security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4347)

Browse Source
This commit is contained in:
github-actions[bot]
2025-01-07 22:54:34 +05:30
committed by GitHub
parent 2edc062b53
commit 47571956a7
2 changed files with 162 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+161 -24
View File
@@ -92,6 +92,13 @@
"type": "threshold",
"version": 7
},
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Memory Threat - Detected - Elastic Defend",
"sha256": "9bd0f3d01ba4fa20cad1d9fbbc2e6ceb49cc0b07a3e1c1c6250c0f990af738e6",
"type": "query",
"version": 1
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"min_stack_version": "8.13",
"previous": {
@@ -407,6 +414,12 @@
"type": "eql",
"version": 210
},
"06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": {
"rule_name": "Dynamic Linker (ld.so) Creation",
"sha256": "d199c5e9dfd9aa2e6e54808f02b7c661ba51e4c78cc780b45d0e910dc09b0230",
"type": "eql",
"version": 1
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.14",
"previous": {
@@ -423,6 +436,13 @@
"type": "eql",
"version": 213
},
"06f3a26c-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Memory Threat - Prevented- Elastic Defend",
"sha256": "542beb283553b21b373b87f1963fa845b95929b9664d3af97f7777e621206a0b",
"type": "query",
"version": 1
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.14",
"previous": {
@@ -708,6 +728,13 @@
"type": "threat_match",
"version": 7
},
"0c74cd7e-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Ransomware - Detected - Elastic Defend",
"sha256": "d762ceed58b4360fed6a1ddbf89869a6d4548ddaaff3398092e868f20864f049",
"type": "query",
"version": 1
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.14",
"previous": {
@@ -831,6 +858,13 @@
"type": "eql",
"version": 3
},
"0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Behavior - Detected - Elastic Defend",
"sha256": "744407645eb6ef1ce3977b8496e04d8f01d92fb09e755c6b86c46789bcc96172",
"type": "query",
"version": 1
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
@@ -877,6 +911,13 @@
"type": "query",
"version": 206
},
"10f3d520-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Ransomware - Prevented - Elastic Defend",
"sha256": "66448c143965f6318351f4adfaf855518fd60f58e0fceab482a7e31720a276b9",
"type": "query",
"version": 1
},
"11013227-0301-4a8c-b150-4db924484475": {
"rule_name": "Abnormally Large DNS Response",
"sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721",
@@ -1103,6 +1144,12 @@
"type": "eql",
"version": 411
},
"135abb91-dcf4-48aa-b81a-5ad036b67c68": {
"rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
"sha256": "b6c89e8c3a97272346f423ebb217dd3b570a754d8cf3cc976707c2b412198fdc",
"type": "eql",
"version": 1
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"rule_name": "Rare User Logon",
"sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59",
@@ -1487,6 +1534,12 @@
"type": "eql",
"version": 201
},
"183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
"rule_name": "Simple HTTP Web Server Connection",
"sha256": "575964f96d787c02c6888d33c9161a93837fb176e8e240198586bbbd307789db",
"type": "eql",
"version": 1
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"rule_name": "GCP Logging Sink Modification",
"sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2",
@@ -1501,9 +1554,9 @@
},
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
"rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
"sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e",
"sha256": "c4dbede7ecb8a7d4cb801fda64b573c95bb9410728f7c9f08aa32550ce093b7d",
"type": "threshold",
"version": 1
"version": 2
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"rule_name": "Spike in Number of Connections Made to a Destination IP",
@@ -1513,9 +1566,9 @@
},
"192657ba-ab0e-4901-89a2-911d611eee98": {
"rule_name": "Potential Persistence via File Modification",
"sha256": "abc2a9316141b799f35032d6ce4594520d1990765d3886ffe188c594fafd59a0",
"sha256": "298ff5b48b9ea67a5f5b35141f71ede83fd8f9844fe8a4bccba0f987df0a6899",
"type": "eql",
"version": 4
"version": 5
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -1523,6 +1576,12 @@
"type": "eql",
"version": 4
},
"1965eab8-d17f-4b21-8c48-ad5ff133695d": {
"rule_name": "Kernel Object File Creation",
"sha256": "2eb986eae007c47e943a3657d2458133f365a7cbb5f997b2bd18de59abedf5c6",
"type": "new_terms",
"version": 1
},
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
"sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7",
@@ -3730,6 +3789,13 @@
"type": "machine_learning",
"version": 4
},
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "Azure Entra MFA TOTP Brute Force Attempts",
"sha256": "1a4b33f58f3f5e8119f8fdac2f49f61b75eb76cc5b91e8be6045078961c6f24c",
"type": "esql",
"version": 1
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc",
@@ -3873,6 +3939,12 @@
"type": "eql",
"version": 2
},
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Login via Unusual System User",
"sha256": "66fd861d1fa983a1abce1672b26a0ec424f5021eadbd38113c20cf070607a573",
"type": "eql",
"version": 1
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.15",
"previous": {
@@ -4336,6 +4408,12 @@
"type": "eql",
"version": 310
},
"4c3c6c47-e38f-4944-be27-5c80be973bd7": {
"rule_name": "Unusual SSHD Child Process",
"sha256": "482163bba1d5afced4faf24a38e7ed0317164468a4faf3bcb8ecb58d21024320",
"type": "new_terms",
"version": 1
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.14",
"previous": {
@@ -4765,6 +4843,12 @@
"type": "eql",
"version": 106
},
"53ef31ea-1f8a-493b-9614-df23d8277232": {
"rule_name": "Pluggable Authentication Module (PAM) Source Download",
"sha256": "4506697959db38106a2f20808c7650d71b4bb69ca921ecb433f9f7d437e1b418",
"type": "eql",
"version": 1
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.14",
"previous": {
@@ -4777,9 +4861,9 @@
}
},
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "62ede16d68f9a13f35791ebd4acf967b6a53e167d2211eea0b4a9c9e452339ef",
"sha256": "05f4e7d83a92a1aaed215be67f65efbc6491fca10438887f10a7d47cfb88c838",
"type": "eql",
"version": 211
"version": 212
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.14",
@@ -5280,6 +5364,12 @@
"type": "query",
"version": 1
},
"5c832156-5785-4c9c-a2e7-0d80d2ba3daa": {
"rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"sha256": "c07bd3dc94f7395887a9d16a2c6986600519ec86ba8f4082f4c1c546be147907",
"type": "eql",
"version": 1
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "d07f514f10110b37d711bf355d40833340fbbf7701ba0cc4db57f259713e2dba",
@@ -5580,9 +5670,9 @@
}
},
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff",
"sha256": "4d6ac1ca8a19590fa0ac7866fe9b56931d6d7515611ebf4cd25c8ee1ecedfa95",
"type": "threshold",
"version": 206
"version": 207
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.14",
@@ -6264,6 +6354,12 @@
"type": "new_terms",
"version": 108
},
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
"rule_name": "Loadable Kernel Module Configuration File Creation",
"sha256": "c252a18bf2a68359e1d94df169c9571410f418945f1b4a916cbba7bbc94330c3",
"type": "eql",
"version": 1
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.14",
"previous": {
@@ -7834,6 +7930,12 @@
"type": "query",
"version": 206
},
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
"rule_name": "Simple HTTP Web Server Creation",
"sha256": "616c2c8d1ae0e869534ba6f3f7f497bdd72792f46de42e6c51d6bebcf3eebd99",
"type": "eql",
"version": 1
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3",
@@ -8438,10 +8540,11 @@
"version": 105
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"rule_name": "Endpoint Security",
"sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d",
"min_stack_version": "8.12",
"rule_name": "Endpoint Security (Elastic Defend)",
"sha256": "a4dde703652ee6884fe682bb32efc9fe966aaa7df53bca5436de63d993527889",
"type": "query",
"version": 103
"version": 104
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"rule_name": "Unsigned BITS Service Client Process",
@@ -8884,9 +8987,9 @@
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"rule_name": "My First Rule",
"sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29",
"sha256": "6e0a27cbad2201b443c14712e096547ab0f70144d8a1777fbc9a7118b6f31701",
"type": "threshold",
"version": 3
"version": 4
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"rule_name": "Potential Reverse Shell Activity via Terminal",
@@ -8923,6 +9026,12 @@
"type": "eql",
"version": 311
},
"a22b8486-5c4b-4e05-ad16-28de550b1ccc": {
"rule_name": "Unusual Preload Environment Variable Process Execution",
"sha256": "30e15837fc2299fc5bd51618f8f9d726a4f81121c3e9213c9f0f37b7f1922784",
"type": "new_terms",
"version": 1
},
"a22f566b-5b23-4412-880d-c6c957acd321": {
"rule_name": "AWS STS AssumeRole with New MFA Device",
"sha256": "cfb03e9127dfd2a1580d29f64f412173261e28a1c22ca8b51e484f75b870ff8c",
@@ -9222,9 +9331,9 @@
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
"sha256": "93c49db43b03637f2c1d053b9f5ebcbd2776f483fe824854fae2ace948d956dd",
"sha256": "d83d4d35e0bb8980567f6aed233e06d8bcb4824a6e438a8f8606f7318ce7f204",
"type": "eql",
"version": 114
"version": 115
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"min_stack_version": "8.13",
@@ -12158,9 +12267,9 @@
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"rule_name": "Query Registry using Built-in Tools",
"sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd",
"sha256": "de848b5e9c4cb1dbf61d805263fb3e9d70aed03a3de0e18b44698957c53aa130",
"type": "new_terms",
"version": 105
"version": 106
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"rule_name": "First Time Seen Driver Loaded",
@@ -12660,7 +12769,7 @@
"version": 207
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 205,
@@ -12668,12 +12777,19 @@
"sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20",
"type": "eql",
"version": 106
},
"8.14": {
"max_allowable_version": 305,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c",
"type": "eql",
"version": 206
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c",
"sha256": "c27d3d535d30d3af01b3d9c4fefd1fffd5d4aece3da4eec4fdcdd0ee716bdd22",
"type": "eql",
"version": 206
"version": 306
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"rule_name": "Potential Windows Session Hijacking via CcmExec",
@@ -12961,6 +13077,13 @@
"type": "eql",
"version": 104
},
"eb804972-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Behavior - Prevented - Elastic Defend",
"sha256": "ec5e33322a047ec2ab8e5339bcbc0a666083f428226a5c77f0384a4fc1d25e4f",
"type": "query",
"version": 1
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef",
@@ -13359,6 +13482,13 @@
"type": "eql",
"version": 110
},
"f2c3caa6-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Malicious File - Detected - Elastic Defend",
"sha256": "7b9a35f4a8a0e47cd62338e301fda982b665581e69582f6f07a420516a7c5d81",
"type": "query",
"version": 1
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
@@ -13502,9 +13632,9 @@
},
"f48ecc44-7d02-437d-9562-b838d2c41987": {
"rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
"sha256": "6dc8920fe9a4bc479c93299a5b594945d88909d894d5a90f8997caba441bfa2a",
"sha256": "28451a124942aacc3132dc4aa9cf07779c9879d2e81581d9a09e0715aa18514d",
"type": "eql",
"version": 2
"version": 3
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.14",
@@ -13846,6 +13976,13 @@
"type": "eql",
"version": 312
},
"f87e6122-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Malicious File - Prevented - Elastic Defend",
"sha256": "9b4dc0fb3aa575631ab1f19f6059c644319158dc055b3ebf6dac4148d593c119",
"type": "query",
"version": 1
},
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
"min_stack_version": "8.14",
"previous": {
@@ -14022,9 +14159,9 @@
}
},
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "5593d660090874e775e2dedabd7551d2cd2be7a6c684f617ce9b597f367e5238",
"sha256": "d31107882201846433a5c59aa2d72a82cb14836b79e86eb8a93521116638d30a",
"type": "eql",
"version": 313
"version": 314
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
pyproject.toml
+1 -1
View File
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "0.3.11"
version = "0.3.12"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"