From 4cf3d28367b6f2860c8db7251459892bc2884a0e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 2 Jun 2025 21:53:59 +0530
Subject: [PATCH] Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4758)
---
 detection_rules/etc/version.lock.json | 106 ++++++++++++++++++++------
 pyproject.toml | 2 +-
 2 files changed, 82 insertions(+), 26 deletions(-)
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index dcf843324..0d91723af 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -546,10 +546,20 @@
 "version": 113
 },
 "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
- "rule_name": "AWS STS Temporary IAM Session Token Used from Multiple Addresses",
- "sha256": "fb175cfc21beb83df7bcff6a18a7a0e8a0d6d449a76447a0ab35e979a20980f3",
+ "min_stack_version": "8.17",
+ "previous": {
+ "8.14": {
+ "max_allowable_version": 100,
+ "rule_name": "AWS STS Temporary IAM Session Token Used from Multiple Addresses",
+ "sha256": "fb175cfc21beb83df7bcff6a18a7a0e8a0d6d449a76447a0ab35e979a20980f3",
+ "type": "esql",
+ "version": 1
+ }
+ },
+ "rule_name": "AWS Access Token Used from Multiple Addresses",
+ "sha256": "156805611533217338dd0a15eb5010ccbc4528c1188d7e5e6e299e430043fe77",
 "type": "esql",
- "version": 1
+ "version": 101
 },
 "0e1af929-42ed-4262-a846-55a7c54e7c84": {
 "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
@@ -759,9 +769,9 @@
 },
 "12f07955-1674-44f7-86b5-c35da0a6f41a": {
 "rule_name": "Suspicious Cmd Execution via WMI",
- "sha256": "0fe1dc18cb0e32621e2cb136231d7c6f4d0cd3fa200f16cffd311a90e970b95e",
+ "sha256": "3158b0d587e1f5c04d72866daa49f755711572ab959d2b9ed59f244d0c20d50f",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "1327384f-00f3-44d5-9a8c-2373ba071e92": {
 "rule_name": "Persistence via Scheduled Job Creation",
@@ -1167,9 +1177,9 @@
 },
 "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
 "rule_name": "Incoming Execution via WinRM Remote Shell",
- "sha256": "e0d9285e7c8f43cd27db35781cb34899ad5526f021ddf491ecf12869ac95bfc2",
+ "sha256": "921f844de42402e057a22237ec95b488f34123e89ca610c7e7ea344ef489406e",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
 "min_stack_version": "8.15",
@@ -1591,9 +1601,9 @@
 }
 },
 "rule_name": "Potential Microsoft 365 User Account Brute Force",
- "sha256": "e19432ea193cb159db6a83bccae69b3a2165162645c22b0f8e36bee3f71ddb29",
+ "sha256": "5c514169b6d79b56e7862806ed11630e068b9d8675fbe1f9f171736a3b42ad0e",
 "type": "esql",
- "version": 412
+ "version": 413
 },
 "27071ea3-e806-4697-8abc-e22c92aa4293": {
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
@@ -1622,9 +1632,9 @@
 },
 "2772264c-6fb9-4d9d-9014-b416eed21254": {
 "rule_name": "Incoming Execution via PowerShell Remoting",
- "sha256": "d477fb4eaf78098182fc9ea4c9530a55f951c3ad1a66b4781f84353a520f25f2",
+ "sha256": "26034bdbca84819d08621e81f45335b6b0a5a4b72080897d89583cfad64df74d",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "2783d84f-5091-4d7d-9319-9fceda8fa71b": {
 "rule_name": "GCP Firewall Rule Modification",
@@ -1652,9 +1662,9 @@
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "rule_name": "Account Discovery Command via SYSTEM Account",
- "sha256": "da6a302b1088ca207afc522f46ac04c7f1964192a0faa18132c282657506cd83",
+ "sha256": "33c1f21b8ad943e006b0b8c052cb8e8e00dfc46a3d39b3b1baf2da061b691319",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "rule_name": "Exploit - Prevented - Elastic Endgame",
@@ -1821,6 +1831,12 @@
 "type": "eql",
 "version": 206
 },
+ "2c74e26b-dfe3-4644-b62b-d0482f124210": {
+ "rule_name": "Delegated Managed Service Account Modification by an Unusual User",
+ "sha256": "21e09dab982fc75a8effbb761eed248ac52d6662278b026bc12407896cfda7c7",
+ "type": "new_terms",
+ "version": 1
+ },
 "2d62889e-e758-4c5e-b57e-c735914ee32a": {
 "rule_name": "Command and Scripting Interpreter via Windows Scripts",
 "sha256": "a8452b808ef5b2d08e80de2855c7e515669631992be43640d6a9180a9e02c7d6",
@@ -2127,10 +2143,20 @@
 "version": 7
 },
 "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
- "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts",
- "sha256": "93996a82dfb600e7e40a0bc6c930c29592b522b81f785c3d11c67bd43e234bbe",
+ "min_stack_version": "8.17",
+ "previous": {
+ "8.14": {
+ "max_allowable_version": 103,
+ "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts",
+ "sha256": "93996a82dfb600e7e40a0bc6c930c29592b522b81f785c3d11c67bd43e234bbe",
+ "type": "esql",
+ "version": 4
+ }
+ },
+ "rule_name": "Potential Microsoft 365 Brute Force via Entra ID Sign-Ins",
+ "sha256": "e001d9362eed086bc923624a65783867be0e1257151bba0624238afbb168c521",
 "type": "esql",
- "version": 4
+ "version": 104
 },
 "35c029c3-090e-4a25-b613-0b8099970fc1": {
 "rule_name": "File System Debugger Launched Inside a Container",
@@ -2201,10 +2227,10 @@
 "version": 209
 },
 "37994bca-0611-4500-ab67-5588afe73b77": {
- "rule_name": "Azure Active Directory High Risk Sign-in",
- "sha256": "8506657157976e0c60e4ce3589a7cbb8d9c1a1f7e7f0b2ab4069cf4bbd476c50",
+ "rule_name": "Microsoft Entra ID High Risk Sign-in",
+ "sha256": "1d35cfbce798e2708c203ef68dc41b4a78d4a8690f839136b3da3c56e2f7c659",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "37b0816d-af40-40b4-885f-bb162b3c88a9": {
 "rule_name": "Anomalous Kernel Module Activity",
@@ -2218,6 +2244,12 @@
 "type": "new_terms",
 "version": 213
 },
+ "37cb6756-8892-4af3-a6bd-ddc56db0069d": {
+ "rule_name": "Disabling Lsa Protection via Registry Modification",
+ "sha256": "da16b682e3af6a8ba8b753f079facc33cfc6e4632d6cc699a30659325a41d493",
+ "type": "eql",
+ "version": 1
+ },
 "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": {
 "min_stack_version": "8.18",
 "rule_name": "Spike in User Account Management Events",
@@ -2565,6 +2597,12 @@
 "type": "new_terms",
 "version": 110
 },
+ "40fe11c2-376e-11f0-9a82-f661ea17fbcd": {
+ "rule_name": "Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails",
+ "sha256": "2b4c21afcd84ae10ad9914fe8bd9cbce95d0bb7876d9b07c65c5a750e25048f1",
+ "type": "new_terms",
+ "version": 1
+ },
 "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
 "rule_name": "Unix Socket Connection",
 "sha256": "f9818727aa0de6e62f321106e05a53d222d1d6f05fea7da47f6428bb18106dce",
@@ -5055,9 +5093,9 @@
 },
 "88671231-6626-4e1b-abb7-6e361a171fbb": {
 "rule_name": "Microsoft 365 Global Administrator Role Assigned",
- "sha256": "8efd7c20dc5cd351358fb3c564fc7726035e276cab467106eb76cfb61c804252",
+ "sha256": "15c2ef603fa386034d9c15726475fdb118c5068f3a25df4559a4213273c5b1f9",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "88817a33-60d3-411f-ba79-7c905d865b2a": {
 "rule_name": "Sublime Plugin or Application Script Modification",
@@ -5260,6 +5298,12 @@
 "type": "eql",
 "version": 5
 },
+ "8d9c4128-372a-11f0-9d8f-f661ea17fbcd": {
+ "rule_name": "Microsoft Entra ID Elevated Access to User Access Administrator",
+ "sha256": "ec9ac65f7b62971dbd3b66da050bb66e142abaf6931ac3230abcd430d612f8b8",
+ "type": "new_terms",
+ "version": 1
+ },
 "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
 "rule_name": "Potential Privilege Escalation via PKEXEC",
 "sha256": "deb464e30e85354dc3dcfc4f32483257772a7a1b609d9dc33a8560f230be4e90",
@@ -7437,6 +7481,12 @@
 "type": "eql",
 "version": 12
 },
+ "caaa8b78-367c-11f0-beb8-f661ea17fbcd": {
+ "rule_name": "Microsoft Entra ID User Reported Suspicious Activity",
+ "sha256": "2b26266bf5ae68b193aa06b9346248c70882cafeb1197534177438fc861cf584",
+ "type": "query",
+ "version": 1
+ },
 "cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
 "rule_name": "Auditd Login from Forbidden Location",
 "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
@@ -8948,6 +8998,12 @@
 "type": "esql",
 "version": 2
 },
+ "f0dbff4c-1aa7-4458-9ed5-ada472f64970": {
+ "rule_name": "dMSA Account Creation by an Unusual User",
+ "sha256": "51ee0ffcc257a17519e1f53b4296157b87cb7f1beb88e611f390ae8debbb37f9",
+ "type": "new_terms",
+ "version": 1
+ },
 "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
 "rule_name": "Execution with Explicit Credentials via Scripting",
 "sha256": "c238de5d2b0c57efaa4780d8e7f5f95a05cf99a2ec8a5840a05e31456acd97c4",
@@ -9041,9 +9097,9 @@
 },
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "rule_name": "WMI Incoming Lateral Movement",
- "sha256": "368bc703785ca4701d987a7c4a47999df5f4d11ba2afa7c5248bc17f5f1fb741",
+ "sha256": "09e8a918c81fe0701b414046f7b2978cf6917f27d256594f18f20c0766f12651",
 "type": "eql",
- "version": 214
+ "version": 215
 },
 "f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
 "rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
@@ -9234,9 +9290,9 @@
 },
 "f766ffaf-9568-4909-b734-75d19b35cbf4": {
 "rule_name": "Microsoft Entra ID Service Principal Credentials Added by Rare User",
- "sha256": "7709314f0814aebb585e14fe705cbb9a332d42ddd461c74162cbc89ce1c8d267",
+ "sha256": "029d79b21a99fe77788692b50de1c496e820f6451b39dd167d55f278b02da705",
 "type": "new_terms",
- "version": 106
+ "version": 107
 },
 "f770ce79-05fd-4d74-9866-1c5d66c9b34b": {
 "rule_name": "Potential Malicious PowerShell Based on Alert Correlation",
diff --git a/pyproject.toml b/pyproject.toml
index 0f99cf270..4878ac6c3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.11"
+version = "1.2.12"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"