version revert

patel-bhavin · patel-bhavin · commit 07c0ba75e496 · 2025-01-27T13:10:46.000-08:00
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
@@ -1,6 +1,6 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: '10'
+version: 9
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml
@@ -1,6 +1,6 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: '11'
+version: 10
 date: '2025-01-27'
 author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml
@@ -1,6 +1,6 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: '9'
+version: 8
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,6 +1,6 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: '11'
+version: 10
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
@@ -1,6 +1,6 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: '7'
+version: 6
 date: '2025-01-27'
 author: "Teoderick Contreras, Splunk, Ivar Nyg\xE5rd"
 status: production
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -1,6 +1,6 @@
 name: Linux Auditd Nopasswd Entry In Sudoers File
 id: 651df959-ad17-4b73-a323-90cb96d5fa1b
-version: '5'
+version: 4
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,6 +1,6 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: '5'
+version: 4
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -1,6 +1,6 @@
 name: Linux Auditd Possible Access To Sudoers File
 id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834
-version: '5'
+version: 4
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
@@ -1,6 +1,6 @@
 name: Linux Auditd Preload Hijack Library Calls
 id: 35c50572-a70b-452f-afa9-bebdf3c3ce36
-version: '5'
+version: 4
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml
@@ -1,6 +1,6 @@
 name: Linux Common Process For Elevation Control
 id: 66ab15c0-63d0-11ec-9e70-acde48001122
-version: '6'
+version: 5
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
@@ -1,6 +1,6 @@
 name: Linux File Creation In Init Boot Directory
 id: 97d9cfb2-61ad-11ec-bb2d-acde48001122
-version: '7'
+version: 6
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml
@@ -1,6 +1,6 @@
 name: Linux Iptables Firewall Modification
 id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7
-version: '8'
+version: 7
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
@@ -1,6 +1,6 @@
 name: Linux NOPASSWD Entry In Sudoers File
 id: ab1e0d52-624a-11ec-8e0b-acde48001122
-version: '6'
+version: 5
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml
@@ -1,6 +1,6 @@
 name: Linux Possible Access To Credential Files
 id: 16107e0e-71fc-11ec-b862-acde48001122
-version: '7'
+version: 6
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
@@ -1,6 +1,6 @@
 name: Linux Possible Access To Sudoers File
 id: 4479539c-71fc-11ec-b2e2-acde48001122
-version: '6'
+version: 5
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml
@@ -1,6 +1,6 @@
 name: Linux Preload Hijack Library Calls
 id: cbe2ca30-631e-11ec-8670-acde48001122
-version: '6'
+version: 5
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
@@ -1,6 +1,6 @@
 name: Linux Sudoers Tmp File Creation
 id: be254a5c-63e7-11ec-89da-acde48001122
-version: '6'
+version: 5
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -1,6 +1,6 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: '10'
+version: 9
 date: '2025-01-27'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
@@ -1,6 +1,6 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: '7'
+version: 6
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,6 +1,6 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: '11'
+version: 10
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,6 +1,6 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: '16'
+version: 15
 date: '2025-01-27'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml
@@ -1,6 +1,6 @@
 name: Remote Process Instantiation via WMI
 id: d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da
-version: '12'
+version: 11
 date: '2025-01-27'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -1,6 +1,6 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: '11'
+version: 10
 date: '2025-01-27'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
@@ -1,6 +1,6 @@
 name: Suspicious Regsvr32 Register Suspicious Path
 id: 62732736-6250-11eb-ae93-0242ac130002
-version: '11'
+version: 10
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -1,6 +1,6 @@
 name: Suspicious Scheduled Task from Public Directory
 id: 7feb7972-7ac3-11eb-bac8-acde48001122
-version: '6'
+version: 5
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -1,6 +1,6 @@
 name: Windows Access Token Manipulation SeDebugPrivilege
 id: 6ece9ed0-5f92-4315-889d-48560472b188
-version: '11'
+version: 10
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -1,6 +1,6 @@
 name: Windows Archive Collected Data via Rar
 id: 2015de95-fe91-413d-9d62-2fe011b67e82
-version: '6'
+version: 5
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: '8'
+version: 7
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: '8'
+version: 7
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -1,6 +1,6 @@
 name: Windows Curl Download to Suspicious Path
 id: c32f091e-30db-11ec-8738-acde48001122
-version: '8'
+version: 7
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -1,6 +1,6 @@
 name: Windows Replication Through Removable Media
 id: 60df805d-4605-41c8-bbba-57baa6a4eb97
-version: '8'
+version: 7
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -1,6 +1,6 @@
 name: Windows Service Created with Suspicious Service Path
 id: 429141be-8311-11eb-adb6-acde48001122
-version: '12'
+version: 11
 date: '2025-01-27'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -1,6 +1,6 @@
 name: Windows Service Creation Using Registry Entry
 id: 25212358-948e-11ec-ad47-acde48001122
-version: '12'
+version: 11
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -1,6 +1,6 @@
 name: Windows Unsigned DLL Side-Loading
 id: 5a83ce44-8e0f-4786-a775-8249a525c879
-version: '8'
+version: 7
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
@@ -1,6 +1,6 @@
 name: Windows Unsigned DLL Side-Loading In Same Process Path
 id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f
-version: '7'
+version: 6
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 data_source:
diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
@@ -1,6 +1,6 @@
 name: Windows Unsigned MS DLL Side-Loading
 id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c
-version: '8'
+version: 7
 date: '2025-01-27'
 author: Teoderick Contreras, Splunk
 data_source:
diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
@@ -1,6 +1,6 @@
 name: WinEvent Scheduled Task Created to Spawn Shell
 id: 203ef0ea-9bd8-11eb-8201-acde48001122
-version: '9'
+version: 8
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
@@ -1,6 +1,6 @@
 name: WinEvent Scheduled Task Created Within Public Path
 id: 5d9c6eee-988c-11eb-8253-acde48001122
-version: '9'
+version: 8
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml
@@ -1,6 +1,6 @@
 name: Detect Large Outbound ICMP Packets
 id: e9c102de-4d43-42a7-b1c8-8062ea297419
-version: '9'
+version: 8
 date: '2025-01-27'
 author: Rico Valdez, Dean Luxton, Splunk
 status: production
