diff --git a/detection_rules/etc/downloadable_updates.json b/detection_rules/etc/downloadable_updates.json
index a08a42e13..423ca4642 100644
--- a/detection_rules/etc/downloadable_updates.json
+++ b/detection_rules/etc/downloadable_updates.json
@@ -153,4 +153,4 @@
 "url": "https://www.elastic.co/guide/en/security/current/prebuilt-rule-0-13-1-prebuilt-rules-0-13-1-summary.html"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 8cdd02459..6307f0392 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -131,6 +131,20 @@
 "type": "threshold",
 "version": 107
 },
+ "035a6f21-4092-471d-9cda-9e379f459b1e": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Memory Seeking Activity",
+ "sha256": "cf7288d5a8b54dbec325b6a09a60bfe6e15ec568f36d383957de4e52d825d740",
+ "type": "eql",
+ "version": 1
+ },
+ "0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious Dynamic Linker Discovery via od",
+ "sha256": "ee4583e8996395a3e208c355990b54a0e05d19c2189888df9e14c2a5ae96d52d",
+ "type": "eql",
+ "version": 1
+ },
 "03a514d9-500e-443e-b6a9-72718c548f6c": {
 "min_stack_version": "8.8",
 "rule_name": "SSH Process Launched From Inside A Container",
@@ -1242,6 +1256,13 @@
 "type": "eql",
 "version": 108
 },
+ "202829f6-0271-4e88-b882-11a655c590d4": {
+ "min_stack_version": "8.3",
+ "rule_name": "Executable Masquerading as Kernel Process",
+ "sha256": "9040a822ed47ef2d3bf89675fe2fdb67018a559f75c854ee80ad84714ff4fc4c",
+ "type": "eql",
+ "version": 1
+ },
 "203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
 "min_stack_version": "8.3",
 "rule_name": "Creation or Modification of Root Certificate",
@@ -1788,6 +1809,13 @@
 "type": "eql",
 "version": 108
 },
+ "2f95540c-923e-4f57-9dae-de30169c68b9": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious /proc/maps Discovery",
+ "sha256": "6ff711bf9210efc3644140457f78037989cc2a13cc4d303260183a696d07acb8",
+ "type": "eql",
+ "version": 1
+ },
 "2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
 "min_stack_version": "8.3",
 "rule_name": "Startup Folder Persistence via Unsigned Process",
@@ -3296,9 +3324,9 @@
 "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
 "min_stack_version": "8.4",
 "rule_name": "FirstTime Seen Account Performing DCSync",
- "sha256": "6d5bf9fe5d4e6cc423f1a2c017576e9714f20baf6d4fa80d1bdf31e37e1e7267",
+ "sha256": "60c5c2f2a9749a79720ee47e2e930a9f80242258293a89a271aa2721701939fd",
 "type": "new_terms",
- "version": 8
+ "version": 9
 },
 "5c81fc9d-1eae-437f-ba07-268472967013": {
 "min_stack_version": "8.3",
@@ -4071,6 +4099,13 @@
 "type": "eql",
 "version": 107
 },
+ "71d6a53d-abbd-40df-afee-c21fff6aafb0": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious Passwd File Event Action",
+ "sha256": "643fd4dc9cb7afb75d6f948bdf9b15f87829f59236c645698ef6ceb52a951768",
+ "type": "eql",
+ "version": 1
+ },
 "721999d0-7ab2-44bf-b328-6e63367b9b29": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft 365 Potential ransomware activity",
@@ -4110,9 +4145,9 @@
 "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Modification of Accessibility Binaries",
- "sha256": "9f5997c2b0fe4dada04cf6f3b344fbaddbe1f19800ee466dd053e2f7cb2879e5",
+ "sha256": "3c39eaa16fbbb098a00adccdbfc303de378e965597565878032ed552bc825043",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
 "min_stack_version": "8.3",
@@ -4307,9 +4342,9 @@
 "79124edf-30a8-4d48-95c4-11522cad94b1": {
 "min_stack_version": "8.3",
 "rule_name": "File Compressed or Archived into Common Format",
- "sha256": "ffc63f1281c5daf184121bec10deda5e91670f64baeaf47d2ee5336649bf2c78",
+ "sha256": "18b4a7010976c9f689780ad80ae4d9a48f943c15092dea05795d1f861e867648",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
 "min_stack_version": "8.3",
@@ -4683,6 +4718,13 @@
 "type": "query",
 "version": 205
 },
+ "86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Linux Reverse Connection through Port Knocking",
+ "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
+ "type": "eql",
+ "version": 1
+ },
 "870aecc0-cea4-4110-af3f-e02e9b373655": {
 "min_stack_version": "8.3",
 "rule_name": "Security Software Discovery via Grep",
@@ -5375,9 +5417,9 @@
 "97fc44d3-8dae-4019-ae83-298c3015600f": {
 "min_stack_version": "8.3",
 "rule_name": "Startup or Run Key Registry Modification",
- "sha256": "e35230136b3e8717e95ef5022b13c355c44d14666a14d564449b2982dfc27e9d",
+ "sha256": "531c4084f03ee3d1b847fd5b7e1a08b698d464c9f75172572d311ce3fd3c7b78",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "980b70a0-c820-11ed-8799-f661ea17fbcc": {
 "min_stack_version": "8.4",
@@ -5542,9 +5584,16 @@
 "9c865691-5599-447a-bac9-b3f2df5f9a9d": {
 "min_stack_version": "8.3",
 "rule_name": "Remote Scheduled Task Creation via RPC",
- "sha256": "22e8e1bb2a6a9366178e012e1811993b0ce5f79b27afc154f93ed760c6489f1e",
+ "sha256": "0f64c28a181949a1efa09b4f30225af7c831dc379510fde5484cb91ebbe9059e",
 "type": "eql",
- "version": 7
+ "version": 8
+ },
+ "9c951837-7d13-4b0c-be7a-f346623c8795": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Enumeration via Active Directory Web Service",
+ "sha256": "17ac2376542784780fa798b0756416f6c54757e2d72dab6b2ddd28dfd165d3b3",
+ "type": "eql",
+ "version": 1
 },
 "9ccf3ce0-0057-440a-91f5-870c6ad39093": {
 "min_stack_version": "8.3",
@@ -5659,9 +5708,9 @@
 "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Credential Access via DCSync",
- "sha256": "ce811f22916b00b56a6bdde9eeaa631f6ccf08130ad18edfb552d0205424c5b1",
+ "sha256": "008b0f6532321a77ee911abe070b818d971c7f5c23e3e4c5b78caf79ea21af08",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "9f9a2a82-93a8-4b1a-8778-1780895626d4": {
 "min_stack_version": "8.6",
@@ -5931,10 +5980,10 @@
 },
 "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
 "min_stack_version": "8.3",
- "rule_name": "Potential Malicious File Downloaded from Google Drive",
- "sha256": "7a0d22e648caa03cd127a00cad9baff4f242263c35d9ad59ab1c7a9fe46a321a",
+ "rule_name": "Suspicious File Downloaded from Google Drive",
+ "sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
 "min_stack_version": "8.9",
@@ -6152,6 +6201,13 @@
 "type": "query",
 "version": 105
 },
+ "ad959eeb-2b7b-4722-ba08-a45f6622f005": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious APT Package Manager Execution",
+ "sha256": "8b78fc4a9959793ebadb1dd12240e38a6331356b5ce0733f090b31e48fd71b7d",
+ "type": "eql",
+ "version": 1
+ },
 "adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
 "min_stack_version": "8.3",
 "rule_name": "File Transfer or Listener Established via Netcat",
@@ -6456,9 +6512,9 @@
 "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
 "min_stack_version": "8.3",
 "rule_name": "Kirbi File Creation",
- "sha256": "34a4c6af4a0abec4b49761fd3410e7ce843a7cd917929009de084283086d34f2",
+ "sha256": "c38344254490e667df0c99f72e41895e32340abeed8333e6a5ed6305757ffb6d",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
 "min_stack_version": "8.3",
@@ -6886,9 +6942,9 @@
 "c55badd3-3e61-4292-836f-56209dc8a601": {
 "min_stack_version": "8.3",
 "rule_name": "Attempted Private Key Access",
- "sha256": "878964185cf6bcfd3d1cee459b0664977de42cce6b31af0fb2ad35413e764dc5",
+ "sha256": "5381a29dcefb0cee21b24a6b62d7d0d3e2a287eea7433b36fe1c6851204841a8",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "c5677997-f75b-4cda-b830-a75920514096": {
 "min_stack_version": "8.3",
@@ -7618,6 +7674,13 @@
 "type": "query",
 "version": 102
 },
+ "d74d6506-427a-4790-b170-0c2a6ddac799": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious Memory grep Activity",
+ "sha256": "f38af2112e0042344d3102dcb974eff219cdb2192cf7174c291647c0ac09d87c",
+ "type": "eql",
+ "version": 1
+ },
 "d75991f2-b989-419d-b797-ac1e54ec2d61": {
 "min_stack_version": "8.3",
 "rule_name": "SystemKey Access via Command Line",
@@ -8222,9 +8285,9 @@
 "e707a7be-cc52-41ac-8ab3-d34b38c20005": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Credential Access via Memory Dump File Creation",
- "sha256": "49debe62710e167c237de800f3dd2ce6ad4a3f4a6effd957439d576770b4e7c9",
+ "sha256": "8e637f03a8f8eb325e7801996c5641dcd8972185da239d2786d603ce93786836",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
 "min_stack_version": "8.3",
@@ -8425,6 +8488,13 @@
 "type": "machine_learning",
 "version": 103
 },
+ "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious APT Package Manager Network Connection",
+ "sha256": "835b8c13f7ca75ca0c3cbd05603c8ecedda758ee6736f886b793937b40b4cf3d",
+ "type": "eql",
+ "version": 1
+ },
 "eb079c62-4481-4d6e-9643-3ca499df7aaa": {
 "min_stack_version": "8.3",
 "rule_name": "External Alerts",
@@ -8435,9 +8505,9 @@
 "eb44611f-62a8-4036-a5ef-587098be6c43": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
- "sha256": "801852a3300f7b11b19c32b8f4151194247eb06f60814b531d70187da14da0a1",
+ "sha256": "59511943017b6f3b3d7a961fa15dbae63734417cf74479ac19a17febbd5181b7",
 "type": "query",
- "version": 2
+ "version": 3
 },
 "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
 "min_stack_version": "8.3",
@@ -8784,6 +8854,13 @@
 "type": "threshold",
 "version": 104
 },
+ "f3818c85-2207-4b51-8a28-d70fb156ee87": {
+ "min_stack_version": "8.3",
+ "rule_name": "Suspicious Network Connection via systemd",
+ "sha256": "a735567676266d1a679f92125be7cf4a9e43d4da691ed2d93e4365e572aa2440",
+ "type": "eql",
+ "version": 1
+ },
 "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
 "min_stack_version": "8.5",
 "rule_name": "Threat Intel URL Indicator Match",