security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845)

Browse Source
This commit is contained in:
github-actions[bot]
2024-06-28 17:49:18 +05:30
committed by GitHub
parent 357204e1c5
commit aef9fe8ec4
1 changed files with 141 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+141 -62
View File
@@ -40,9 +40,9 @@
}
},
"rule_name": "System Shells via Services",
"sha256": "f39660853e5b117b27a58684c32fc3028f841c2bfa0676a1716d4775a8fbc5bb",
"sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465",
"type": "eql",
"version": 312
"version": 313
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
@@ -226,9 +226,9 @@
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c",
"sha256": "a94b677993a1ef1bed8626490fcb593b210a3fdbe2751e7e2b38a35b5cc4395d",
"type": "eql",
"version": 110
"version": 111
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
@@ -267,9 +267,9 @@
}
},
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "793a191ad34ae91c56955a490de13ca8298e1f75a10de07ae143ed3766096355",
"sha256": "56429d1cd02f3329c6753fbb15a52eee3bffe8568d69b72013586dde2be95b57",
"type": "eql",
"version": 210
"version": 211
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
@@ -378,6 +378,12 @@
"type": "query",
"version": 106
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "3a2bd6c4c3a22a51b9ccc02420cce8fbbf1827c026e43f7f8b04905409711bf7",
"type": "eql",
"version": 1
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"rule_name": "Anomalous Windows Process Creation",
"sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c",
@@ -476,10 +482,10 @@
"version": 109
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"rule_name": "Potential Persistence Through Run Control Detected",
"sha256": "36731a2b745266798a86c82eee4dbc160faad33f2480d2e5d3f489d91db2ba8f",
"type": "new_terms",
"version": 111
"rule_name": "rc.local/rc.common File Creation",
"sha256": "85ee9b791a4c7e68fa137cb3157d12117568d3c28d86fe9d8fcec00fc60e084a",
"type": "eql",
"version": 112
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"rule_name": "Netcat Listener Established via rlwrap",
@@ -815,9 +821,9 @@
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "Systemd Service Created",
"sha256": "b6d52138336ffdc9944d3309166f6e193ae0cda6f421144245bc69bf4a6559eb",
"sha256": "f39790b9b3abb2ae93c8dd17424d49585bf433630f77d22f8e71e727ded3ef05",
"type": "eql",
"version": 11
"version": 12
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"rule_name": "Renamed Utility Executed with Short Program Name",
@@ -948,9 +954,9 @@
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "bf4cceb5ae7a5878a49003e662cdc61a43a63016cf7c081482666a0dac24247b",
"sha256": "40ddcb49b09cc55adadb4d77faa7e2399a198f85b05ae0091ff28080d0b3e163",
"type": "eql",
"version": 114
"version": 115
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Rolebindings Created",
@@ -1415,6 +1421,12 @@
"type": "eql",
"version": 5
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "d4750d3483d151cf29d387937a0c53e16532bb6c7f76c4129182f11af26907bd",
"type": "eql",
"version": 1
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation or Modification",
"sha256": "26fb29a8c8c328b8e46ed17a8fda1d07250948bb305e19031173410ae35d3669",
@@ -1528,9 +1540,9 @@
}
},
"rule_name": "Adobe Hijack Persistence",
"sha256": "eb4e880bc7d79b0831cdd9063d6745aad9f422d7f4b708a0894c414c790af064",
"sha256": "444405e37e8e57d20939866f5b78a3a70eb14ff1533a0524f612c56daa2ce62a",
"type": "eql",
"version": 313
"version": 314
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
@@ -1700,9 +1712,9 @@
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c",
"sha256": "f68acc17e7920c1e4f473b0e72524adf18803529c9ab6fbb7b3f4369cc464908",
"type": "eql",
"version": 112
"version": 113
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"rule_name": "GCP Pub/Sub Topic Deletion",
@@ -1730,9 +1742,9 @@
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"rule_name": "Program Files Directory Masquerading",
"sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa",
"sha256": "e86edbafc8daaa9e5141a1d1c7ef7582752907da5625aadc6aa59f4c7418e7b1",
"type": "eql",
"version": 109
"version": 110
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.13",
@@ -1753,9 +1765,9 @@
}
},
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "a7e4e52230f1a2f269732a45b210a8cded335e4867e2095abbb2d707d4a0e932",
"sha256": "d795d9c2b5323cd4d471b74493354dc0efd031e16c8fa6f35c34b0e17c0d6f5c",
"type": "eql",
"version": 313
"version": 314
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
@@ -1968,6 +1980,12 @@
"type": "eql",
"version": 107
},
"39c06367-b700-4380-848a-cab06e7afede": {
"rule_name": "Systemd Generator Created",
"sha256": "942799a502924a8770a66f92b4f43fa2438edf86eef4d2e1fc81c5d5934ca45b",
"type": "eql",
"version": 1
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035",
@@ -2035,9 +2053,9 @@
}
},
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "99fe156012393a6350811a3ccf9ecaf4dc0d399569a90aa01cc5cebe44117352",
"sha256": "fc39f2acde3920cf811fffeba7c26a81cdba43f00f44e9649e96c6638439f59c",
"type": "eql",
"version": 312
"version": 313
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
@@ -2157,6 +2175,12 @@
"type": "machine_learning",
"version": 4
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "a84dfe6ccc1996ada49913439cc47e7a0a10d463f3385caf7a4f35804f884888",
"type": "eql",
"version": 1
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"rule_name": "Unusual Process Spawned by a User",
"sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
@@ -2338,10 +2362,10 @@
"version": 105
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "Potential Persistence Through init.d Detected",
"sha256": "f475866a4eb28902febd629ce11fefe77e80d41baabebe63a0b893ddd7d9a753",
"type": "new_terms",
"version": 10
"rule_name": "System V Init Script Created",
"sha256": "2466e400fbb2609de0e103e31fce633373687c8f415da505013088e414873e97",
"type": "eql",
"version": 11
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"rule_name": "Sensitive Files Compression Inside A Container",
@@ -2614,9 +2638,9 @@
}
},
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "f5b43f0f0f3a4cd3823fedc6900054657f8adb7bd85b6cc8097f892872bf6f3b",
"sha256": "56b311155088f43b725ed46b4f073ce9e8c6c4cf56e3a435b24b86d86aad53c2",
"type": "eql",
"version": 310
"version": 311
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
@@ -3442,6 +3466,12 @@
"type": "eql",
"version": 1
},
"68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
"rule_name": "AWS RDS DB Snapshot Created",
"sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31",
"type": "query",
"version": 1
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459",
@@ -3467,6 +3497,12 @@
"type": "threat_match",
"version": 204
},
"69c116bb-d86f-48b0-857d-3648511a6cac": {
"rule_name": "Suspicious rc.local Error Message",
"sha256": "0b487e1b833bcafdcb2b535bc15463752b290f256859f2abdfb8a98f096a69bb",
"type": "query",
"version": 1
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
"sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525",
@@ -3510,9 +3546,9 @@
}
},
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "9a2bd321243f33c29af8cab474c2a52763818ef4340040453bf1e111f2e47503",
"sha256": "d96da39b124844378ebe2dccb3f7abd14b3ea249368ba1cc52f0569beb16aebf",
"type": "eql",
"version": 313
"version": 314
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"rule_name": "Suspicious Utility Launched via ProxyChains",
@@ -3610,6 +3646,12 @@
"type": "eql",
"version": 7
},
"6f024bde-7085-489b-8250-5957efdf1caf": {
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "c9b21cdf8c1e8c7c10492858026a18da544e7c035d10d55ccc0026ef0f488f57",
"type": "eql",
"version": 1
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
@@ -3738,7 +3780,13 @@
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578",
"sha256": "37aa131f6982a43283697967e08ef37198a296567f76495c23c42aa2350aa1ca",
"type": "eql",
"version": 2
},
"7318affb-bfe8-4d50-a425-f617833be160": {
"rule_name": "Potential Execution of rc.local Script",
"sha256": "f72ef3ae820cc7827a173bd53ee654a144ca8e561720eb21b16aa8038e77cc52",
"type": "eql",
"version": 1
},
@@ -3849,9 +3897,9 @@
}
},
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "5dc0aa50792a92d4380b7f0f4e326e624d77e221bc6825424687daac0e26083f",
"sha256": "c762e1ba8e72d23f0ccff398f0213ae177b8f5c62687a8a5df50f506ac30fc3f",
"type": "eql",
"version": 312
"version": 313
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
@@ -3883,6 +3931,12 @@
"type": "threshold",
"version": 6
},
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"rule_name": "Yum/DNF Plugin Status Discovery",
"sha256": "fc16f370dc60f9055462ab95361c53882679cdb66bc38d1af9e0d11c7fe6cae2",
"type": "eql",
"version": 1
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6",
@@ -3920,9 +3974,9 @@
}
},
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "1cd4ba234bf93cf872872658b01960cdc2fdcd04262dadd0399b738cff42d2e4",
"sha256": "be515aa4079a17e1c8bfa4a48abf4988546407c452bb83a12e8a9ea37618a65c",
"type": "eql",
"version": 203
"version": 204
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
@@ -4026,6 +4080,12 @@
"type": "query",
"version": 106
},
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
"rule_name": "Git Hook Child Process",
"sha256": "e77cd450455ec49667cac7e0a1957a71b6b3644f627fe8c00b5bd2c41a8e0262",
"type": "eql",
"version": 1
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"rule_name": "GCP Service Account Creation",
"sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c",
@@ -4057,6 +4117,13 @@
"type": "eql",
"version": 2
},
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"min_stack_version": "8.9",
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "adb75f0219164c5e3c96a145f69d0da86658f728ce7ced78350c0b40f97eb464",
"type": "eql",
"version": 2
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2",
@@ -4071,9 +4138,9 @@
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "Systemd Timer Created",
"sha256": "677de35cf201258b8369fc2085f3f72db239e9011cff322e8f5f332afcf46888",
"sha256": "45cb9853a105ac47b63d0424f8bae22ba4f4cd32a1a54641b355e1ca2600cc91",
"type": "eql",
"version": 11
"version": 12
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"min_stack_version": "8.13",
@@ -4376,10 +4443,10 @@
"version": 1
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "Setuid / Setgid Bit Set via chmod",
"sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5",
"type": "query",
"version": 103
"rule_name": "SUID/SGID Bit Set",
"sha256": "d30b78adc54d39f3c741ae106d085d3b2c772c7bcc6ff6cd5f0431e699ffb069",
"type": "eql",
"version": 104
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"rule_name": "Suspicious Execution from a Mounted Device",
@@ -4417,9 +4484,9 @@
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298",
"sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0",
"type": "eql",
"version": 108
"version": 109
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"rule_name": "Enable Host Network Discovery via Netsh",
@@ -4684,10 +4751,10 @@
"version": 204
},
"94418745-529f-4259-8d25-a713a6feb6ae": {
"rule_name": "Executable Bit Set for rc.local/rc.common",
"sha256": "7dbae46a5a71705bc609aadd65a6bc77c9d8674e353966fa6c00c152d96f0990",
"rule_name": "Executable Bit Set for Potential Persistence Script",
"sha256": "45b22e6a32cde549ff94fed6e252272ab50f5e930618ac392c419221bc2e7a0b",
"type": "eql",
"version": 1
"version": 2
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"rule_name": "Creation of Kernel Module",
@@ -4845,9 +4912,9 @@
}
},
"rule_name": "Suspicious Zoom Child Process",
"sha256": "ab6c4f09d32014591e2a374947f000d68295f96989a72225b3e4930e37e5bc20",
"sha256": "fdc712e98749caac8f80fb5adc343a38c6b7eed30751ae4cf8616c996a9cf8bc",
"type": "eql",
"version": 312
"version": 313
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -5399,6 +5466,12 @@
"type": "eql",
"version": 314
},
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
"rule_name": "Git Hook Created or Modified",
"sha256": "0e054a4d038b07eafcacda1d0db5d03bdcfc365eea986702a69ed4aa816a50fe",
"type": "eql",
"version": 1
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
"sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee",
@@ -5768,9 +5841,9 @@
}
},
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "5b9416b0c074d30e24badf5a0daa0825766bb7ae7d99b88130f7c0999a392af3",
"sha256": "5fbb8e28328ce0d6b8eb601ed88b02aea94913e0aaac62864d73965cca3ef190",
"type": "eql",
"version": 310
"version": 311
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
@@ -5797,9 +5870,9 @@
}
},
"rule_name": "Kirbi File Creation",
"sha256": "001f917502544177abdc78801aa208266c38c099300c58dbb69e62bb88128594",
"sha256": "5f68a51fbff3daf700727004dda7323867ebada906851b39cfff85701f065634",
"type": "eql",
"version": 207
"version": 208
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
@@ -7638,9 +7711,9 @@
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"rule_name": "Whoami Process Activity",
"sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202",
"sha256": "9c2c8cc7096f66d1cccbd876773ab14c54045122e9d6ed221d2182e7f9f4c4c4",
"type": "eql",
"version": 111
"version": 112
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
@@ -8037,9 +8110,9 @@
}
},
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "a2061359bd190293621c8e71ff1e35c08834d74f598fc6364b28a74c8af177de",
"sha256": "deebb3f8653613c053c8950cdc1faccaed3b88863584bfe375bab08de94f6b10",
"type": "eql",
"version": 211
"version": 212
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
@@ -8089,6 +8162,12 @@
"type": "new_terms",
"version": 1
},
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
"rule_name": "User or Group Creation/Modification",
"sha256": "490363306b4257204e506425c71095a8e6d0d7dacd80b8c9ab0d2896a95eeba1",
"type": "eql",
"version": 1
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"rule_name": "GitHub App Deleted",
"sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
@@ -8152,9 +8231,9 @@
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "c033fe9cac3214062e42bdc5f3653c396356866c3f62fea669337f7efa7cf7b6",
"sha256": "3b4caccd62315bfba09e8fc1003d105a3d8246446718aad67d327b284b7e2f97",
"type": "eql",
"version": 111
"version": 112
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"rule_name": "Potential Masquerading as Business App Installer",
@@ -8202,9 +8281,9 @@
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18",
"sha256": "6b4878af88365170479ac74ad0afcc51029ed6448d58fcb9f720bb70d9f25c45",
"type": "eql",
"version": 7
"version": 8
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",