From 47571956a760dfbc897e547afb328e97e4e122b6 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 7 Jan 2025 22:54:34 +0530 Subject: [PATCH] Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4347) --- detection_rules/etc/version.lock.json | 185 ++++++++++++++++++++++---- pyproject.toml | 2 +- 2 files changed, 162 insertions(+), 25 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 9ccf67398..10d8ed9f1 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -92,6 +92,13 @@ "type": "threshold", "version": 7 }, + "017de1e4-ea35-11ee-a417-f661ea17fbce": { + "min_stack_version": "8.16", + "rule_name": "Memory Threat - Detected - Elastic Defend", + "sha256": "9bd0f3d01ba4fa20cad1d9fbbc2e6ceb49cc0b07a3e1c1c6250c0f990af738e6", + "type": "query", + "version": 1 + }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { "min_stack_version": "8.13", "previous": { @@ -407,6 +414,12 @@ "type": "eql", "version": 210 }, + "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { + "rule_name": "Dynamic Linker (ld.so) Creation", + "sha256": "d199c5e9dfd9aa2e6e54808f02b7c661ba51e4c78cc780b45d0e910dc09b0230", + "type": "eql", + "version": 1 + }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "min_stack_version": "8.14", "previous": { @@ -423,6 +436,13 @@ "type": "eql", "version": 213 }, + "06f3a26c-ea35-11ee-a417-f661ea17fbce": { + "min_stack_version": "8.16", + "rule_name": "Memory Threat - Prevented- Elastic Defend", + "sha256": "542beb283553b21b373b87f1963fa845b95929b9664d3af97f7777e621206a0b", + "type": "query", + "version": 1 + }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.14", "previous": { 
@@ -708,6 +728,13 @@ "type": "threat_match", "version": 7 }, + "0c74cd7e-ea35-11ee-a417-f661ea17fbce": { + "min_stack_version": "8.16", + "rule_name": "Ransomware - Detected - Elastic Defend", + "sha256": "d762ceed58b4360fed6a1ddbf89869a6d4548ddaaff3398092e868f20864f049", + "type": "query", + "version": 1 + }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.14", "previous": { @@ -831,6 +858,13 @@ "type": "eql", "version": 3 }, + "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { + "min_stack_version": "8.16", + "rule_name": "Behavior - Detected - Elastic Defend", + "sha256": "744407645eb6ef1ce3977b8496e04d8f01d92fb09e755c6b86c46789bcc96172", + "type": "query", + "version": 1 + }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", "sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be", @@ -877,6 +911,13 @@ "type": "query", "version": 206 }, + "10f3d520-ea35-11ee-a417-f661ea17fbce": { + "min_stack_version": "8.16", + "rule_name": "Ransomware - Prevented - Elastic Defend", + "sha256": "66448c143965f6318351f4adfaf855518fd60f58e0fceab482a7e31720a276b9", + "type": "query", + "version": 1 + }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", @@ -1103,6 +1144,12 @@ "type": "eql", "version": 411 }, + "135abb91-dcf4-48aa-b81a-5ad036b67c68": { + "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", + "sha256": "b6c89e8c3a97272346f423ebb217dd3b570a754d8cf3cc976707c2b412198fdc", + "type": "eql", + "version": 1 + }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "rule_name": "Rare User Logon", "sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59", 
@@ -1487,6 +1534,12 @@ "type": "eql", "version": 201 }, + "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { + "rule_name": "Simple HTTP Web Server Connection", + "sha256": "575964f96d787c02c6888d33c9161a93837fb176e8e240198586bbbd307789db", + "type": "eql", + "version": 1 + }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2", @@ -1501,9 +1554,9 @@ }, "185c782e-f86a-11ee-9d9f-f661ea17fbce": { "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", - "sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e", + "sha256": "c4dbede7ecb8a7d4cb801fda64b573c95bb9410728f7c9f08aa32550ce093b7d", "type": "threshold", - "version": 1 + "version": 2 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "rule_name": "Spike in Number of Connections Made to a Destination IP", @@ -1513,9 +1566,9 @@ }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", - "sha256": "abc2a9316141b799f35032d6ce4594520d1990765d3886ffe188c594fafd59a0", + "sha256": "298ff5b48b9ea67a5f5b35141f71ede83fd8f9844fe8a4bccba0f987df0a6899", "type": "eql", - "version": 4 + "version": 5 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", @@ -1523,6 +1576,12 @@ "type": "eql", "version": 4 }, + "1965eab8-d17f-4b21-8c48-ad5ff133695d": { + "rule_name": "Kernel Object File Creation", + "sha256": "2eb986eae007c47e943a3657d2458133f365a7cbb5f997b2bd18de59abedf5c6", + "type": "new_terms", + "version": 1 + }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests", "sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7", 
@@ -3730,6 +3789,13 @@ "type": "machine_learning", "version": 4 }, + "3fac01b2-b811-11ef-b25b-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Azure Entra MFA TOTP Brute Force Attempts", + "sha256": "1a4b33f58f3f5e8119f8fdac2f49f61b75eb76cc5b91e8be6045078961c6f24c", + "type": "esql", + "version": 1 + }, "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { "rule_name": "DNF Package Manager Plugin File Creation", "sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc", @@ -3873,6 +3939,12 @@ "type": "eql", "version": 2 }, + "428e9109-dc13-4ae9-84cb-100464d4c6fa": { + "rule_name": "Login via Unusual System User", + "sha256": "66fd861d1fa983a1abce1672b26a0ec424f5021eadbd38113c20cf070607a573", + "type": "eql", + "version": 1 + }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.15", "previous": { @@ -4336,6 +4408,12 @@ "type": "eql", "version": 310 }, + "4c3c6c47-e38f-4944-be27-5c80be973bd7": { + "rule_name": "Unusual SSHD Child Process", + "sha256": "482163bba1d5afced4faf24a38e7ed0317164468a4faf3bcb8ecb58d21024320", + "type": "new_terms", + "version": 1 + }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.14", "previous": { @@ -4765,6 +4843,12 @@ "type": "eql", "version": 106 }, + "53ef31ea-1f8a-493b-9614-df23d8277232": { + "rule_name": "Pluggable Authentication Module (PAM) Source Download", + "sha256": "4506697959db38106a2f20808c7650d71b4bb69ca921ecb433f9f7d437e1b418", + "type": "eql", + "version": 1 + }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.14", "previous": { @@ -4777,9 +4861,9 @@ } }, "rule_name": "Uncommon Registry Persistence Change", - "sha256": "62ede16d68f9a13f35791ebd4acf967b6a53e167d2211eea0b4a9c9e452339ef", + "sha256": "05f4e7d83a92a1aaed215be67f65efbc6491fca10438887f10a7d47cfb88c838", "type": "eql", - "version": 211 + "version": 212 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.14", 
@@ -5280,6 +5364,12 @@ "type": "query", "version": 1 }, + "5c832156-5785-4c9c-a2e7-0d80d2ba3daa": { + "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", + "sha256": "c07bd3dc94f7395887a9d16a2c6986600519ec86ba8f4082f4c1c546be147907", + "type": "eql", + "version": 1 + }, "5c895b4f-9133-4e68-9e23-59902175355c": { "rule_name": "Potential Meterpreter Reverse Shell", "sha256": "d07f514f10110b37d711bf355d40833340fbbf7701ba0cc4db57f259713e2dba", @@ -5580,9 +5670,9 @@ } }, "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", + "sha256": "4d6ac1ca8a19590fa0ac7866fe9b56931d6d7515611ebf4cd25c8ee1ecedfa95", "type": "threshold", - "version": 206 + "version": 207 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", @@ -6264,6 +6354,12 @@ "type": "new_terms", "version": 108 }, + "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { + "rule_name": "Loadable Kernel Module Configuration File Creation", + "sha256": "c252a18bf2a68359e1d94df169c9571410f418945f1b4a916cbba7bbc94330c3", + "type": "eql", + "version": 1 + }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.14", "previous": { @@ -7834,6 +7930,12 @@ "type": "query", "version": 206 }, + "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { + "rule_name": "Simple HTTP Web Server Creation", + "sha256": "616c2c8d1ae0e869534ba6f3f7f497bdd72792f46de42e6c51d6bebcf3eebd99", + "type": "eql", + "version": 1 + }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", 
@@ -8438,10 +8540,11 @@ "version": 105 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { - "rule_name": "Endpoint Security", - "sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d", + "min_stack_version": "8.12", + "rule_name": "Endpoint Security (Elastic Defend)", + "sha256": "a4dde703652ee6884fe682bb32efc9fe966aaa7df53bca5436de63d993527889", "type": "query", - "version": 103 + "version": 104 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { "rule_name": "Unsigned BITS Service Client Process", @@ -8884,9 +8987,9 @@ }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { "rule_name": "My First Rule", - "sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29", + "sha256": "6e0a27cbad2201b443c14712e096547ab0f70144d8a1777fbc9a7118b6f31701", "type": "threshold", - "version": 3 + "version": 4 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "rule_name": "Potential Reverse Shell Activity via Terminal", @@ -8923,6 +9026,12 @@ "type": "eql", "version": 311 }, + "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { + "rule_name": "Unusual Preload Environment Variable Process Execution", + "sha256": "30e15837fc2299fc5bd51618f8f9d726a4f81121c3e9213c9f0f37b7f1922784", + "type": "new_terms", + "version": 1 + }, "a22f566b-5b23-4412-880d-c6c957acd321": { "rule_name": "AWS STS AssumeRole with New MFA Device", "sha256": "cfb03e9127dfd2a1580d29f64f412173261e28a1c22ca8b51e484f75b870ff8c", @@ -9222,9 +9331,9 @@ }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", - "sha256": "93c49db43b03637f2c1d053b9f5ebcbd2776f483fe824854fae2ace948d956dd", + "sha256": "d83d4d35e0bb8980567f6aed233e06d8bcb4824a6e438a8f8606f7318ce7f204", "type": "eql", - "version": 114 + "version": 115 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "min_stack_version": "8.13", 
@@ -12158,9 +12267,9 @@ }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", - "sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd", + "sha256": "de848b5e9c4cb1dbf61d805263fb3e9d70aed03a3de0e18b44698957c53aa130", "type": "new_terms", - "version": 105 + "version": 106 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", @@ -12660,7 +12769,7 @@ "version": 207 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 205, @@ -12668,12 +12777,19 @@ "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", "type": "eql", "version": 106 + }, + "8.14": { + "max_allowable_version": 305, + "rule_name": "Suspicious WMI Event Subscription Created", + "sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c", + "type": "eql", + "version": 206 } }, "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c", + "sha256": "c27d3d535d30d3af01b3d9c4fefd1fffd5d4aece3da4eec4fdcdd0ee716bdd22", "type": "eql", - "version": 206 + "version": 306 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { "rule_name": "Potential Windows Session Hijacking via CcmExec", @@ -12961,6 +13077,13 @@ "type": "eql", "version": 104 }, + "eb804972-ea34-11ee-a417-f661ea17fbce": { + "min_stack_version": "8.16", + "rule_name": "Behavior - Prevented - Elastic Defend", + "sha256": "ec5e33322a047ec2ab8e5339bcbc0a666083f428226a5c77f0384a4fc1d25e4f", + "type": "query", + "version": 1 + }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", 
@@ -13359,6 +13482,13 @@ "type": "eql", "version": 110 }, + "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { + "min_stack_version": "8.16", + "rule_name": "Malicious File - Detected - Elastic Defend", + "sha256": "7b9a35f4a8a0e47cd62338e301fda982b665581e69582f6f07a420516a7c5d81", + "type": "query", + "version": 1 + }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "min_stack_version": "8.13", "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", @@ -13502,9 +13632,9 @@ }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", - "sha256": "6dc8920fe9a4bc479c93299a5b594945d88909d894d5a90f8997caba441bfa2a", + "sha256": "28451a124942aacc3132dc4aa9cf07779c9879d2e81581d9a09e0715aa18514d", "type": "eql", - "version": 2 + "version": 3 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.14", @@ -13846,6 +13976,13 @@ "type": "eql", "version": 312 }, + "f87e6122-ea34-11ee-a417-f661ea17fbce": { + "min_stack_version": "8.16", + "rule_name": "Malicious File - Prevented - Elastic Defend", + "sha256": "9b4dc0fb3aa575631ab1f19f6059c644319158dc055b3ebf6dac4148d593c119", + "type": "query", + "version": 1 + }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { "min_stack_version": "8.14", "previous": { @@ -14022,9 +14159,9 @@ } }, "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "5593d660090874e775e2dedabd7551d2cd2be7a6c684f617ce9b597f367e5238", + "sha256": "d31107882201846433a5c59aa2d72a82cb14836b79e86eb8a93521116638d30a", "type": "eql", - "version": 313 + "version": 314 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "rule_name": "Potential Disabling of AppArmor", diff --git a/pyproject.toml b/pyproject.toml index e420bd4e0..fb6af21ac 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.11"
+version = "0.3.12"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"