Lock versions for releases: 8.18,8.19,9.0,9.1 (#4963)

github-actions[bot]
2025-08-06 08:58:16 +05:30
committed by GitHub
parent b28338c680
commit 154283f457
3 changed files with 150 additions and 145 deletions
@@ -364,6 +364,11 @@
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"stack_version": "7.14.0"
},
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
"deprecation_date": "2025/07/16",
"rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
"stack_version": "8.18"
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"deprecation_date": "2021/04/15",
"rule_name": "Nmap Process Activity",
+144 -144
@@ -307,9 +307,9 @@
},
"083383af-b9a4-42b7-a463-29c40efe7797": {
"rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
"sha256": "8cac51f0d1079a104a2c54bfaa644c28c71af8099346c03036e0b715984274e8",
"sha256": "ecac1068b5efcf837a17aa8bc11ec4898b57cf512f3d3953c575a14de27b12e4",
"type": "esql",
"version": 2
"version": 3
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd",
@@ -493,9 +493,9 @@
},
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
"sha256": "0d0084d44982bd3c5392b363044b94d1c083b4ff85c4da034a82be08872812d5",
"sha256": "2d520b970c95e1e70958288a6575a3b71c21e856ff41cb18b171b44506169b45",
"type": "esql",
"version": 5
"version": 6
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "Suspicious Mailbox Permission Delegation in Exchange Online",
@@ -511,9 +511,9 @@
},
"0d3d2254-2b4a-11f0-a019-f661ea17fbcc": {
"rule_name": "Microsoft Entra ID Session Reuse with Suspicious Graph Access",
"sha256": "39e7ee73c98bb90aec7799cbc6fe4dee39040f58e58eb4e49267c2b5189a6edf",
"sha256": "2ff9a11a69b39d114739b56e1264c1c56b7fa7879955c39fc95314719ddfd722",
"type": "esql",
"version": 2
"version": 3
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"rule_name": "Nping Process Activity",
@@ -529,15 +529,15 @@
},
"0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
"rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "156805611533217338dd0a15eb5010ccbc4528c1188d7e5e6e299e430043fe77",
"sha256": "e78a9969bc5e054975c375e52db0dac90ce3655bdc77387b2748d688714f3375",
"type": "esql",
"version": 101
"version": 102
},
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
"sha256": "06cd8ab4b8922f24d2b6151406f8680b95c67b7d415ccdab4ef61cfc5c80fda7",
"sha256": "7f134644d8273c890ac5ca095836aa00db805397f4b82c8ec536a7663c1c7235",
"type": "esql",
"version": 2
"version": 3
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
@@ -553,9 +553,9 @@
},
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
"rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token",
"sha256": "9dcfdf0dee83a741f90f4f037aa0c512a57b6c5ebec5f01e11fe73ac1eb70da7",
"sha256": "707436cd4db52679e9c2e42f16b61590bd7851a49f03ea02f9c9f53a7c876d62",
"type": "esql",
"version": 2
"version": 3
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation",
@@ -907,9 +907,9 @@
},
"16acac42-b2f9-4802-9290-d6c30914db6e": {
"rule_name": "AWS S3 Static Site JavaScript File Uploaded",
"sha256": "20bd2d6a25a3247d29f055a381f839fa376d5e2d0456e0752f56973261d69518",
"sha256": "de781327d4333f9e6fcc9c4de9aab9ff7e589ff1af6f72061153e350754372e9",
"type": "esql",
"version": 1
"version": 2
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"rule_name": "Startup/Logon Script added to Group Policy Object",
@@ -925,9 +925,9 @@
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
"sha256": "6862e5d1dee36ec1dcdcd165a67f6c373cd83aaa5f0db1b63ac526b78d346e02",
"sha256": "5b8d5a1b99c6b3e9b8f23db751a98aa42d12ea85d9927aac93c2ed685d2b6655",
"type": "esql",
"version": 4
"version": 5
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"rule_name": "Unusual Windows Username",
@@ -1045,9 +1045,9 @@
},
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
"sha256": "33f648f8fa253d9d09a1f3594faf4499982de1fc6d268944164a5d4b08313bbf",
"sha256": "93836865cdc9026a4cdaf2a69ae09fc7789927189af5f4ca4a359713fb12d8ec",
"type": "esql",
"version": 3
"version": 4
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
@@ -1255,9 +1255,9 @@
},
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
"rule_name": "AWS Signin Single Factor Console Login with Federated User",
"sha256": "67652ae55e23dcc67c6e395bd4b6354b74840c3c0ef81b0abe48e5f0fda50dc7",
"sha256": "d7dfefbed76f68577979701e4d7c33a6f48472d06569c268597a2d9553913692",
"type": "esql",
"version": 3
"version": 4
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"rule_name": "Unusual Process Execution on WBEM Path",
@@ -1267,9 +1267,9 @@
},
"1fa350e0-0aa2-4055-bf8f-ab8b59233e59": {
"rule_name": "High Number of Egress Network Connections from Unusual Executable",
"sha256": "8fd6834863e1a6153e14e7b50305a5c3bce7ae429464089d905675d62125ad6f",
"sha256": "5950b86e681b4be75861a8e08306a72d54926b09bc5d6752cf63f4877beeb107",
"type": "esql",
"version": 4
"version": 5
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"rule_name": "Unusual Linux User Calling the Metadata Service",
@@ -1429,9 +1429,9 @@
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "c36f877aae8c91862b5ab7eee70b483ae8d3103bc22dae5e336963e96cd7fc9d",
"sha256": "7bd6191d375f8df11be8e1f01eb80fe5ccf783a1431539a5f1a404e9b571a5f6",
"type": "esql",
"version": 205
"version": 206
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"rule_name": "New GitHub Owner Added",
@@ -1507,9 +1507,9 @@
},
"266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": {
"rule_name": "Unusual High Denied Topic Blocks Detected",
"sha256": "fe10ea745cf3203f237c4b8a40c63e9cb9d364c796bf52a2377425c3bd013171",
"sha256": "17f2e732dffccfe95b1e8b3fd5f9806361f123bf905d25230378e2f44b8724f3",
"type": "esql",
"version": 2
"version": 3
},
"267dace3-a4de-4c94-a7b5-dd6c0f5482e5": {
"rule_name": "Successful SSH Authentication from Unusual SSH Public Key",
@@ -1537,9 +1537,9 @@
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "Potential Microsoft 365 User Account Brute Force",
"sha256": "5c514169b6d79b56e7862806ed11630e068b9d8675fbe1f9f171736a3b42ad0e",
"sha256": "0fb493e61559cdde3c67997c7b484a73e2f559aaa48ea10c5fa2ffb791811d8d",
"type": "esql",
"version": 413
"version": 414
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"rule_name": "PowerShell Script with Archive Compression Capabilities",
@@ -1591,9 +1591,9 @@
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "138552f6df8aee3e8ab2164631ef74888c7d0297c012bbd6ac9ea1c1a37ecc46",
"sha256": "ce81951ab3d4a4fdf53ec1d89559c7146d3adb5b6d73f7e417446e8307628be9",
"type": "esql",
"version": 3
"version": 4
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Account Discovery Command via SYSTEM Account",
@@ -1759,9 +1759,9 @@
},
"2d6f5332-42ea-11f0-b09a-f661ea17fbcd": {
"rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
"sha256": "0f02e577ddc1fe851a0145485a0c80e9146f51ff9d58736c18233e59adcdc755",
"sha256": "d304c5fb26b7457152ba6e6cc30c1004b3cd8c072c951f3451d6bc7d15b07dd1",
"type": "esql",
"version": 1
"version": 2
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
@@ -1819,9 +1819,9 @@
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "6375e8a5cf7e5157f5ac79e82ac7a54579bd7e92e69a3ba0eb3f1ec5faba5a33",
"sha256": "34161e67dda644eb6d3c363c3518925d284fb179797218c5277aba283ee64021",
"type": "esql",
"version": 306
"version": 307
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
@@ -1939,9 +1939,9 @@
},
"3216949c-9300-4c53-b57a-221e364c6457": {
"rule_name": "Unusual High Word Policy Blocks Detected",
"sha256": "fbc24d43876fb187d170bf7067f200bfc4a9dc9315138429cf73dd99f867b8ba",
"sha256": "5e62d95bdfadfdce8505ea429f74acce99d2c32d8fc2ca48883884f599022754",
"type": "esql",
"version": 2
"version": 3
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
@@ -2059,9 +2059,9 @@
},
"35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
"rule_name": "Microsoft 365 Brute Force via Entra ID Sign-Ins",
"sha256": "a57a6cb80e10414e3c96dfd434f104531608737308a5ed4027def6428d43c76e",
"sha256": "0223f10070fdf5546242cb47177cef7a4b2b183ba9a1deb3b04ef8303d0723c9",
"type": "esql",
"version": 105
"version": 106
},
"35c029c3-090e-4a25-b613-0b8099970fc1": {
"rule_name": "File System Debugger Launched Inside a Container",
@@ -2089,9 +2089,9 @@
},
"36188365-f88f-4f70-8c1d-0b9554186b9c": {
"rule_name": "Suspicious Microsoft 365 UserLoggedIn via OAuth Code",
"sha256": "ce6457e962a7fec1c0580e4f34c691fc6030f32990310ca8d568518ec6ca1ae5",
"sha256": "67b5c49045dbc6a01a55180ea1f17a136b2ab1c100276532ea61421b798e9604",
"type": "esql",
"version": 2
"version": 3
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"rule_name": "Process Started from Process ID (PID) File",
@@ -2119,9 +2119,9 @@
},
"375132c6-25d5-11f0-8745-f661ea17fbcd": {
"rule_name": "Suspicious Microsoft OAuth Flow via Auth Broker to DRS",
"sha256": "d30059429db55e2153898e53be14f42ddd4df5776f79a3702905867ae95cd0fe",
"sha256": "e5b671ce06f5ad1ae25c9d980e8f28fb4dade80b6a6ac8785137e6ca22ba322d",
"type": "esql",
"version": 2
"version": 3
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "AWS RDS Security Group Creation",
@@ -2215,9 +2215,9 @@
},
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
"sha256": "3baef76c046e4ec7eefef4ea4afd2a3ab5e3087df2e8501087fcd54235a0ea2c",
"sha256": "de1af1001bd67fdd967b116f1da6193d98831a0be504bea9b4c08d2628929381",
"type": "esql",
"version": 4
"version": 5
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"rule_name": "Persistence via Microsoft Outlook VBA",
@@ -2455,9 +2455,9 @@
},
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
"rule_name": "Microsoft Entra ID MFA TOTP Brute Force Attempts",
"sha256": "00ca74cbcb463e4aab75e6f1c2caa5279929ef6c8c0ecc91e21716ab9f885a48",
"sha256": "e24bea46745eaea032be645e39a5121b68afd6151e6a1cb54438d89df40610e0",
"type": "esql",
"version": 3
"version": 4
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"rule_name": "DNF Package Manager Plugin File Creation",
@@ -2473,9 +2473,9 @@
},
"4021e78d-5293-48d3-adee-a70fa4c18fab": {
"rule_name": "Potential Azure OpenAI Model Theft",
"sha256": "ef195d098178a2dc0f66928ae6cf38dbf7eb1d7d847a573cb7236fb5b7a157aa",
"sha256": "f5943841572ea047091c8d64f568053c517e10ee41b48cb5f13a403583415c62",
"type": "esql",
"version": 2
"version": 3
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"rule_name": "GitHub User Blocked From Organization",
@@ -2533,9 +2533,9 @@
},
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
"rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
"sha256": "a2c672b192a6a57d9e17c240ef6f3a68afa730cc1a44e87636d7b6cb3a2019d3",
"sha256": "c5f336182037e4433738832b6d5bc28d622dd67871af0e6e43f012b1667671f1",
"type": "esql",
"version": 6
"version": 7
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
@@ -2779,9 +2779,9 @@
},
"498e4094-60e7-11f0-8847-f661ea17fbcd": {
"rule_name": "OIDC Discovery URL Changed in Entra ID",
"sha256": "47e5e1ec1bd8c81aa5b602e13814559327caccb93b07ee8e756151d691089da0",
"sha256": "8f940ce690e48db3775aed4269c61cf79ee17ca1d9632ad3edf914233b972974",
"type": "esql",
"version": 2
"version": 3
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -2941,9 +2941,9 @@
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"rule_name": "Unusual High Confidence Content Filter Blocks Detected",
"sha256": "c2e729e23f37d687504d5c86cb91f01a1d9363cd489f06a54723e557f02903cd",
"sha256": "e5102d089042d08384dbb93e20f1d6ca500573c87d6000063ca8dabf14ba8ce6",
"type": "esql",
"version": 6
"version": 7
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"rule_name": "Execution via TSClient Mountpoint",
@@ -3541,9 +3541,9 @@
},
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
"sha256": "e65db1e4cf78b27ce4ca6092bbbb6900c749dbda0d96ee608ec1954757cb9862",
"sha256": "b3ecf40e44a7d3998e8adc142b39d8177a9ccc2dbb6b8b38a086bc7f6ac11ec3",
"type": "esql",
"version": 4
"version": 5
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"rule_name": "Potential File Download via a Headless Browser",
@@ -3709,9 +3709,9 @@
},
"64f17c52-6c6e-479e-ba72-236f3df18f3d": {
"rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
"sha256": "94f9e9018d0be3334e3e68890fd2428b6e18e8bc2c5b0c39ff7be4d55290dc5a",
"sha256": "2deaae9f306ec436dbcaa80ca7c8eedc5a563285015398e4017c49fdeabfa756",
"type": "esql",
"version": 3
"version": 4
},
"6505e02e-28dd-41cd-b18f-64e649caa4e2": {
"rule_name": "Manual Memory Dumping via Proc Filesystem",
@@ -3817,9 +3817,9 @@
},
"6756ee27-9152-479b-9b73-54b5bbda301c": {
"rule_name": "Rare Connection to WebDAV Target",
"sha256": "92b9fe3e356e788ab08e04b80551d2c955982681d6c01d7bd8b098d0720ece71",
"sha256": "226bc2c66a12087220919af679f96b33f238a293993cc8a86a3b04d4544dca5f",
"type": "esql",
"version": 1
"version": 2
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"rule_name": "Attempt to Revoke Okta API Token",
@@ -3979,9 +3979,9 @@
},
"6b341d03-1d63-41ac-841a-2009c86959ca": {
"rule_name": "Potential Port Scanning Activity from Compromised Host",
"sha256": "90eb4b21ae10fe4e4df380766d100bf1f1e849d19543bb9bc9481afc5494d138",
"sha256": "4b223bbbb2de1fdda098f39923b4c779a6e2bfdd88ccf0137b08808a96c02042",
"type": "esql",
"version": 4
"version": 5
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
@@ -4033,9 +4033,9 @@
},
"6ddb6c33-00ce-4acd-832a-24b251512023": {
"rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
"sha256": "e422dcbb8f4aabb423e792367a7067eed1b293d7dfb67c33ca2822a646486650",
"sha256": "8c4f5c161d76288dfa5f503ea1353b52bf9fc70d4dc497687833391b1952227a",
"type": "esql",
"version": 3
"version": 4
},
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"rule_name": "Root Certificate Installation",
@@ -4190,9 +4190,9 @@
},
"713e0f5f-caf7-4dc2-88a7-3561f61f262a": {
"rule_name": "AWS EC2 EBS Snapshot Access Removed",
"sha256": "f5c4dc11b300026e5ae6340b94306e6264a22d7e196af355106e7ece622f9170",
"sha256": "52024b2e77cc4795b4f03cbcbc178c5b1ef9142451d06b12605d4031d44923d9",
"type": "esql",
"version": 1
"version": 2
},
"7164081a-3930-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
@@ -4233,9 +4233,9 @@
"720fc1aa-e195-4a1d-81d8-04edfe5313ed": {
"min_stack_version": "8.18",
"rule_name": "Elastic Security External Alerts",
"sha256": "422e82deeff98279777d95dbf0ed16eaf90b3bb1c5a3950ad92a7fff136b9406",
"sha256": "5378d1cf9cc62c93c87fca496cb3de399093caee93924ada0c9a7fc88cb0dfee",
"type": "query",
"version": 1
"version": 2
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Microsoft 365 Potential ransomware activity",
@@ -4245,9 +4245,9 @@
},
"725a048a-88c5-4fc7-8677-a44fc0031822": {
"rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
"sha256": "f61560b78b79c873453bce1b3947231b6df1c967d0f2a49efefd56bbfb7bfc59",
"sha256": "f3a375efa9dad165b0ceee2708b1a82c91b5e018d88c7a9b2e3e9b92105cc17e",
"type": "esql",
"version": 4
"version": 5
},
"7290be75-2e10-49ec-b387-d4ed55b920ff": {
"rule_name": "Suspicious Network Tool Launched Inside A Container",
@@ -4336,9 +4336,9 @@
},
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
"sha256": "f5789d775fa4739d37c91b2704142e6834659dfa48c0b2678871113ce335b642",
"sha256": "53be035e01bd869c4c8f86c9ace24ef2f4e616229a67d7fdc7f988937f3027c0",
"type": "esql",
"version": 2
"version": 3
},
"751b0329-7295-4682-b9c7-4473b99add69": {
"rule_name": "Spike in Group Management Events",
@@ -4420,9 +4420,9 @@
},
"77122db4-5876-4127-b91b-6c179eb21f88": {
"rule_name": "Potential Malware-Driven SSH Brute Force Attempt",
"sha256": "8dc9432fe001b03729244ce15ce198f7929eb1e204dd5a9f2b2f6040a1a2a6ba",
"sha256": "bcfd7354aed5a764e46baa036e742d25e5e2d484a217268320a01bf60b2a2bc1",
"type": "esql",
"version": 4
"version": 5
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "User Added as Owner for Azure Application",
@@ -4706,9 +4706,9 @@
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "2b48ff4f4ca95dc0932903ccf91fa825967498fd03466dca90f7da56b6c11cee",
"sha256": "6d88b7bf2484d20a30c85309900202651b324407d516d569f99e2d282dc2a8ba",
"type": "esql",
"version": 5
"version": 6
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
@@ -4880,15 +4880,15 @@
},
"85e2d45e-a3df-4acf-83d3-21805f564ff4": {
"rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
"sha256": "9ae59b86de8d3333c17b6cd3fc54f242d3f25a9cde4d9f3c8c62118473d31a4f",
"sha256": "d20f6ac63151a8527f3e3d7607516b14c02b5d6b364d23f9271adb90900ea3cd",
"type": "esql",
"version": 2
"version": 3
},
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
"sha256": "24b3bc6238840440eec8ea3177465747890437682060e94e676281b633eeb19b",
"sha256": "6937741695dc02c9bf74f0e166bf81212b51bfd952ae6f5c91c84cc592a66e86",
"type": "esql",
"version": 4
"version": 5
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
@@ -4994,9 +4994,9 @@
},
"894b7cc9-040b-427c-aca5-36b40d3667bf": {
"rule_name": "Unusual File Creation by Web Server",
"sha256": "db6f60f5d20150c9abf61b9d0c2a26b9dff9a562a4b050e719f161841bd71184",
"sha256": "fa5fc4ccea16df933ee8257a2e7743b75e88d0885c61ae805f69b2541793766a",
"type": "esql",
"version": 3
"version": 4
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
@@ -5066,9 +5066,9 @@
},
"8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": {
"rule_name": "Unusual Command Execution from Web Server Parent",
"sha256": "23778f586b66fb64c1ec04badcff4699da11153616b5f87f0cd119770cafc7c7",
"sha256": "9f04d7a84b28aa6755992666e62838bd70bd7b7b428ad1d9788f1a083e115f6b",
"type": "esql",
"version": 4
"version": 5
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Deprecated - Suspicious JAVA Child Process",
@@ -5198,9 +5198,9 @@
},
"8eeeda11-dca6-4c3e-910f-7089db412d1c": {
"rule_name": "Unusual File Transfer Utility Launched",
"sha256": "3a63ecae0f23eb291f2721d54ad0feb5fd99749a9232ec1b0af414189a8965af",
"sha256": "69c8afa3b8a767b0a2458a7b93bb995598c358f351aba9f58d4c8594929e3d74",
"type": "esql",
"version": 4
"version": 5
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
@@ -5408,9 +5408,9 @@
},
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "9fa4a01b6eb07f8ffaf4eca23ccec4dc5300b6e399f68021c2609c016b357945",
"sha256": "c0ff54d33f87c27d8078d40c14cf9ececf62c8a21b351855ec3eaa69805547da",
"type": "esql",
"version": 205
"version": 206
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
@@ -5450,9 +5450,9 @@
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "e759679cbed42a67b692ba8b6c714656060043ebf9325271c0f25b9e6525bfe4",
"sha256": "89975c16b8a516727a9b1cae53a92a59cc0eacc72527c5a2bb22ec2ed9ef8c4a",
"type": "esql",
"version": 205
"version": 206
},
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
@@ -5534,9 +5534,9 @@
},
"976b2391-413f-4a94-acb4-7911f3803346": {
"rule_name": "Unusual Process Spawned from Web Server Parent",
"sha256": "86b2b660397c6b611c43e37cc846a77ff9644ab6abc7dbe99b26e7558a8e4774",
"sha256": "450d7bfd876b254e435bbbab830503697dc8637b22533ccdebd455e521f31ac0",
"type": "esql",
"version": 4
"version": 5
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS IAM SAML Provider Updated",
@@ -5714,9 +5714,9 @@
},
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
"sha256": "42899d64e0c7f8f5826397057a894231972973708fcaafedd8152d335a51c3e0",
"sha256": "fe18f1e29bcdc1dcebe1106d801d86351d22fd0e8f8cf68879814bf0a2cc1c96",
"type": "esql",
"version": 6
"version": 7
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"rule_name": "GitHub Owner Role Granted To User",
@@ -5847,9 +5847,9 @@
},
"9edd1804-83c7-4e48-b97d-c776b4c97564": {
"rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
"sha256": "51bda844e423b532d03fd2f700d2001ebc3fc8886e34ed9f6ff5299a158115a6",
"sha256": "818f3ee681de149ffba0cd3b9141ac53f478b6a921c742d6025a2ab0b70fc92a",
"type": "esql",
"version": 2
"version": 3
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
@@ -5865,9 +5865,9 @@
},
"9f432a8b-9588-4550-838e-1f77285580d3": {
"rule_name": "Dynamic IEX Reconstruction via Method String Access",
"sha256": "bbefbc778b3ce2757bbd09752d5bef93f023e3350c50478e9e75c6551f4414d3",
"sha256": "23f848bcf8ab02b3323f34b311b522159a77a6bf97dcc3d8089023e82dd9f9d1",
"type": "esql",
"version": 3
"version": 4
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync",
@@ -6220,9 +6220,9 @@
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
"sha256": "21d791a88489219e3f57f4d71a6e3568eb9b6256ae1a94d2fae86c709a77231e",
"sha256": "757b1c1389a22d0a43661670468aaf5f14b82e884b26c8905f5e9c19b20f0259",
"type": "esql",
"version": 5
"version": 6
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"rule_name": "Unusual Windows Process Calling the Metadata Service",
@@ -6437,9 +6437,9 @@
},
"b0450411-46e5-46d2-9b35-8b5dd9ba763e": {
"rule_name": "Potential Denial of Azure OpenAI ML Service",
"sha256": "c9d2dd4d5025502e98992e141e6b0d49267b5dcd50dbe6052eab9fd6a7040b56",
"sha256": "c1ef34302dc9874b98d408675be77d3bbd72765a0566a6b19735cd3f44abfcf7",
"type": "esql",
"version": 2
"version": 3
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"rule_name": "Netsh Helper DLL",
@@ -6455,9 +6455,9 @@
},
"b0c98cfb-0745-4513-b6f9-08dddb033490": {
"rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
"sha256": "b2eabca4a2b4fcbb651f53071cc40f07bafc549059fa1e9c87bbb611d41c72ab",
"sha256": "29e5db5ddaca083a914bfd531f068d353526cd492987ef80ced248ca1a8a5f29",
"type": "esql",
"version": 2
"version": 3
},
"b11116fd-023c-4718-aeb8-fa9d283fc53b": {
"rule_name": "Kubeconfig File Creation or Modification",
@@ -6473,9 +6473,9 @@
},
"b1773d05-f349-45fb-9850-287b8f92f02d": {
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
"sha256": "0ec57bc339f3fce1eca49752d9517e31d376889501714169d4c2e86fc43c6d2e",
"sha256": "fe2dd63b825311ec149f4abbb7a2b4ac98755b8186de5519e40c46a42669e1c2",
"type": "esql",
"version": 4
"version": 5
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
@@ -6947,15 +6947,15 @@
},
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
"rule_name": "AWS IAM Login Profile Added for Root",
"sha256": "260baba4a026a272e648f568530059f1eea3a4f0c91f0895da0a4110d7f684aa",
"sha256": "3b617425debc3763357899a4263aa9e971a933de176e492566d0fc6f1c69ba8b",
"type": "esql",
"version": 2
"version": 3
},
"c07f7898-5dc3-11f0-9f27-f661ea17fbcd": {
"rule_name": "Excessive Secret or Key Retrieval from Azure Key Vault",
"sha256": "d9db32fb83e77419cf99052a5c949e37e1824566d96a93e4bd8259217df1468f",
"sha256": "2550fd2bc19a2895a1a4280704a7e8295d3071f7f660279906c890a15ebdca97",
"type": "esql",
"version": 1
"version": 2
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"rule_name": "Memory Dump File with Unusual Extension",
@@ -7109,9 +7109,9 @@
},
"c5637438-e32d-4bb3-bc13-bd7932b3289f": {
"rule_name": "Unusual Base64 Encoding/Decoding Activity",
"sha256": "148df65e1eea1a2b34d43e9b49dad27c38f1c299a98059b5002a37c716f8fa88",
"sha256": "dd7c4d836b8b90c5b5107cc4889992f11f3c126896601722f08d18234919bd58",
"type": "esql",
"version": 4
"version": 5
},
"c5677997-f75b-4cda-b830-a75920514096": {
"rule_name": "Service Path Modification via sc.exe",
@@ -7367,9 +7367,9 @@
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "1aca2b2c157a29b73f66668a3abc34927b44aa910aa2cb52ccc8a402d6d17e80",
"sha256": "68a4b258c94ca39d7665c16e96829e9165da996e5fd1fb17d5d8acfa3a7ed8e2",
"type": "esql",
"version": 306
"version": 307
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
@@ -7398,9 +7398,9 @@
"cca64114-fb8b-11ef-86e2-f661ea17fbce": {
"min_stack_version": "8.18",
"rule_name": "Microsoft Entra ID Sign-In Brute Force Activity",
"sha256": "f35374b6e8916877517d3b40d0b7667a8fc1f04c06a912b95708680736c45523",
"sha256": "adba3399e9ec28832fa4a7be8c2d816863e3b08bd97563ece2c7754b1ae1de8e",
"type": "esql",
"version": 3
"version": 4
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
@@ -7633,9 +7633,9 @@
},
"d43f2b43-02a1-4219-8ce9-10929a32a618": {
"rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
"sha256": "eaeaebdaa3240798af533bd1db03a445ea59bf9841b14a82684a4de790cf0c2b",
"sha256": "d390cfde7a98a3e21ba61d850694e7bef67c2b67e530d666f3bfa33f8965c37b",
"type": "esql",
"version": 2
"version": 3
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
@@ -7987,9 +7987,9 @@
},
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
"sha256": "244ad73f1367274869544a7f3dda5a0e6123a2653435fa6de0c259324b3d4ee2",
"sha256": "22beec2712ccc6324db5a12c0229a5dbf1dfa203f5f40cdc2b8252829c11635b",
"type": "esql",
"version": 5
"version": 6
},
"ddf26e25-3e30-42b2-92db-bde8eb82ad67": {
"rule_name": "File Creation in /var/log via Suspicious Process",
@@ -7999,9 +7999,9 @@
},
"de67f85e-2d43-11f0-b8c9-f661ea17fbcc": {
"rule_name": "Multiple Microsoft 365 User Account Lockouts in Short Time Window",
"sha256": "07d694305b31f0052f17a7913776429fcb04e0d68a500867c6a2e82049e1bfc6",
"sha256": "ca98f8ea3fc4b67ca5e90368d8b612d8c39cac92eaca37990c521b7069a2f954",
"type": "esql",
"version": 2
"version": 3
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"rule_name": "Unusual Child Process from a System Virtual Process",
@@ -8053,9 +8053,9 @@
},
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
"sha256": "904372a1e65209bff4b9a7a90651a78ce37e3737d8d852d745754aff35182b34",
"sha256": "3425a710a5f13c4e30c9c4037a965992ccc0a30a688df68fece4052ac7458c30",
"type": "esql",
"version": 5
"version": 6
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
@@ -8215,9 +8215,9 @@
},
"e3bd85e9-7aff-46eb-b60e-20dfc9020d98": {
"rule_name": "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties",
"sha256": "6fecdb0d35593629ba03cc2c1a447db499bd93ec89e820dd5b497a5184c312e7",
"sha256": "d011d06d89477c177cb71e91bd2d73e91b3c5c4a3e7fe988dce024030d9cc410",
"type": "esql",
"version": 1
"version": 2
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
@@ -8420,9 +8420,9 @@
},
"e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
"rule_name": "Potential PowerShell Obfuscation via String Reordering",
"sha256": "662dd355e060da63a448281e28c1ef73d23ed6db49f881f3b6ca9787fe6c7f02",
"sha256": "61334267fab7a40c13164b761aa5542572e84f08266faa14e6282c22353baedb",
"type": "esql",
"version": 4
"version": 5
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -8798,9 +8798,9 @@
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "42cba0422e9398684922e14a9f8bcb52726504673ccd9369a94911561994ab23",
"sha256": "6ff7d13565c3fa8aaf9cead54500dbc3dd13e124a87f2b6c7eaf2d0d528cd55f",
"type": "esql",
"version": 2
"version": 3
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"rule_name": "SIP Provider Modification",
@@ -8852,9 +8852,9 @@
},
"f38633f4-3b31-4c80-b13d-e77c70ce8254": {
"rule_name": "Potential PowerShell Obfuscation via Reverse Keywords",
"sha256": "3fbc0e998b1acce53e88e609ad82df6874d0c3dc201740bdc9de0ad25a41a819",
"sha256": "1a7bb59668aeb61b005ad82af62c813287c631d756892a3770a2eac56ca9102c",
"type": "esql",
"version": 2
"version": 3
},
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
"rule_name": "Kill Command Execution",
@@ -8906,9 +8906,9 @@
},
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
"sha256": "67cfc341651734d5dc809fca49d66ce14a80f2ba8535da9515f18242adfca0cc",
"sha256": "20f641858b068dde9a75476a566ea629fab3125934c93b48a3aacd5f5b076441",
"type": "esql",
"version": 4
"version": 5
},
"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
"rule_name": "DPKG Package Installed by Unusual Parent Process",
@@ -9021,9 +9021,9 @@
},
"f6d8c743-0916-4483-8333-3c6f107e0caa": {
"rule_name": "Potential PowerShell Obfuscation via String Concatenation",
"sha256": "79c2aba00b276a80f5356f87e12239370d990d051c8a8021024345095990c6c7",
"sha256": "048b30521186afd04760fc0dfb8ca1957d7f5bdb6c98a7135a9707e201b4939c",
"type": "esql",
"version": 3
"version": 4
},
"f701be14-0a36-4e9a-a851-b3e20ae55f09": {
"rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
@@ -9045,9 +9045,9 @@
},
"f770ce79-05fd-4d74-9866-1c5d66c9b34b": {
"rule_name": "Potential Malicious PowerShell Based on Alert Correlation",
"sha256": "2665411355719f14050940eff596f0153f2b0f765f5c9fe2e44758dbda67e016",
"sha256": "4ddf7e935836ae79df33c7406f3e6ca7225d0c4e4f77992dd7ce9913fc461000",
"type": "esql",
"version": 1
"version": 2
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
@@ -9153,9 +9153,9 @@
},
"f9753455-8d55-4ad8-b70a-e07b6f18deea": {
"rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion",
"sha256": "c4923f00e82b142b5a4bcf2fe72541045e8f469ea7e9a23be38aab17b341cdb5",
"sha256": "54c9ab288e075807483eab23fbbea59aba7d8f760406d32755b0f297bbfe0810",
"type": "esql",
"version": 1
"version": 2
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"rule_name": "Privileged Account Brute Force",
@@ -9171,9 +9171,9 @@
},
"f9abcddc-a05d-4345-a81d-000b79aa5525": {
"rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
"sha256": "86aadafc119e441d02add4a75f139de49ab21a69899eaac4ec320574f94bbf2b",
"sha256": "014464fccb4a724e2e3fe5fcc79cc09c6d0fa696ee1d2d18d1a4ebe8c97ac533",
"type": "esql",
"version": 3
"version": 4
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"rule_name": "Remote File Copy to a Hidden Share",
@@ -9225,9 +9225,9 @@
},
"fb16f9ef-cb03-4234-adc2-44641f3b71ee": {
"rule_name": "Azure OpenAI Insecure Output Handling",
"sha256": "e58142a8bf546e096bbe8c91f73efb44d1322b1e0f14f51a6b33f10b5d5a22ca",
"sha256": "799952ea9ded7fa71e9d842e3a27b248bc6c4d49ac83aa56949ca1bd6d6447df",
"type": "esql",
"version": 2
"version": 3
},
"fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": {
"rule_name": "Unusual Group Name Accessed by a User",
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.3.22"
version = "1.3.23"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"