path.toml,sha256=7v8D76L1T8xI4vEJsvG2DCCCm9pxBcwIOmHKqrgklSE,4324
|
|
1099
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_screenconnect_childproc.toml,sha256=b9UAQBVkN26ez_CK8fLwsPcuMQFuIp2MpWvIFPyhi1w,7373
|
|
1100
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_sunburst_c2_activity_detected.toml,sha256=DwEBgkB40-diO5sA_GvVqhJrx0BqM9BFl5XTIN2JOTE,8259
|
|
1101
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_teamviewer_remote_file_copy.toml,sha256=SyA8UQTlYDc29-aKWNybjer0HmHNY3oGSmL7-0Y1LY0,7389
|
|
1102
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_tool_transfer_via_curl.toml,sha256=2gFvlwnDOqHLUKcznk1nPxcSXXtG1EcgoAfGNWnDtJs,5277
|
|
1103
|
+
nldcsc_elastic_rules/rules/windows/command_and_control_tunnel_vscode.toml,sha256=BCj_FXkhQrHSHX2c-7dGlz9bdJFlk4LMuYZjlRI9gKA,6156
|
|
1104
|
+
nldcsc_elastic_rules/rules/windows/credential_access_adidns_wildcard.toml,sha256=hEwtQhdNCALDaZQbdp1d5P30gi_Z7jl2MqxeW2IWlLE,6835
|
|
1105
|
+
nldcsc_elastic_rules/rules/windows/credential_access_adidns_wpad_record.toml,sha256=Psrafl7T578EPeVDndK5ZF4K-b_kVpfdrsuQOuSol8I,6377
|
|
1106
|
+
nldcsc_elastic_rules/rules/windows/credential_access_browsers_unusual_parent.toml,sha256=7C-hUfZpvayUVb_Tpl60Bv_ZQyAFEK13wAxiJpwjb-E,7185
|
|
1107
|
+
nldcsc_elastic_rules/rules/windows/credential_access_bruteforce_admin_account.toml,sha256=5hfNidxGbPIhdRlor_-ygDQVQp08lQ3qkgvrCGCU4nY,6895
|
|
1108
|
+
nldcsc_elastic_rules/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml,sha256=wv0ROnpCvj_WJLV_BG4-KVOJsLR30rUETeW1lXw7nsk,7544
|
|
1109
|
+
nldcsc_elastic_rules/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml,sha256=UHsxncFwhz0vdy8qYv-618Mgz5xOt3VAEof2i6KD870,8269
|
|
1110
|
+
nldcsc_elastic_rules/rules/windows/credential_access_cmdline_dump_tool.toml,sha256=V4A3ymiX_GxF0UIbMJeD5v07CUrbRhqzqtghhZJSVMg,6591
|
|
1111
|
+
nldcsc_elastic_rules/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml,sha256=J-76Kxtd9y6GmCwk4o6uVfd6_UqQVLjYPX3aH7r3X78,8865
|
|
1112
|
+
nldcsc_elastic_rules/rules/windows/credential_access_credential_dumping_msbuild.toml,sha256=XaAN-OkaK4N53OT3Fy3o3Bf0XZmKLD9cGBQSLAaYQ2U,8364
|
|
1113
|
+
nldcsc_elastic_rules/rules/windows/credential_access_dcsync_newterm_subjectuser.toml,sha256=R5PFPMjRz8n-Qeq-5K6wiqwSV_n2IIewpYzMFNkFFa4,8317
|
|
1114
|
+
nldcsc_elastic_rules/rules/windows/credential_access_dcsync_replication_rights.toml,sha256=Y8O_ULH-3_kTmGVZFCYOhChNR0l94g_C32O-qKpoGcU,8734
|
|
1115
|
+
nldcsc_elastic_rules/rules/windows/credential_access_dcsync_user_backdoor.toml,sha256=DGocam5Y7BzFWzl2kP3iU2-eRBerTqFxvgAQsfJoQ0A,6774
|
|
1116
|
+
nldcsc_elastic_rules/rules/windows/credential_access_disable_kerberos_preauth.toml,sha256=SEyjLzIl_kyxWHvWkpgVDIiOjkAUyD-qJAuyMha9wjU,5937
|
|
1117
|
+
nldcsc_elastic_rules/rules/windows/credential_access_dnsnode_creation.toml,sha256=IaJp5Nnh2xeFLs1gTS7O4tvdrqe8_QJ_WKwzHsMXcPo,6907
|
|
1118
|
+
nldcsc_elastic_rules/rules/windows/credential_access_dollar_account_relay.toml,sha256=QIN4-q7Wiyj0iFB-9_9pdlRSJgPeeI_STwvIJ6SUVkE,6666
|
|
1119
|
+
nldcsc_elastic_rules/rules/windows/credential_access_dollar_account_relay_kerberos.toml,sha256=OgX_x46jY1RtAq5xIIcRJYM321rjXBEoiI_aR2x1vgs,8113
|
|
1120
|
+
nldcsc_elastic_rules/rules/windows/credential_access_dollar_account_relay_ntlm.toml,sha256=YTp6bmbHnwUjHDg1rjJA8r8Mx86doFvhPiZSZnNNKQs,7878
|
|
1121
|
+
nldcsc_elastic_rules/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml,sha256=b3nG19-5mHCS-oDPbnZcGjuTis_yk7WYlYnCCtpF-FA,2561
|
|
1122
|
+
nldcsc_elastic_rules/rules/windows/credential_access_dump_registry_hives.toml,sha256=Y5kiPg57DTvTu3EVViOXhWeMFNdRoWdNL4ueURwPLdk,4988
|
|
1123
|
+
nldcsc_elastic_rules/rules/windows/credential_access_generic_localdumps.toml,sha256=R4k0uIqw1AlJkr7Wck6cSRkEtpRg8UTFU3Mf-1FXfD0,7218
|
|
1124
|
+
nldcsc_elastic_rules/rules/windows/credential_access_iis_connectionstrings_dumping.toml,sha256=vbeqC7wKyFDXVDcRx5YAnHXNn2MqRICmP3lLQ8UpbCc,6440
|
|
1125
|
+
nldcsc_elastic_rules/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml,sha256=NvhEAVoxQh3SNttFQZ7hTjpPMAZkhTH9yuuiaYRQaZ8,6297
|
|
1126
|
+
nldcsc_elastic_rules/rules/windows/credential_access_kerberoasting_unusual_process.toml,sha256=ARYIjrYa72RLBMbdxPa-abGCVCCP-r2mRY8RLhqul0U,9896
|
|
1127
|
+
nldcsc_elastic_rules/rules/windows/credential_access_kerberos_coerce.toml,sha256=90kwSIspPMV6UvS6AGT4fuENEdvpNWBLaZFHe38Tb3s,6265
|
|
1128
|
+
nldcsc_elastic_rules/rules/windows/credential_access_kerberos_coerce_dns.toml,sha256=28IBnrK6YYcgqps5Xi-gvJVEq4tXETBR4kggLd8sKO8,5350
|
|
1129
|
+
nldcsc_elastic_rules/rules/windows/credential_access_kirbi_file.toml,sha256=4d665QXNA3DC8ryn5zhoMopAXTN57hUS8jpR6m_ZteI,6030
|
|
1130
|
+
nldcsc_elastic_rules/rules/windows/credential_access_ldap_attributes.toml,sha256=AjLuZvPdc5XuS7T5st-_bZhQgG85hrfCMYgl9Uimhjg,7640
|
|
1131
|
+
nldcsc_elastic_rules/rules/windows/credential_access_lsass_handle_via_malseclogon.toml,sha256=y2u6YHfS59eNAZkWCilTMdE_WWRXXTihWD5-BQ6SDXI,6509
|
|
1132
|
+
nldcsc_elastic_rules/rules/windows/credential_access_lsass_loaded_susp_dll.toml,sha256=SYjWvNTTdhUJct2yGYvnrhEDp6-9mnw0T7DAU3XzPhc,9022
|
|
1133
|
+
nldcsc_elastic_rules/rules/windows/credential_access_lsass_memdump_file_created.toml,sha256=3omrNBBl3sohCpClavAJpJCx7KKKuRmIYhWtATKSAic,8374
|
|
1134
|
+
nldcsc_elastic_rules/rules/windows/credential_access_lsass_memdump_handle_access.toml,sha256=b9ipFixG4ShNHa6v3FjCSprtXVK5OY4b7s2_6VFVg1Q,9945
|
|
1135
|
+
nldcsc_elastic_rules/rules/windows/credential_access_lsass_openprocess_api.toml,sha256=0iIU6GWOX4D6Eed-dU4ybjnPRqssDxCEtDwd2_d0uew,12420
|
|
1136
|
+
nldcsc_elastic_rules/rules/windows/credential_access_machine_account_smb_relay.toml,sha256=EUon_TtKYRn9j-abTeNCecuux7so-0Vd3-johCqNT4U,6056
|
|
1137
|
+
nldcsc_elastic_rules/rules/windows/credential_access_mimikatz_memssp_default_logs.toml,sha256=M-jZlbzEco-xvYBnbnzXtP8MgUzmIUEptAgkQKzUUQ0,5385
|
|
1138
|
+
nldcsc_elastic_rules/rules/windows/credential_access_mimikatz_powershell_module.toml,sha256=aXXZoX8_K_0P2LgRwVbUXKNvlzeJY2iW1MPCoQc25OQ,6386
|
|
1139
|
+
nldcsc_elastic_rules/rules/windows/credential_access_mod_wdigest_security_provider.toml,sha256=ca1dRqjNeYr48QQ0crUmuxHoUIxj0ieCSDTkinJB5ck,6146
|
|
1140
|
+
nldcsc_elastic_rules/rules/windows/credential_access_moving_registry_hive_via_smb.toml,sha256=6g-paoOwJJ8qc1AhkoQcFRDpWNom4D6vPnSjxZFy91U,5007
|
|
1141
|
+
nldcsc_elastic_rules/rules/windows/credential_access_persistence_network_logon_provider_modification.toml,sha256=u93XW9yQrJ99_QYbYYi3tj8zgixITmddC9WE3q-Dwp0,8920
|
|
1142
|
+
nldcsc_elastic_rules/rules/windows/credential_access_posh_invoke_ninjacopy.toml,sha256=05Ed-pHJ4Aai5nm5jvHNmzvb6nfj89YmgWgWoWcXkI0,5556
|
|
1143
|
+
nldcsc_elastic_rules/rules/windows/credential_access_posh_kerb_ticket_dump.toml,sha256=bnvTbiq3hfApA01kiAHV_maz0-8D66zNKZM2wiKECmQ,6250
|
|
1144
|
+
nldcsc_elastic_rules/rules/windows/credential_access_posh_minidump.toml,sha256=b2NUMYZEUs8h1BB9eWfOUzsI4D7J0zq6apD3BIbpe8o,5462
|
|
1145
|
+
nldcsc_elastic_rules/rules/windows/credential_access_posh_relay_tools.toml,sha256=y9DXfzHhFsuSC-LPy_KoaSwTRQ0Ent8PfRkWaaz2amc,7721
|
|
1146
|
+
nldcsc_elastic_rules/rules/windows/credential_access_posh_request_ticket.toml,sha256=_Bkl3F0MjLYjXR9JnaLJjuKcN7XZPr-ub7ml5kRiv_A,5750
|
|
1147
|
+
nldcsc_elastic_rules/rules/windows/credential_access_posh_veeam_sql.toml,sha256=Qht0Xqy8JelaTYLJUhXEviycG4lfN97T28arm0W0G_E,6754
|
|
1148
|
+
nldcsc_elastic_rules/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml,sha256=hyX6TzSZeEYIpncq_WyREZJRs4QpwHNtusKXHyukrX0,6135
|
|
1149
|
+
nldcsc_elastic_rules/rules/windows/credential_access_rare_webdav_destination.toml,sha256=E1UEiQ5Q1gMSm3f_0p51meE4oiJAdlX1-qz9-7GN2to,3769
|
|
1150
|
+
nldcsc_elastic_rules/rules/windows/credential_access_regback_sam_security_hives.toml,sha256=IlgMYu2u6WUR_u-vjongz-rl9BhVwO82OhWHzp3xnGg,4266
|
|
1151
|
+
nldcsc_elastic_rules/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml,sha256=5XU3oqye076_WHBRMjIg9ao7S0yH3AYzrojE6DC9kVU,6881
|
|
1152
|
+
nldcsc_elastic_rules/rules/windows/credential_access_remote_sam_secretsdump.toml,sha256=pHo0i42ZPV-a7iMVjbFkbPDc50IOkdK47QiKJuhqIt4,5186
|
|
1153
|
+
nldcsc_elastic_rules/rules/windows/credential_access_saved_creds_vault_winlog.toml,sha256=b9jBSv-NxFU_eOADIOEk122YzKGZC-cQ34C3tqAK1zs,6488
|
|
1154
|
+
nldcsc_elastic_rules/rules/windows/credential_access_saved_creds_vaultcmd.toml,sha256=qiCKAB-WqljHW2Yq2f-m-JS_IfOJEov1Apeu2Ub5LA4,6466
|
|
1155
|
+
nldcsc_elastic_rules/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml,sha256=awvULFnldvqpEvnhKkPPpXsaCPLi1teJt5vc5zZCBv0,5553
|
|
1156
|
+
nldcsc_elastic_rules/rules/windows/credential_access_shadow_credentials.toml,sha256=sLuZNULJ-9W9l-WxGTr1A-jmCZTL4t9xsin5ol6bbf0,5637
|
|
1157
|
+
nldcsc_elastic_rules/rules/windows/credential_access_spn_attribute_modified.toml,sha256=-g7sIK_U5GcWID2FHKwNK-mEgz_7XUuBBtjO_ErMnkA,6335
|
|
1158
|
+
nldcsc_elastic_rules/rules/windows/credential_access_suspicious_comsvcs_imageload.toml,sha256=x8msdkYxBiyylg3B2FjIkQSSEwHUBr_E6VBQejdDlK4,8780
|
|
1159
|
+
nldcsc_elastic_rules/rules/windows/credential_access_suspicious_lsass_access_generic.toml,sha256=ntFCpKvstDWB6mlgJYyQGypLYD8ziS6XuaxKII5icuA,7769
|
|
1160
|
+
nldcsc_elastic_rules/rules/windows/credential_access_suspicious_lsass_access_memdump.toml,sha256=0pLJTbYCEuUic8_6ekSYzYrHcsZlfTFxPLO4Cxwh31Y,7198
|
|
1161
|
+
nldcsc_elastic_rules/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml,sha256=k3fd4BbEys9x8L1k1bfa629F8WY7FZKEfGDhVg0uywI,6220
|
|
1162
|
+
nldcsc_elastic_rules/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml,sha256=UrHYXOWwwhKNDFEPDL9ntiBFu6q9mk1NRiLjdLsZzIo,5854
|
|
1163
|
+
nldcsc_elastic_rules/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml,sha256=7O5szd_F1Mv9bf9z38Z_pIVsb5nHApLCH-MjlDiTEFE,6511
|
|
1164
|
+
nldcsc_elastic_rules/rules/windows/credential_access_veeam_backup_dll_imageload.toml,sha256=rnBBOHAV94UzhXLHfBaCqB07Or_ZhYOG6K5rLCs6mUs,6068
|
|
1165
|
+
nldcsc_elastic_rules/rules/windows/credential_access_veeam_commands.toml,sha256=zog-6c3oBy8CG8ft2XqPE5y4vAzqcHNJV3yOsdyg_N0,6736
|
|
1166
|
+
nldcsc_elastic_rules/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml,sha256=FkqWC77TLzL7inQOHxhTfn2uGp3MSI08W_xfcJjnteI,5975
|
|
1167
|
+
nldcsc_elastic_rules/rules/windows/credential_access_wbadmin_ntds.toml,sha256=FBuAX4oudIp72WMVkmL8ViikRNe1WZlxWIkHX0TjwFg,6355
|
|
1168
|
+
nldcsc_elastic_rules/rules/windows/credential_access_web_config_file_access.toml,sha256=qH6zzqcbC7Jqu7R5lGWHf_tSQ02lhFttjimhmjUtY24,5303
|
|
1169
|
+
nldcsc_elastic_rules/rules/windows/credential_access_wireless_creds_dumping.toml,sha256=TEb8V69y8mr4eR9g_UfA9NGqp2jSn0KmKRdHRxVumIQ,6574
|
|
1170
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml,sha256=u3vYqWy_LeTz9l-WAclUU8eqGTje6wEKwMqe69o2cbs,7890
|
|
1171
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml,sha256=x3a0x1oivXGDzofn51nrS6EcNygJC8s6_0ryYC6YIPk,8062
|
|
1172
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_amsi_bypass_powershell.toml,sha256=xxwTp0iXJYb4-BReMObdLzbS4ZHFC0A_HFRDZXC9PYg,7815
|
|
1173
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_amsienable_key_mod.toml,sha256=K2jvBK4cp6bR081jPeAMfEV0A3fiAtk4R5havHh728o,5805
|
|
1174
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml,sha256=DA9IOBA2pjH4QW5_789bemlloh1QM8eG-MF9WTx51II,5013
|
|
1175
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_clearing_windows_console_history.toml,sha256=z3FGohfCqRBVM6ulAfoMTCEZM5LrjCFNb0xRKQT9ul8,5589
|
|
1176
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_clearing_windows_event_logs.toml,sha256=K3zmE8R-oVhwdEA3gJH2IOMb-YzaFHaP2fEyOpY3l7g,5284
|
|
1177
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_clearing_windows_security_logs.toml,sha256=bmjZKhPRJu021FYDkBW8r5HopYEMJo03Nllctx7W-8E,3852
|
|
1178
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml,sha256=E6yGrwHEtAE32UvaIYgqatCCKiYjuoZOLW5o_usdwF4,7010
|
|
1179
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml,sha256=eQuF1xs8mhwsFwZKBR-7khOBCC0mtSryRzgF2A8KQlo,7230
|
|
1180
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml,sha256=xBd3vc1ztrBUYumyX1p-iYswwq4lhf9ejCZhpfyyAcs,12147
|
|
1181
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_create_mod_root_certificate.toml,sha256=A-Qrg2LeLMC2xaf_j7WfTxaO3wmV6pUwKYQybYNkX1I,9333
|
|
1182
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_cve_2020_0601.toml,sha256=PhNsWUFZvST0yrKdgae9B09u2Uow8cwRmEiOM6AKf48,5272
|
|
1183
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_defender_disabled_via_registry.toml,sha256=cRS4u81ERR0Qf1Z8t-Rxq5croAiNTLeneENZAPmPkd0,5500
|
|
1184
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml,sha256=rGXktZPA701sYPZoESTDH3cSkbaQevlZcFBfy8cJ1RU,6886
|
|
1185
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml,sha256=4xM9w0P-l4_qlRvYufVxyTzTIepx-SGWP0aGaH5TNXE,4800
|
|
1186
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_disable_nla.toml,sha256=v-xFfjkDc1xwsaQqC_xW80RG1xVviqpbxvUjXXlMycU,6623
|
|
1187
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml,sha256=HXO3XMpiNT1ePW_QCT89WqEWbGoOT9XT4u_RN8GhsbI,5705
|
|
1188
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml,sha256=nnIPAdDt1uZ-Eingp__Hw5LNU5-iWTBEXG_kprBU9eE,4076
|
|
1189
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml,sha256=KSKGAvXV_IUuLTTNjst4l_HcwUusChuX9VK8HKc0MzA,5768
|
|
1190
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_disabling_windows_logs.toml,sha256=t9_pSezRRKhzmDn7CyHciTK0VpcRsxf-UgW67g9nnas,5476
|
|
1191
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_dns_over_https_enabled.toml,sha256=wGZX8Llv007yjG6kPcBSlPy1GeNg2rdrQ3tmBZHYKFo,6132
|
|
1192
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml,sha256=RdT0EEZz9pfKiHeTd1FyuacDx5bJLRqQhjKNCQR1Lmg,6856
|
|
1193
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml,sha256=CodI7AAKgpFekckkN9iO_OMXhDejydW-9AMsdPf-fGA,4571
|
|
1194
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml,sha256=t1xgcWVPq3ncUGKRIcjPVNBa5WTMDD2aRTcAHxeABm0,4565
|
|
1195
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml,sha256=2l_WShG--om0N0VaxxSQrlqoC5LPM4BjoWM6Gavf2X4,6348
|
|
1196
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml,sha256=ZIdvbws-gs4jKlwN3zl74b2x6mVb8BldxsLYe7Ee12s,7693
|
|
1197
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml,sha256=3Ngj5XsZKyHcVbPvE6_xVgGYMsqYKM6McYLO6-p07Xs,6983
|
|
1198
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml,sha256=LNWCVIUvGEJMEXWPvInM2kHVghp4Y8kZBPIQgjg0RNU,6827
|
|
1199
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml,sha256=PJce7quaYNsjLKYTgxSZlXAd-40GhOyQ-LV80FX_mLY,6154
|
|
1200
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml,sha256=_US4K5CSmZR-JJLgx8Bhkef5RoB8lJbobrcyHB5svH4,7280
|
|
1201
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml,sha256=OeI7F0xfTvBAdAP-bW08wiI3MRUb-SplEtBPGKnt2GE,6464
|
|
1202
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml,sha256=5B1JjBE9wFtFEOJ8aqWkjuQnZeJiDW8igVmBw9NoPnc,8451
|
|
1203
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_execution_windefend_unusual_path.toml,sha256=7A1eKlt0yexoQdQDj9vl6N1GgbZg6MJpxYV7vxO7vjw,7239
|
|
1204
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_file_creation_mult_extension.toml,sha256=ovHbPm93Ci6NJQl-xjhxnESYYJENcZ8D2SH5vG3zi4k,7052
|
|
1205
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_from_unusual_directory.toml,sha256=iJ8aeBTG6KIVk9zBngltnbgUt_jj7wzPTGvlHru_Ms0,10332
|
|
1206
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_hide_encoded_executable_registry.toml,sha256=nYwB3P9213mZ2ZX3uuRsOElpoqwV7PCZ-LDaKnrn0dk,5656
|
|
1207
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_iis_httplogging_disabled.toml,sha256=O1vxQ28uaS3W3CW6AdPDw75JEfDpfDI74IEpVhbMoSs,4793
|
|
1208
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_indirect_exec_conhost.toml,sha256=pWyQchmmo9_5u9HwR3uUAP-wtPDpr8BcAlnfuhGKZsU,3897
|
|
1209
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_indirect_exec_forfiles.toml,sha256=3U4E1exv_wbWb6NaOBDx6dIJ0KguYzMz-ntPfu_5prU,3648
|
|
1210
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_indirect_exec_openssh.toml,sha256=haa5vuGskEXiwessb56I9lsW_C1AtUbsccOWy8kLEqo,3916
|
|
1211
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_injection_msbuild.toml,sha256=KaHJf_LGEb6ZhTxMQpA3P82Rt0-c94p1H-jNYW8IrE8,6360
|
|
1212
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_installutil_beacon.toml,sha256=UZvc5Hk7lr2Wrm5fhba5VYgK_joULfdSTfmn9HVmSaE,5902
|
|
1213
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml,sha256=7V6HIeM2Cx0z7CEPgT2FmI654kLyd3azSrR8pvwGeV4,5953
|
|
1214
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml,sha256=1L_MbC6n0qgRHwjfwdwjuZlKVBXsDiVaOtOHH2Q7_J4,5166
|
|
1215
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml,sha256=frvBRYQ_LC8iXipJ5Im8JtumujieS752GS9OksOrccs,7249
|
|
1216
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_as_svchost.toml,sha256=WOx6mmJvHfpP8ZzimjNw2neBSX9NDxLASHjZXwsMxpM,5263
|
|
1217
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_business_apps_installer.toml,sha256=j2KEB7Ay3jaTi0syxEyogu87ktxgzIYNF2hU2hC98dg,11678
|
|
1218
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_communication_apps.toml,sha256=LaHGL1NKjdABiXJFIj2dgmWbxGMwjiMBcZ2HA76ofLg,8401
|
|
1219
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_renamed_autoit.toml,sha256=LjiVW8uEXoIiU-PXNuCWdF08-ZXNvyv3uQuVJjhFMnY,7161
|
|
1220
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml,sha256=vRLrjK1aXPUw8ZhAk7kfskespF3BTIjtV-vThBaDotc,7393
|
|
1221
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_trusted_directory.toml,sha256=1Q-jG824A9nurKiMKICshop-TiN_AI1gdNoqjGXB720,7313
|
|
1222
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_masquerading_werfault.toml,sha256=p9WyCbWVJOHFEYYH2K9Xn1yBvO5AyZaCcQyvGA0Y75k,7549
|
|
1223
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_microsoft_defender_tampering.toml,sha256=ePc89p9GUgP5QvxIjnn3nj_Of5pYO7YPBM7RVpRPt7o,8313
|
|
1224
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml,sha256=TTVe5n_Ahqhq7Fr9aKoqKmfSQlup_t2BDrlAj3EFjXU,7894
|
|
1225
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_modify_ownership_os_files.toml,sha256=twcv5fW5Wg42EnTijcperhi2mXmUKD2iHy1Txc7WHic,4536
|
|
1226
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml,sha256=LFL2InKm4d-a-2Q00eIepI9DXVnf81RVyU6C2QtO6DA,6350
|
|
1227
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_msbuild_making_network_connections.toml,sha256=unw-Ac5qJQZKub2gJN7H-GC_q8FgN-Xk7UIXUW2sW_c,8188
|
|
1228
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_mshta_beacon.toml,sha256=M19dA1Mxm5RwTOm5OKJWIMX8qTHtFiLWZpQ8UKD_fso,5825
|
|
1229
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_mshta_susp_child.toml,sha256=CLe2eoeiXOT1GiByBeldnJIkCF2ybCFVS5wnC54uZOk,6001
|
|
1230
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml,sha256=y2sxL9lzaJymFGgvjwamjtvIKh922KFcWnW7VevmHdc,7765
|
|
1231
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_msiexec_remote_payload.toml,sha256=K_cCt9udSMsKEv0Z1scpBmhfoClo2pQkXj8AfC0Pl9w,6669
|
|
1232
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_msxsl_network.toml,sha256=yND0U96mXWuJbyt7ImTTdNz2TzZab5zn3sfE4nObRlM,6022
|
|
1233
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_network_connection_from_windows_binary.toml,sha256=cZfD0nzNcy7_fsaf9GEH6sQnWAV-Xk4tZTCj6FCR4UQ,9690
|
|
1234
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_ntlm_downgrade.toml,sha256=I0QMtsmH62BbBHhNYnVs6rkS0O1vr89yzE2sQ4Vm05M,5015
|
|
1235
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_obf_args_unicode_modified_letters.toml,sha256=oE7_1oyfB-tvtWyzYX42HjVeSqsgSnf8jOp9DeMKzKY,5455
|
|
1236
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_parent_process_pid_spoofing.toml,sha256=VJZ41spg5FzT2ZBz5ceq0eW2djHavJ6FJU1W4sjEPvk,8300
|
|
1237
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml,sha256=T6jdu2QEyVTTxJU6fL-oBuf0mncTsDVhlMVwowpaW4g,7362
|
|
1238
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_assembly_load.toml,sha256=u2gmiyxXfvrPRVgyEVW8kP4Z9RbZrSpJm2x6v8PYcfE,9935
|
|
1239
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_compressed.toml,sha256=XOWQ8kHTh2dO3XxH0jkIMiN2psYQNLk1tVuFnZrQwpA,8838
|
|
1240
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_defender_tampering.toml,sha256=H7mJPSpYXBsCUHCh4LeBwYpJIH63u74Rg92viCwK0u4,7756
|
|
1241
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_encryption.toml,sha256=MQ9N2-3oBvRn_4oDb_nuzsE3AikOwuNotuXnCZOOou8,4808
|
|
1242
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation.toml,sha256=3GMIlxL6uLxopELtFNemyD_wXa9A0lRdgQA_mnMZRi0,7210
|
|
1243
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick.toml,sha256=5up_YdsYqQDy1hogwGVVPFl53F6ozoSFyhaPqSJGCyQ,8516
|
|
1244
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml,sha256=ozd5RUQy64yPC3TLhahFE5BzeoBAlIjXAgfTUziGIHY,7755
|
|
1245
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml,sha256=M4X_HRO_da0PMznobkaAeig3ufXUAKrKzqmFLsjrBXM,7579
|
|
1246
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml,sha256=ao5ZlxvVFQ6BCRLNqOoZrDE_u63vlj2RPaY8U3aSUzI,7585
|
|
1247
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml,sha256=uSIV23uVHCG8w4dOBqJKOLp7NG8Oack8W4ZNRPAO1wQ,8724
|
|
1248
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml,sha256=TkWuTs6I2PEj4T2dVplw5G0LD4c0Gd2PHB4XIcKHF2k,7872
|
|
1249
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml,sha256=L4-0_uAAzaWJslVY-ZiM21mdB5MH_it04Ow4cCWkvZ8,8270
|
|
1250
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml,sha256=7VBif_aCoodwGDl25wObmsEl1PdLZ5Ip9UXZtZ1iCwQ,7630
|
|
1251
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml,sha256=lVazgVc9FTHDtlTo-MnmOa3wINYh7CJu9Gb3Ks83xa8,7691
|
|
1252
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml,sha256=y4VL4u2-rs0xBrCl4MF7nOnd6obq_JrZcniCLKwl6Ac,7818
|
|
1253
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_string_format.toml,sha256=lByx_whxoaBNgYOtYzNTqYWyrWlMVZt5h0Qj4QNlA7o,8493
|
|
1254
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml,sha256=73kD8DvxAAt1yM6DfNmLfI9zeB6uFDXzs4ymgkOzj1s,7852
|
|
1255
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_posh_process_injection.toml,sha256=8_uM7jgoKG-Va_IXEEYJziDf-YjDdKRnVOWi_x0yPUI,6831
|
|
1256
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml,sha256=am79dz3gAQf4ByzAl7vlv9jEnROtTepQl17hraYTH5k,5851
|
|
1257
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml,sha256=OjV5NTzP8zJbDst8ZBtqAogYc7q-iKrm5DBgX59SW-c,8423
|
|
1258
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_proxy_execution_via_msdt.toml,sha256=1Iz_8gB8Nc9vXF38AZDEUcuAM296PwoYAzGAI39HCf8,6930
|
|
1259
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml,sha256=NzVhm5SYxa7qO2i97Q3BQErCIgGEKOqkP2US0846A3Q,6868
|
|
1260
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_regmod_remotemonologue.toml,sha256=da2Ije8evHBR9OUhUeSWBRlGVSlLT5yfWi0E3VDAY1I,5372
|
|
1261
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_right_to_left_override.toml,sha256=AQsFNVVW-R8EjotOa_V3p78hQLHO5bOWkJpvm44615k,6553
|
|
1262
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_root_dir_ads_creation.toml,sha256=e7Jvr7aImnA1iEZfenqMK6ROkm6GCPWz0FfX6erKHDI,6122
|
|
1263
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_run_virt_windowssandbox.toml,sha256=uRXXqt_phf_qZq9Xrs29e1dZ6vbjAI9GIdSLRGkJzDo,6489
|
|
1264
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_rundll32_no_arguments.toml,sha256=eAgWv0d8l-9DMRS3IM2WA9JFkT15aRmfRYJsvX381ig,7646
|
|
1265
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_sc_sdset.toml,sha256=9A9RSf_-68PQPDqRl7DY5pNhMNC2iE8u20dtuRzavsk,6841
|
|
1266
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_sccm_scnotification_dll.toml,sha256=uvnhItoYwlIdevC52yczeQzZrW-Xy-d_QiQR1Lv4CNU,5183
|
|
1267
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml,sha256=Gs7gHCniulkjkXATKqPNiPfueBIpKhplY-8fu9XCMZA,6377
|
|
1268
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_script_via_html_app.toml,sha256=HPUn1ahYN8LH1fLcNZn3HUuZIFI6sPcUY-YaT092Bwk,7584
|
|
1269
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_sdelete_like_filename_rename.toml,sha256=aCL1Yx5TElh_k-BfNqccxZZvhMn7e40dRWSVay-rAnU,4831
|
|
1270
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_sip_provider_mod.toml,sha256=4d1kKEoMNLU3Y7RHiuqumwbcELh5pN8TWKQMIRKFUf8,6571
|
|
1271
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml,sha256=S5IzTxyOpDOTQkAVvodIcDI_KDAY6fonh2JFbmowuP8,7272
|
|
1272
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_certutil_commands.toml,sha256=mTaNP1zEBHLEsUECHLUgBDrd498WcUa6-GpkLguR1KM,7534
|
|
1273
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml,sha256=H2rR2RNnhxWJHikCUDXNEW4wJX86itLKPk-jGAM_gcc,7339
|
|
1274
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml,sha256=0KtPjjJmzi6_tvXvEEBn_rginTEE48B6pefrMm80inE,6050
|
|
1275
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml,sha256=HdOwBb3aEKj1lUtcaLZBd9si-1rg9mO2PiPpvI12aoM,8928
|
|
1276
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml,sha256=8BAvgVkbqxlFPZ7ub1kD_4xvrKWO2APFhjQ0vtsqDlM,5035
|
|
1277
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_scrobj_load.toml,sha256=m9gOiWWP1O0nBOpIM2n7xf5SNEb1Geow5key6tMF_i8,6214
|
|
1278
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_short_program_name.toml,sha256=vYaoHhlvwtWNGv2eGxMW88bVEKyS1EX78xKwgobY5gs,6584
|
|
1279
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_wmi_script.toml,sha256=EqJoH6VQvaPWIiiNm0GYZCw87GKHDqvwH-I6h6z4Bb4,6330
|
|
1280
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_suspicious_zoom_child_process.toml,sha256=t9aVHa3nPGnq5zriFYfR3M3880CVIF1rRXP2FDp8csg,7337
|
|
1281
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml,sha256=G3pBiBPH7pliXYPPNRJtf8VW5B7hu9on8ECOoJ_2pWI,7204
|
|
1282
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_timestomp_sysmon.toml,sha256=bF366aHuM0yup14J725Z0QUQREhjNxCCSCbVCorljjI,6380
|
|
1283
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml,sha256=qna-gjd9dkAw86cjHGm3liOy00gLpKQED0zKKboqFrI,10175
|
|
1284
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_untrusted_driver_loaded.toml,sha256=lzlcToq_Ifgyo74fDO2XcnSPjgrGifJ3DOchv2uDoSQ,7390
|
|
1285
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_ads_file_creation.toml,sha256=UJqTbuFsVBFaX6qK1R8go1R54W9O5mP-qp28ETdPkgk,9920
|
|
1286
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_dir_ads.toml,sha256=d9_AVjW57h62EmShdJZ68r-qA1W_VVSbVzAPTih3kjs,5742
|
|
1287
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml,sha256=KnrlZkb9QbggGSgq6-feTNXxSjOGqz0v_r33RDmL7So,6006
|
|
1288
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml,sha256=2aTFUA1a1LmP7at2lA_skHiidlWtLMy-aro6lwfP4Mg,5452
|
|
1289
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_process_network_connection.toml,sha256=yX6Ophmpkpzel5lGktE9SRn7vBL0cBAYTCWGa9gBwvk,4647
|
|
1290
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_unusual_system_vp_child_program.toml,sha256=D0gyOcS64wZ9qOBS-YX4dJIQ3-WNmNcSr5IXa_vqr9M,5979
|
|
1291
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_via_filter_manager.toml,sha256=YIAWTd_tXAFXDg9gA29QKnqpsJNVMD25BZAZFLsanLI,7807
|
|
1292
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml,sha256=gNMVWqo-oD_fMzMxlWivneh2Mn2GznaC0fpQk8RI-uY,4207
|
|
1293
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_windows_filtering_platform.toml,sha256=vp6IPNfz6MMHHg3tOtK3STacneRVfNraPdC1YUb44uo,10801
|
|
1294
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_workfolders_control_execution.toml,sha256=RrNWQAHunYKEN9cgxqPAQOCXT3gd-JPV13a7VDupiqk,4870
|
|
1295
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_bash_exec.toml,sha256=puYptvYAfibK6l9D9JFCiZLqdyEdcmZqiWNaDhU5cDY,7079
|
|
1296
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_child_process.toml,sha256=oYFiLyUA-Tidjg_kykjJurLs4OFAQK0PjoqRJrvlP30,6694
|
|
1297
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_enabled_via_dism.toml,sha256=UesneOswq1R7iocJo8vg9QLaxl88WgiTXKvj3KlLFjE,4790
|
|
1298
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_filesystem.toml,sha256=paHIABZd3o1aKb-ZLDYOxPxYVMT6ogdThiiYNJeiqPw,5641
|
|
1299
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_kalilinux.toml,sha256=7294lxGdAu9mtl33cvpYWPkgVkUPdqPuxw05IehmkFA,6609
|
|
1300
|
+
nldcsc_elastic_rules/rules/windows/defense_evasion_wsl_registry_modification.toml,sha256=HOBOA2c-daK49hs6kOSFeCwiXuk-MF1yJrVGCJ7f0Ww,4979
|
|
1301
|
+
nldcsc_elastic_rules/rules/windows/discovery_active_directory_webservice.toml,sha256=eZHSHkw703rfmtDtdjCXfgOIFji3anbPm-RXPvAhHj4,6129
|
|
1302
|
+
nldcsc_elastic_rules/rules/windows/discovery_ad_explorer_execution.toml,sha256=Sjm0lrn1mK6Fu3ec9yq-WKFNiJGkqbVLYhfSRXn46U8,4843
|
|
1303
|
+
nldcsc_elastic_rules/rules/windows/discovery_adfind_command_activity.toml,sha256=3Ll9ppcq4JywqUcNANuQioo2hkvdqCTOsn5ML_W-jhU,6873
|
|
1304
|
+
nldcsc_elastic_rules/rules/windows/discovery_admin_recon.toml,sha256=Pakn_fc5BIi0YEv8JZ0ZoMlSIep30_ztxJpOrHLrBQE,5295
|
|
1305
|
+
nldcsc_elastic_rules/rules/windows/discovery_command_system_account.toml,sha256=CfHAemH9rU1mPUtJ4-Kyl9SJ11qU_byhbGl00ds6Atc,6307
|
|
1306
|
+
nldcsc_elastic_rules/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml,sha256=mGjX076dCRw3OzcpnABV4DHAxjCwNbL-QV5CPGworTc,4698
|
|
1307
|
+
nldcsc_elastic_rules/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml,sha256=8RgkXdZSD_9dBZKXzdFacySiYG0nmAanTQa-LfSDTaM,5041
|
|
1308
|
+
nldcsc_elastic_rules/rules/windows/discovery_group_policy_object_discovery.toml,sha256=6ULB5GD46JX88TLugEYL1zf5ajAR9M4xaZtsyDPrBpE,5131
|
|
1309
|
+
nldcsc_elastic_rules/rules/windows/discovery_high_number_ad_properties.toml,sha256=FVs-8mEVY1HT3nvjso4b27W8hB5__lHXbERWlVFeNfE,5822
|
|
1310
|
+
nldcsc_elastic_rules/rules/windows/discovery_host_public_ip_address_lookup.toml,sha256=OmyinbFOqLlMLwKsOVW_AVR4FFJFs26vEW4QX7piOxA,5677
|
|
1311
|
+
nldcsc_elastic_rules/rules/windows/discovery_peripheral_device.toml,sha256=e0pasFK70AAHYXvfhJuoWi6oM9orXQZljUEO4BIWXSc,4309
|
|
1312
|
+
nldcsc_elastic_rules/rules/windows/discovery_posh_invoke_sharefinder.toml,sha256=efMdgLb3FQiClKOXR9w7VbeqVF0Aqrf-7wst_AOaBjc,5870
|
|
1313
|
+
nldcsc_elastic_rules/rules/windows/discovery_posh_suspicious_api_functions.toml,sha256=x1ZMdayjsLuR9gWqMSANTBDEt4fzgPNuA99p3JXb6F4,7638
|
|
1314
|
+
nldcsc_elastic_rules/rules/windows/discovery_privileged_localgroup_membership.toml,sha256=qCDINzI1hZJzJQufk4BnwDx_MzAkpNV-xL2aDqD62iU,10610
|
|
1315
|
+
nldcsc_elastic_rules/rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml,sha256=LbOMIoIGOTu7QBSmRYPk6XRAdVnUV4VxmxRP8q-z9tc,5734
|
|
1316
|
+
nldcsc_elastic_rules/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml,sha256=vBV-AqxwuWPgK_MiGVvK3VhkZ2e9idD0u-HLo4KQBXg,5342
|
|
1317
|
+
nldcsc_elastic_rules/rules/windows/discovery_whoami_command_activity.toml,sha256=ZiSmLfsT28O-EhmiIgkZ-uOD_ZPUG38FJ77drJqWT9Q,5471
|
|
1318
|
+
nldcsc_elastic_rules/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml,sha256=UNKozCBeuEku94tos5JqwAax1e89TMktriajD9ro6mM,7436
|
|
1319
|
+
nldcsc_elastic_rules/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml,sha256=soMDgJ9mny9YGN19iItkxZnBQbUBqISETaZwoGhXoww,7032
|
|
1320
|
+
nldcsc_elastic_rules/rules/windows/execution_com_object_xwizard.toml,sha256=g8_UOIiMfV5CVzvy2HyVfA-qTO344rF_DHwrtXDyND8,6688
|
|
1321
|
+
nldcsc_elastic_rules/rules/windows/execution_command_prompt_connecting_to_the_internet.toml,sha256=c3eR5aFK2UAVbBrmG9flqpf1Tm6ScGkP-zQrVhknBEM,8172
|
|
1322
|
+
nldcsc_elastic_rules/rules/windows/execution_command_shell_started_by_svchost.toml,sha256=4MGARmc7EvH5liSlU93y5VKlW2SWocE2WoDMb7QIcE4,8534
|
|
1323
|
+
nldcsc_elastic_rules/rules/windows/execution_command_shell_started_by_unusual_process.toml,sha256=R3m3cNawp8y9rAXja6gnwRhpuGAWYrbQPAC_2iRtS0A,7122
|
|
1324
|
+
nldcsc_elastic_rules/rules/windows/execution_command_shell_via_rundll32.toml,sha256=l_J8i2Zg32z6fwJedx49b5WJd-ZEeRGka-_uh1l4Ybk,6608
|
|
1325
|
+
nldcsc_elastic_rules/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml,sha256=IPytLKsHkI2yqR_MdqWdnTwqW1dF5JLqBsaP8p1oF20,9032
|
|
1326
|
+
nldcsc_elastic_rules/rules/windows/execution_downloaded_shortcut_files.toml,sha256=kBrvs0VjryyCZ5EkNxDzlDnL1ANsCG-xFRWtKNXcz8g,5577
|
|
1327
|
+
nldcsc_elastic_rules/rules/windows/execution_downloaded_url_file.toml,sha256=oPpSCfeIGyAd5oGnVnCP2qOdlmVhGa-cIKKJ0vJEnjo,5484
|
|
1328
|
+
nldcsc_elastic_rules/rules/windows/execution_enumeration_via_wmiprvse.toml,sha256=2GT1vfvc8R5Q0iRA1irPtiOZprOebiGRBdFzvbddOrA,7381
|
|
1329
|
+
nldcsc_elastic_rules/rules/windows/execution_from_unusual_path_cmdline.toml,sha256=8BxUTbOdIJpUtADoXEQntY3wjkp6QciTHGhBBmkO-KA,12174
|
|
1330
|
+
nldcsc_elastic_rules/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml,sha256=u8SPJyERVtvQ5RPoT3K4ESvMDEW8inuBj5SFunM4dqw,8778
|
|
1331
|
+
nldcsc_elastic_rules/rules/windows/execution_initial_access_foxmail_exploit.toml,sha256=slLJWsy3407bImrRqjWyaw9pVkj3nTY6OfDO5HSpL4w,6394
|
|
1332
|
+
nldcsc_elastic_rules/rules/windows/execution_initial_access_via_msc_file.toml,sha256=5oemDsqMX0qqarn2HuZSRbUGeIHekt9WmtYas8uP5Xc,5332
|
|
1333
|
+
nldcsc_elastic_rules/rules/windows/execution_initial_access_wps_dll_exploit.toml,sha256=AFWn1tkQOm9VE7XZygQ42adpIqeGo3htbQnw5UiWIok,6432
|
|
1334
|
+
nldcsc_elastic_rules/rules/windows/execution_mofcomp.toml,sha256=_at_pdfpImMrb1p1IN3mxlS7r7yi_dcscBOkTFwatk0,5921
|
|
1335
|
+
nldcsc_elastic_rules/rules/windows/execution_ms_office_written_file.toml,sha256=fMnUyxhLwpy1-qrf5ynsdWZwKY7V2YL2z3qr7y3-nY8,6419
|
|
1336
|
+
nldcsc_elastic_rules/rules/windows/execution_nodejs_susp_patterns.toml,sha256=uP8ICm99MNfB-aM5NRoqrT1lOpdNxP0GUbv2dSqoOB4,6096
|
|
1337
|
+
nldcsc_elastic_rules/rules/windows/execution_pdf_written_file.toml,sha256=098rzQC6ck864jO0ey8E4KkE0H6tzXNJ7PfwNgMp-xo,6087
|
|
1338
|
+
nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_authors.toml,sha256=nF3f5ZfGXOx_SDqVkbnEtZG7NxmNDZ208g_HCgk5ROQ,7347
|
|
1339
|
+
nldcsc_elastic_rules/rules/windows/execution_posh_hacktool_functions.toml,sha256=md9pah_plTv-C_KUXLQ9XsYlz2OWLinX4jR6YB89Jrw,18988
|
|
1340
|
+
nldcsc_elastic_rules/rules/windows/execution_posh_malicious_script_agg.toml,sha256=Hg2d2tF7i3AsH8iHg2DeLt_uiGUOral-KxDvdQouOow,7881
|
|
1341
|
+
nldcsc_elastic_rules/rules/windows/execution_posh_portable_executable.toml,sha256=1c5RzfLHsb4LmNTIilvDgaZxru4_DOvWesmBvewvMxY,7999
|
|
1342
|
+
nldcsc_elastic_rules/rules/windows/execution_posh_psreflect.toml,sha256=UjH8AiNIE_1DYEgavEGqoY9qtIBEF40cgj7nJlMaAW8,9211
|
|
1343
|
+
nldcsc_elastic_rules/rules/windows/execution_powershell_susp_args_via_winscript.toml,sha256=M8IdVDLUM5izHsVqE4V_FbHaIwYr6fi7WT_j5wIhd5Y,6347
|
|
1344
|
+
nldcsc_elastic_rules/rules/windows/execution_psexec_lateral_movement_command.toml,sha256=UkS2etnO--R8YsIif4zIHhaQTSc4hcq5lccc9f67ysk,5744
|
|
1345
|
+
nldcsc_elastic_rules/rules/windows/execution_register_server_program_connecting_to_the_internet.toml,sha256=6gyNAcHyRYLYV3Bkt19TuqZxS6-PIQV4ynYWWH0RtLg,8533
|
|
1346
|
+
nldcsc_elastic_rules/rules/windows/execution_revshell_cmd_via_netcat.toml,sha256=_iPOjO7tXhpz4NuPOWEz3rXyO43HRPUp-q1pMcEiSFs,3914
|
|
1347
|
+
nldcsc_elastic_rules/rules/windows/execution_scheduled_task_powershell_source.toml,sha256=Ukii3UFyN-UBXR38e1nx4343xfuoLNvbXsLrfjPkn6Q,6366
|
|
1348
|
+
nldcsc_elastic_rules/rules/windows/execution_scripting_remote_webdav.toml,sha256=9aqVUlUCElNddS9-paTMmLcL__r5Ffs6ewsdKmjNlpI,4678
|
|
1349
|
+
nldcsc_elastic_rules/rules/windows/execution_scripts_archive_file.toml,sha256=250EUSRKlflfvfXXb2STv_7gxNWtI4tcieidmg1UxB0,6740
|
|
1350
|
+
nldcsc_elastic_rules/rules/windows/execution_shared_modules_local_sxs_dll.toml,sha256=6KtKP1sQpMPG2P8t5vsAY_Pxgb7S3yH3E--ty6m3I1k,2235
|
|
1351
|
+
nldcsc_elastic_rules/rules/windows/execution_suspicious_cmd_wmi.toml,sha256=-4Hoo7imXX8xOa6_S8vyRVgzGLrSFxs7WR4pBTFUpEI,6678
|
|
1352
|
+
nldcsc_elastic_rules/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml,sha256=oXZSLLYVYGDhKu4z2yv1-EGT3ncczzOtud0NE1EmRN0,6229
|
|
1353
|
+
nldcsc_elastic_rules/rules/windows/execution_suspicious_pdf_reader.toml,sha256=bR5Jv4nTWhGA98t69DzpaPnnGqn4WtGzC80oW1d3paI,6756
|
|
1354
|
+
nldcsc_elastic_rules/rules/windows/execution_suspicious_powershell_imgload.toml,sha256=PAfMKWXaK25pV0A6-CMPKyHqHof245I3HEfJgqlE9T0,6644
|
|
1355
|
+
nldcsc_elastic_rules/rules/windows/execution_suspicious_psexesvc.toml,sha256=ic2nrCsXMZniME32tkpy4HNMdo1-CTEqQ_04HofZmFE,4908
|
|
1356
|
+
nldcsc_elastic_rules/rules/windows/execution_via_compiled_html_file.toml,sha256=wdu_WI5h7QgX_3BspesTdTlszCl-G5nBfrIaLbMH7oc,8522
|
|
1357
|
+
nldcsc_elastic_rules/rules/windows/execution_via_hidden_shell_conhost.toml,sha256=A0XLi8MarYpc3HKALpWHwvxkUSzoMQJyloHhjHGI2Rk,6406
|
|
1358
|
+
nldcsc_elastic_rules/rules/windows/execution_via_mmc_console_file_unusual_path.toml,sha256=coOcynWXWswe_RY2uWRjyJ6uTSU7XDM4QbXTb7IiWaY,7089
|
|
1359
|
+
nldcsc_elastic_rules/rules/windows/execution_windows_cmd_shell_susp_args.toml,sha256=d4VzL7AyXFmmQ8MJpyXJUNBB_LSAsn9-i3viQ6Qa8jg,10526
|
|
1360
|
+
nldcsc_elastic_rules/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml,sha256=30e8gROm412sQcxTLcZwS6BOTIgVne61ajBkvIF4aLU,5687
|
|
1361
|
+
nldcsc_elastic_rules/rules/windows/execution_windows_phish_clickfix.toml,sha256=mhz5fOI0RpiWb2FpH8f22si9HtL0wzfhSwWNRC2jaV0,5564
|
|
1362
|
+
nldcsc_elastic_rules/rules/windows/execution_windows_powershell_susp_args.toml,sha256=kVLxv6X1_OTu3wpEUzF3jREsTTPScOYXSDavIro73LI,8623
|
|
1363
|
+
nldcsc_elastic_rules/rules/windows/execution_windows_script_from_internet.toml,sha256=bYCGWdYdNAzfSV_7s0r19LLz7Xm4740Wzo4p3bgnOp4,7345
|
|
1364
|
+
nldcsc_elastic_rules/rules/windows/exfiltration_smb_rare_destination.toml,sha256=_wtLhQ8pARBL-l3mXfop7qSOblDv8jxXviSqPWCGEhs,6530
|
|
1365
|
+
nldcsc_elastic_rules/rules/windows/impact_backup_file_deletion.toml,sha256=2xNOIQuekfe6RxkxyYHG706ozcO_HcMlQc6An8xKR9U,5553
|
|
1366
|
+
nldcsc_elastic_rules/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml,sha256=1Od1FkY5Osw6bnVJVkMrmp7xQvm3uZYPnNtIuxAiHHM,4807
|
|
1367
|
+
nldcsc_elastic_rules/rules/windows/impact_high_freq_file_renames_by_kernel.toml,sha256=EcVXU0usKaWvgfrvkBPfObjNezuYzn4vl7GFX9pNGJc,4975
|
|
1368
|
+
nldcsc_elastic_rules/rules/windows/impact_mod_critical_os_files.toml,sha256=XC4_wpBSJMD9T2lkaWNU19-lQMiRAEuwu4IyG2L3qQE,4214
|
|
1369
|
+
nldcsc_elastic_rules/rules/windows/impact_modification_of_boot_config.toml,sha256=p_xQQaFrLRDa2y9GSyC2H-KDpP3f6xZVhQpW2ZVRr5s,4605
|
|
1370
|
+
nldcsc_elastic_rules/rules/windows/impact_ransomware_file_rename_smb.toml,sha256=yuOkSMN7HB0IG3yZ_K1g3OWIfU6B9mNdrpe3SKvMcA8,4744
|
|
1371
|
+
nldcsc_elastic_rules/rules/windows/impact_ransomware_note_file_over_smb.toml,sha256=HjYDFOX4vpan1X3ElPd4V1Qy-AdHOQSmAbfZflvIVsU,4625
|
|
1372
|
+
nldcsc_elastic_rules/rules/windows/impact_stop_process_service_threshold.toml,sha256=LDad3pb85c60JYoO4xEhMHNWGJQOkAehbWlYySHpfAg,4251
|
|
1373
|
+
nldcsc_elastic_rules/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml,sha256=6o6d3tN57CKggjtetenudPo_t0GFDqkz9QYGKZ-eK3A,6138
|
|
1374
|
+
nldcsc_elastic_rules/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml,sha256=CYA8bXjDIvP9LIUa5qPjOE-zkkekmm2oGq3KRpgWuuQ,6805
|
|
1375
|
+
nldcsc_elastic_rules/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml,sha256=qePq_WqWQjh-yqaFlqOEo1Prcpc9G6SdUpfqMa4kCRw,6227
|
|
1376
|
+
nldcsc_elastic_rules/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml,sha256=xpUAEkFc1-iWrClJdKEZADRro0XO9Z8IUOACXuDJLk0,8615
|
|
1377
|
+
nldcsc_elastic_rules/rules/windows/initial_access_execution_from_inetcache.toml,sha256=St0s-hodAJk3gPP0Nfy7YTVzJ5Lc1GUVMMVsB2scz_E,7248
|
|
1378
|
+
nldcsc_elastic_rules/rules/windows/initial_access_execution_from_removable_media.toml,sha256=-ivRxxTMZL9_Av4RCI08Itn-sJTHzJQCNVbM8OkyuaE,5929
|
|
1379
|
+
nldcsc_elastic_rules/rules/windows/initial_access_execution_remote_via_msiexec.toml,sha256=YpUOCGGForsbJTcGewZqI-v61lSmxZu7j36f3YzWl00,8419
|
|
1380
|
+
nldcsc_elastic_rules/rules/windows/initial_access_execution_via_office_addins.toml,sha256=9N1AKA3-oXUrQMf7fZTdC5h7YSvCK8VgFQp1ySbz-Jo,8435
|
|
1381
|
+
nldcsc_elastic_rules/rules/windows/initial_access_exfiltration_first_time_seen_usb.toml,sha256=h4u7saCsLJMSHZiMRO22F-oQtlWOFF7GTMPh19CRcfs,6179
|
|
1382
|
+
nldcsc_elastic_rules/rules/windows/initial_access_exploit_jetbrains_teamcity.toml,sha256=sVFLXGry7649R07fftCtmre12RiLdOIrLPQS_sgT7bo,8312
|
|
1383
|
+
nldcsc_elastic_rules/rules/windows/initial_access_rdp_file_mail_attachment.toml,sha256=wZVayAcqomUSOuFChxajSHr6B6Grwi9jtMd65fYGHIU,6738
|
|
1384
|
+
nldcsc_elastic_rules/rules/windows/initial_access_script_executing_powershell.toml,sha256=4zCgBbWrC_gy54rghqp3lL8vgtqTGCHfsQGgJwUm5Rg,6172
|
|
1385
|
+
nldcsc_elastic_rules/rules/windows/initial_access_scripts_process_started_via_wmi.toml,sha256=sH6JR5fiJnujcYPGyHmoAL60muueSRwRFgP6CHMhov0,7350
|
|
1386
|
+
nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_exchange_files.toml,sha256=UtWxZ8dd390xlJe99VzMvDZwcXHEzpM_ymsHjBs8r78,3950
|
|
1387
|
+
nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_exchange_process.toml,sha256=3TtfdzAbCServFNM7MOTj4XGlJt1ex5oypkepIuaV2Q,8241
|
|
1388
|
+
nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml,sha256=VpXVpiCdgoreMl92vhEVKXNZzmb22wsQ26x-SI07zEU,7550
|
|
1389
|
+
nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_office_child_process.toml,sha256=hdL6L6bSAC2sPWMQBbtHJLuCmGYQa0ZN5LvcKeuK8Z8,7900
|
|
1390
|
+
nldcsc_elastic_rules/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml,sha256=gawfeD2jrcx8aFY7zGvaeuayatbfoWNfde2qe_ZK6dY,7158
|
|
1391
|
+
nldcsc_elastic_rules/rules/windows/initial_access_suspicious_windows_server_update_svc.toml,sha256=LEv4S7HT4zY-LhWxoEhCyQwbsheC8ztjbgXQrYpQ7ZE,5430
|
|
1392
|
+
nldcsc_elastic_rules/rules/windows/initial_access_url_cve_2025_33053.toml,sha256=cmmLNonNSdmBbAvMLW-0xMvE9FetE5VquUtFb7pWrfs,4665
|
|
1393
|
+
nldcsc_elastic_rules/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml,sha256=Y1YQkZVZt9rtJvgFz7Z5lIfRcpUqDXS-Xyoi22omv2M,7969
|
|
1394
|
+
nldcsc_elastic_rules/rules/windows/initial_access_webshell_screenconnect_server.toml,sha256=cNqxe5irmQ7QVNHqh5jzJCpeejD6_4bU22N7bsARH0g,7010
|
|
1395
|
+
nldcsc_elastic_rules/rules/windows/initial_access_xsl_script_execution_via_com.toml,sha256=NoSSCuAYQHs8QrjiLBQdGkE0YyLcqNHff2OlA9SzNW8,6533
|
|
1396
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_alternate_creds_pth.toml,sha256=qFnnTafyct_DTY8T7dDcTgztcIioPDTYkTdytfyzVmA,6014
|
|
1397
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_cmd_service.toml,sha256=9G94e6Y3KmSsquCqUFQMEOdRh6PlhxM31EQO5OnSLxQ,6500
|
|
1398
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml,sha256=LSpcZbrtQUaxzsNBJpoy0E9UrjrjQ-bq7QRsFW0tHM0,5466
|
|
1399
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_hta.toml,sha256=gEpTvWudeoZStefuMe6tDmKibtQNtk_KhpeYWT7Br3U,6639
|
|
1400
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_mmc20.toml,sha256=S1HB9Ld0M7TMSU3tjFbED_DemqNR7AKbj8tLveR5Cl8,6445
|
|
1401
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml,sha256=_MIRxeTLGXDjHnYJQgGv5Da-MLcwffJ750sjz1quMlQ,6325
|
|
1402
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml,sha256=ZJCl6KzuIkoYQ2UHdNEkVTSFTppLhB6Vvla5pubpHfE,6698
|
|
1403
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_direct_outbound_smb_connection.toml,sha256=h6Lz6mbGtRuMR2P4Q2DsjzSfaiSoc7dFiCbbWBF3c-c,8389
|
|
1404
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_evasion_rdp_shadowing.toml,sha256=d9mjpw2BfOTbnmaqjiAcwGRPvsugAxUTD0k0FBEoBK0,6586
|
|
1405
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_executable_tool_transfer_smb.toml,sha256=CzhkNIUTzxiFD4WMA9_XqXu-0pPbohnOWF6PAkM2GKE,5226
|
|
1406
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_execution_from_tsclient_mup.toml,sha256=Se2Wq3Ze0t1JX0-ZHzXJYPVEcSImReZ8YH4CNcGamXw,6139
|
|
1407
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml,sha256=L8QVfLJlmFk9kx0QVAkLE81K7I7UuQJK5OLwBqvfVNE,7545
|
|
1408
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml,sha256=Z1wQLbJ69Yo0kp5-18gvJfW4Rxe2CNWJb2QwxKLzHq4,6130
|
|
1409
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_incoming_wmi.toml,sha256=X-ST6KFz9EiHw5Vr64PFL0I9zC52LwgGRF7S1RDWKNE,6982
|
|
1410
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml,sha256=jDtlhgzz1As5YeTGc3k3VL0aNJMY89GC4ENVZ6XMjmk,7035
|
|
1411
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_powershell_remoting_target.toml,sha256=1nrfmGWaYohRxMnjtpfpMKYqzNuom7qW_qJ62eHFhX4,6744
|
|
1412
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_rdp_enabled_registry.toml,sha256=M3-fEtX-W4sNCwu8sAQAyc7nLbxbF5sdEaWwOoDvoIM,5570
|
|
1413
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_rdp_sharprdp_target.toml,sha256=8TpR6ecUn1w5QA6SVYZrYOKWPrvdliKgYSo9E0YJvPk,6678
|
|
1414
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml,sha256=ZLOPt0HXWRetgToQ2WlSoS5H-hJwY41D5BpOpDs2fak,6004
|
|
1415
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_remote_service_installed_winlog.toml,sha256=XKrC5WwooOdlfknHVaa19T0voPxHslbZ09U6-Vlijis,7696
|
|
1416
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_remote_services.toml,sha256=u1u1CINBlmKFGbPHr-82QLnTzXgwX8YcnNQzQMoZrfI,9595
|
|
1417
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_remote_task_creation_winlog.toml,sha256=9adwBkanumF87DWPl5FqaXzWm-0muxS-mH_Gam3ZlK8,4112
|
|
1418
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_scheduled_task_target.toml,sha256=Lc68YQgmB9uPms2zDD_bUcdFIGsnXDXWXBEUUKvKk-8,4768
|
|
1419
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml,sha256=ygBXLX6oPAfyi5CHQmQ0Ma3vGH3Y1jbxdt7vpa7bPsE,6706
|
|
1420
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_unusual_dns_service_children.toml,sha256=_zYzWEUS5w1MdYEPphXVJfUK5D1HlyNk7lo4vZ_zguc,6342
|
|
1421
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml,sha256=oKkF_nhf1x63kCDYR7rNP3zSKlXcbuk2wl0E7OlAnO8,5880
|
|
1422
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml,sha256=nQtCpnS_IeeyjXLk2-WnXgzL1BG-kDJoKH6P3toaGwM,7181
|
|
1423
|
+
nldcsc_elastic_rules/rules/windows/lateral_movement_via_wsus_update.toml,sha256=b_vlfgglV26zGuiA8WfQqm9RiS1RbBA4s04XWAONT_c,6347
|
|
1424
|
+
nldcsc_elastic_rules/rules/windows/persistence_ad_adminsdholder.toml,sha256=8-gJSzOvxfB6IX-VgSyCI-WKELD1s28MoFHdAxEVicM,6257
|
|
1425
|
+
nldcsc_elastic_rules/rules/windows/persistence_adobe_hijack_persistence.toml,sha256=lJKEBvl7KlIfyD7msw4sxltWXuQJ1xtegUd61_MFz-Q,7347
|
|
1426
|
+
nldcsc_elastic_rules/rules/windows/persistence_app_compat_shim.toml,sha256=7sny3AHhPTiCeo2R9IzRPcrbp2PlqkHjzmzt_iUzW2U,6838
|
|
1427
|
+
nldcsc_elastic_rules/rules/windows/persistence_appcertdlls_registry.toml,sha256=oqyEWPuHdLNTdM-lGMtWrFapC6MDIkDgKCWQQ2R2zqQ,6977
|
|
1428
|
+
nldcsc_elastic_rules/rules/windows/persistence_appinitdlls_registry.toml,sha256=6o_KRcTnOhbEwY2WdNXEdEZli9y9Dw8QtmV90Lr0jc8,9499
|
|
1429
|
+
nldcsc_elastic_rules/rules/windows/persistence_browser_extension_install.toml,sha256=Is5Iv1kjagauttUHw_LrwNFcD4Kb3J09AnJzIyzrjrc,6019
|
|
1430
|
+
nldcsc_elastic_rules/rules/windows/persistence_dontexpirepasswd_account.toml,sha256=AZXaI7PI9rdgkzslU1i6XrxQ0YJN6bHxapWQc22nRLU,5129
|
|
1431
|
+
nldcsc_elastic_rules/rules/windows/persistence_evasion_hidden_local_account_creation.toml,sha256=S_iyl_wqONlSR00uS_CGllonqvXpLPgS9iAUhXg7PQM,3930
|
|
1432
|
+
nldcsc_elastic_rules/rules/windows/persistence_evasion_registry_ifeo_injection.toml,sha256=gX-XC2BVe0whasBLIQXPPEKClZBC-KW9WoqDEVJ_K-I,7712
|
|
1433
|
+
nldcsc_elastic_rules/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml,sha256=hsrLgGXkCF75egxVbsGrxiiKumlTz_ZGEHmS3ABcY4I,9721
|
|
1434
|
+
nldcsc_elastic_rules/rules/windows/persistence_group_modification_by_system.toml,sha256=2QXh4A3kLgYal-tRWX_TXmaw6TlU_tvdtFkiceUsZgs,5706
|
|
1435
|
+
nldcsc_elastic_rules/rules/windows/persistence_local_scheduled_job_creation.toml,sha256=NnafdcMu7_pe3HIenwn5_jeTA1UNbKIYcpVBIKn_cDA,6469
|
|
1436
|
+
nldcsc_elastic_rules/rules/windows/persistence_local_scheduled_task_creation.toml,sha256=IBuY_5zZqclSpzNX9cmSfz-nERqJ7zMUeFrCZxrpO4I,7139
|
|
1437
|
+
nldcsc_elastic_rules/rules/windows/persistence_local_scheduled_task_scripting.toml,sha256=s_pbs0UqdP6q4nqjD21vvoXR-kSfZhHbFnG5a2aqH4k,2970
|
|
1438
|
+
nldcsc_elastic_rules/rules/windows/persistence_ms_office_addins_file.toml,sha256=cy3RyKwO4vdRodc3sw7ri0fMry5WyB0nmQCOjadPib8,6217
|
|
1439
|
+
nldcsc_elastic_rules/rules/windows/persistence_ms_outlook_vba_template.toml,sha256=JGPl37JjgEjnecyB8vsSk8UENi0UGuZhVs1iMPL7kY8,6049
|
|
1440
|
+
nldcsc_elastic_rules/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml,sha256=CDJsA_izN_TmjgRB12lzsVVd1ex1kA_b0R358MrSp_I,6418
|
|
1441
|
+
nldcsc_elastic_rules/rules/windows/persistence_msi_installer_task_startup.toml,sha256=nuoCfbclQ1d4oufv8JYHXuCq9ywrlfxr5y-ZaqXdXLY,6963
|
|
1442
|
+
nldcsc_elastic_rules/rules/windows/persistence_msoffice_startup_registry.toml,sha256=Z3eUPnDpSxQ5-Jl1WhGnVqYFI_tQBb-05xcxR2-wz98,6081
|
|
1443
|
+
nldcsc_elastic_rules/rules/windows/persistence_netsh_helper_dll.toml,sha256=y86NtRIlST2dtiOdIrw5PRjHghqbcd16Gzc36JJquQA,5914
|
|
1444
|
+
nldcsc_elastic_rules/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml,sha256=kL6Ogski61D2lOyolZk2mDYDERpIRds3ULpxmfWE1vg,6884
|
|
1445
|
+
nldcsc_elastic_rules/rules/windows/persistence_powershell_profiles.toml,sha256=nxTbeLwh3NxDXs54OapQbltK_H-AW-RTslotxjFp1jI,9063
|
|
1446
|
+
nldcsc_elastic_rules/rules/windows/persistence_priv_escalation_via_accessibility_features.toml,sha256=qaMbXjbErE3TiUT1aTOf_0pQn6-nszmVwO_s9Y3cgTg,8567
|
|
1447
|
+
nldcsc_elastic_rules/rules/windows/persistence_registry_uncommon.toml,sha256=Fg4KjYWjsSu3Q2wf-SLsNLcKULTrfCakfuSBOrDERaw,12169
|
|
1448
|
+
nldcsc_elastic_rules/rules/windows/persistence_remote_password_reset.toml,sha256=bFx4cJH5B6nrOLvaDEyB3Ic3jSWoB-jwW3JXoMj5woc,6707
|
|
1449
|
+
nldcsc_elastic_rules/rules/windows/persistence_run_key_and_startup_broad.toml,sha256=yt8Vy2kGhnlY1mmDMQCacmMMdPwkaxnsoLa6nObjhQw,10835
|
|
1450
|
+
nldcsc_elastic_rules/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml,sha256=rr_kFtiyokWS45HL2LkflVOVtXfq4ZD-O5cqfTvrv6s,6773
|
|
1451
|
+
nldcsc_elastic_rules/rules/windows/persistence_scheduled_task_creation_winlog.toml,sha256=xPf3XobPspYdkn3FSjuxfw34ZjFUBuX-gvEE4uE01W8,5827
|
|
1452
|
+
nldcsc_elastic_rules/rules/windows/persistence_scheduled_task_updated.toml,sha256=a4W4EtesfImtctDgVLQqoUhTuxwalTEcgR6GeTjocic,5499
|
|
1453
|
+
nldcsc_elastic_rules/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml,sha256=LucqhOTCiMD4LKOVzAyybqINXNGzlcAp_ZLGoD-2HQI,5342
|
|
1454
|
+
nldcsc_elastic_rules/rules/windows/persistence_service_dll_unsigned.toml,sha256=GrZl-Wmm2mimAgvefK9LulLUBjdTTetl9i7orguJgsI,10255
|
|
1455
|
+
nldcsc_elastic_rules/rules/windows/persistence_service_windows_service_winlog.toml,sha256=GQdhFJRcdnU5ZQa9lpgu4hXaRH12a0g0iWyZpxxuy0M,7352
|
|
1456
|
+
nldcsc_elastic_rules/rules/windows/persistence_services_registry.toml,sha256=qRhDxeRpn5XfmNIJcr2j_8xULLV1ZXfJa9HnrKtPNNQ,7868
|
|
1457
|
+
nldcsc_elastic_rules/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml,sha256=9lnH3fa8F375CQeEcrfVBkSZplb2pvQ5NSqM0_fjyFk,8096
|
|
1458
|
+
nldcsc_elastic_rules/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml,sha256=8Jz6WkLjJGw6IqtwYmozV0blhLk1m5OPkldT_FlozMc,8067
|
|
1459
|
+
nldcsc_elastic_rules/rules/windows/persistence_startup_folder_scripts.toml,sha256=yRa7JxAMnYqwcMOTIX1Wx9jn_lL_a0Yh6xeEKj7e7_s,8028
|
|
1460
|
+
nldcsc_elastic_rules/rules/windows/persistence_suspicious_com_hijack_registry.toml,sha256=O1lxVTsCH32qIt9F1YGPvOeEPc8fHuyX_-zFmEVwYhA,8156
|
|
1461
|
+
nldcsc_elastic_rules/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml,sha256=l1np43Kuu_g8lXVH2GM8j5iv5ZuJplbw8YeNquq4xxE,9279
|
|
1462
|
+
nldcsc_elastic_rules/rules/windows/persistence_suspicious_scheduled_task_runtime.toml,sha256=7eVfk5wxs08waRV2KfHUuqtHB0wBMuIHMCg2mWuop50,8058
|
|
1463
|
+
nldcsc_elastic_rules/rules/windows/persistence_suspicious_service_created_registry.toml,sha256=bP2ZxCkd7myIpsR89NI29Ra90K2xTZNNuaP5j-omruQ,6214
|
|
1464
|
+
nldcsc_elastic_rules/rules/windows/persistence_sysmon_wmi_event_subscription.toml,sha256=9Qx7_YKk9slHgBfR7ZqtCmNecLd9dTtTITPcQUnpt2c,6230
|
|
1465
|
+
nldcsc_elastic_rules/rules/windows/persistence_system_shells_via_services.toml,sha256=T72sPeDDVArWoCW01WcKVVZL1ne-xcNI9CMoJScdVdM,6838
|
|
1466
|
+
nldcsc_elastic_rules/rules/windows/persistence_temp_scheduled_task.toml,sha256=L30_D2T9iV407bRv0GteNk8piyXdhBaW_BIGKAOewh0,6152
|
|
1467
|
+
nldcsc_elastic_rules/rules/windows/persistence_time_provider_mod.toml,sha256=mFCP4Yo4X0BGLgmJM9FeqsWvA8A9jZ0Yzq39jghrmTY,8067
|
|
1468
|
+
nldcsc_elastic_rules/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml,sha256=iVYIz72BHW2jNAZ4_QWsV93AHnTLfGJX60qbVd0imSg,4313
|
|
1469
|
+
nldcsc_elastic_rules/rules/windows/persistence_user_account_creation.toml,sha256=d34lugH0guU-EOL8YEpdmlm32Hk2ssMyVCCkbiqzA0M,3921
|
|
1470
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_application_shimming.toml,sha256=_Slt17cmSaiwYIolYz2khVm3aHId8_nHulm_exOo-Ww,6469
|
|
1471
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_bits_job_notify_command.toml,sha256=1RB-1YfPFvC-1rmAO_vYHeUb2FpCx18-SpFA9JEg_ng,6320
|
|
1472
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_hidden_run_key_valuename.toml,sha256=PbVWdM15MMKTbPu6obodbM9VKlpU3w4_H7nlbRy84v4,7346
|
|
1473
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_lsa_security_support_provider_registry.toml,sha256=LilCihIdWiHBu-r9N0bKxdXONXntkWxtn70crDt--_A,6962
|
|
1474
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml,sha256=NhRaW9jBpgzvnFv8pzuyfLZasi1tOXdmiO2fkZlfgTE,7313
|
|
1475
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_update_orchestrator_service_hijack.toml,sha256=9PiKID-KMwKKr_742zfdiENfSZFm78gx46plUeBPHtQ,8766
|
|
1476
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml,sha256=oqsJt6wCLxcFgimA7q_V6WYwXKhRF68SvlCV4RdQVas,6603
|
|
1477
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_wmi_stdregprov_run_services.toml,sha256=Zx923dwdBeM2X2Q7a6h4CHoySKMQbj1wTkI7K8hZi3Q,12257
|
|
1478
|
+
nldcsc_elastic_rules/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml,sha256=VdOvYJYKpZLNQwBmeh5-ytJ6GXCuDXiT6LRgIPMBWi4,7057
|
|
1479
|
+
nldcsc_elastic_rules/rules/windows/persistence_web_shell_aspx_write.toml,sha256=hKYryygGGYjHy7ZcdIrafVyWGY1TyZcENiKb4QA1RKw,6480
|
|
1480
|
+
nldcsc_elastic_rules/rules/windows/persistence_webshell_detection.toml,sha256=6NmewmInZE-VhpZBQtJfLX8DKqjEfXJsDgP0GYas4RM,8581
|
|
1481
|
+
nldcsc_elastic_rules/rules/windows/persistence_werfault_reflectdebugger.toml,sha256=zP4to8CBNGOYxl2fh99FXdjYX15jB9mGZoxg-JfyR7I,6411
|
|
1482
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_badsuccessor_dmsa_abuse.toml,sha256=SDcUMIm5ic9MEVSD3oMqzbSz9MYccpj0GkQVUi4mJg8,3901
|
|
1483
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_create_process_as_different_user.toml,sha256=IOR4zon5Qzx1DvXysdb9D1lIFKb07uHqUaTbVUjj0kk,6162
|
|
1484
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_create_process_with_token_unpriv.toml,sha256=cRCPOcCsL-iBUKtP-1CauPqHNP-MRZI86-rMxHTHWcI,8084
|
|
1485
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_credroaming_ldap.toml,sha256=RqETi80qGAOMv2PL07GACwKoTMEeggzZHU4rpwb78D4,6466
|
|
1486
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_disable_uac_registry.toml,sha256=fDx3FSeDoqRI7syLUE4AE42Jcc1mMTBMeE6Ry0u3Fow,7634
|
|
1487
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml,sha256=yY6uHbyTvSn3DrCb2itiY3WzbjhMRJxeMm_ufePqOfw,3679
|
|
1488
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml,sha256=By3pab7JTH2gvz1q5PCed4FURgtTrTDEyK0vh4h2DJA,5915
|
|
1489
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_driver_newterm_imphash.toml,sha256=HvxZYo_y6xMXAhru0FSi4eDZzEk4htjzMLTFEkDS2bE,8380
|
|
1490
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_expired_driver_loaded.toml,sha256=4o8S2nojMRbU0qLmUapbVJD4DND38Fw-FeBkVn03RFI,5667
|
|
1491
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_exploit_cve_202238028.toml,sha256=TOeZ7w5EdVFDCnv6aJzqj8mDznxiKkT_rzdRemnkPdA,6997
|
|
1492
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml,sha256=FmOeG6iCTwQ7TDlbLtD9ibYf6w6lP0IP0zwpQEPFQgc,6994
|
|
1493
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_group_policy_iniscript.toml,sha256=Q-ZE1jt71B5frxlH01m5tkI6tJTghabYnf6GI8KMA8M,5282
|
|
1494
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_group_policy_privileged_groups.toml,sha256=FZ4FmDBZlnH8c6v5ZSvCxdGnZ1JUGdRvkJ14K-LfgU0,4127
|
|
1495
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_group_policy_scheduled_task.toml,sha256=hc2GQapWYlu6LnKQP5KwwBxYhyBckXtJgA-JKiWnXP4,5677
|
|
1496
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_installertakeover.toml,sha256=1TmwFX2UmGubx3O00U7n0BpTohU55lXJgdqaSyqHPfw,7822
|
|
1497
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_krbrelayup_service_creation.toml,sha256=Ft-8K-1XC1qcRN9NEbgECuy75AHUNt7KSWz1pXe_-r4,7081
|
|
1498
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_lsa_auth_package.toml,sha256=xgLw5lU_iv7VySHfH5LJBI8mD0mC8xcYCb_7dmi5Wjk,6174
|
|
1499
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_make_token_local.toml,sha256=j-o--7rwCLV8SZF3Wr2yrHKWRaZMON1jUIWsLV7zvws,6050
|
|
1500
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml,sha256=Ol8QUs6qcWn-sV6lHS1UpdqVFkn2TmJd2Y_--j27thI,6709
|
|
1501
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_named_pipe_impersonation.toml,sha256=FXCMt9RLRtepV9B7hJL0kNdttYMUgwO0yvIC2Cr2mJY,7478
|
|
1502
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml,sha256=us1AHh_03NE8OKQSYJEJGw2NcM8EhR2UaM5FDNv77hs,5764
|
|
1503
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_persistence_phantom_dll.toml,sha256=ArGoooXCpnW2d9iro5FP5kgbUG1wx1BLMR0Uzz9c96w,10100
|
|
1504
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml,sha256=ji-kgEzHOvCFeqsScGsbsfvSkAMoyHgXB-kOZmY43Mo,7325
|
|
1505
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_posh_token_impersonation.toml,sha256=qVKMcqb9DlSwe2uGmFpkQbYGpNn5q7FDb7mCugjdcmo,9785
|
|
1506
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml,sha256=Eg48LGw7VwKJOSnAuwMMhlM99OZHJIeMLf6O6TgW1e4,6660
|
|
1507
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml,sha256=TPqKkW8JC0-S3hid5m2ZwtUIG-TPZafQ-eYcOUxZOiE,7371
|
|
1508
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml,sha256=6Olg1aRWx55mkrgr8M0miiQ9IGmwMQeRyR1ohKS6VJo,5845
|
|
1509
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml,sha256=anlUETfBUTJ0eBdFxPg2pCCtFDIq5ScIGsIRVLJQrAE,7968
|
|
1510
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml,sha256=UWTYbQVThaIflkVxD_X4inb2g1sKSejTExtRL4zDVfM,9122
|
|
1511
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_rogue_windir_environment_var.toml,sha256=ZAdk_Q5fPwpje4gVXOZI4IByOVHd3GCCg1vbpqciBEg,6355
|
|
1512
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml,sha256=mTtiDTkIXzLZY_ZFMIJBzWtPT6KuKpYSz6BUOubzAo0,6933
|
|
1513
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_service_control_spawned_script_int.toml,sha256=ZreqoWddgjw4cKRpxSxjYDlXFIzr-QqtcmwsSPFbBOk,8019
|
|
1514
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml,sha256=XdQS5q3CcyaXwnXg2-ICNqR_uKXDZPvwkGfpr8xpeMY,6765
|
|
1515
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml,sha256=vZE6uCCgGpiOoyQFh8VNlqbb1Co1b-j_pGrAH8Mz1HQ,3617
|
|
1516
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml,sha256=3CwSw-oj6Ar3mfov3aAVXXWNBkjDVZ2r3obC01Fqyhw,7104
|
|
1517
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml,sha256=PhYC8BalSKrAuCZjRpnDQEoWOVf48VwuE9BjMEgfzmM,7485
|
|
1518
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml,sha256=MBFTRYxAq_f1nveeFpm1a6HYnBGIecOwj2Vj4VnpQeQ,7580
|
|
1519
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml,sha256=nOT_xIotEHyAvo6GvsMSiCS8J7ByCW4la_9K8qCcN8g,6912
|
|
1520
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml,sha256=9lWxFYv_G8wXAKgJRc4yiAp1JSkr7wikOh90AeuNIRM,7452
|
|
1521
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml,sha256=9FqkePH9R--lXMs4uksZRUOJaTQU4ofYzj079opdkbc,7254
|
|
1522
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml,sha256=CMksZTL1thkcN0T6GbM3kACxmEUjUaET9PsWmMnLndg,8807
|
|
1523
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml,sha256=G_6JPw4SnaOvFrds5mNO-6_pL-Hd91kX0nHjo8GwRjw,8625
|
|
1524
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml,sha256=ZctV6YJb52604KHgmkA678wgsQZUrqiCXLgUH2MGa5c,8539
|
|
1525
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_unquoted_service_path.toml,sha256=KAz8Bu33Lgkvst8UsmPd8bhkCHcefmHb-F_Hz7lYC4c,6355
|
|
1526
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml,sha256=_Axno6Ol0VTI3eJYhRjh2GkV7gvs__nwP2wcw_EZLn8,9841
|
|
1527
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml,sha256=xgLdwnORlQSHRhlao3HAwiiLGlZXgCQmGD2SR7L_c1k,7616
|
|
1528
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml,sha256=u_TLhyqMmCF4HBw0EYYk_DbEPO99haj9K5CbY-p0YvE,7828
|
|
1529
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_via_ppid_spoofing.toml,sha256=WKPQwNhpDJeqZnlMCfZ-NKc0Xi5in0dwv5vrZWaNgCo,9811
|
|
1530
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_via_rogue_named_pipe.toml,sha256=pUlGQseYyqX77bUWbD5nDMAs8T6-rgPh5uECXrKjS8E,6176
|
|
1531
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_via_token_theft.toml,sha256=9_pNHTlUhFvwPCoWOw7yCIC6PBqSinWldm6zgipznL0,9459
|
|
1532
|
+
nldcsc_elastic_rules/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml,sha256=Qfi-w1KpA3dLyZ_s0xc3vZOey9IasOKirk-C3JPzRkw,7502
|
|
1533
|
+
nldcsc_elastic_rules-0.0.8.dist-info/METADATA,sha256=TEZYRaEOp86-OBDuK0bwCcke6IrSiJoIJCzbLENfbqA,64
|
|
1534
|
+
nldcsc_elastic_rules-0.0.8.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
|
|
1535
|
+
nldcsc_elastic_rules-0.0.8.dist-info/top_level.txt,sha256=2ua0gPWflzV4D32kz6ZXXok1H-0wJVI2Scdm_qmNsrM,21
|
|
1536
|
+
nldcsc_elastic_rules-0.0.8.dist-info/RECORD,,
|