From aef9fe8ec46e0d12c674aa640cc1020f15325285 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 28 Jun 2024 17:49:18 +0530
Subject: [PATCH] Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845)

---
 detection_rules/etc/version.lock.json | 203 ++++++++++++++++++--------
 1 file changed, 141 insertions(+), 62 deletions(-)

diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 53bc1c6d9..2a52e57eb 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -40,9 +40,9 @@
 }
 },
 "rule_name": "System Shells via Services",
- "sha256": "f39660853e5b117b27a58684c32fc3028f841c2bfa0676a1716d4775a8fbc5bb",
+ "sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "00678712-b2df-11ed-afe9-f661ea17fbcc": {
 "rule_name": "Google Workspace Suspended User Account Renewed",
@@ -226,9 +226,9 @@
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "rule_name": "Potential Evasion via Filter Manager",
- "sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c",
+ "sha256": "a94b677993a1ef1bed8626490fcb593b210a3fdbe2751e7e2b38a35b5cc4395d",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "074464f9-f30d-4029-8c03-0ed237fffec7": {
 "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
@@ -267,9 +267,9 @@
 }
 },
 "rule_name": "Local Account TokenFilter Policy Disabled",
- "sha256": "793a191ad34ae91c56955a490de13ca8298e1f75a10de07ae143ed3766096355",
+ "sha256": "56429d1cd02f3329c6753fbb15a52eee3bffe8568d69b72013586dde2be95b57",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
 "rule_name": "Google Drive Ownership Transferred via Google Workspace",
@@ -378,6 +378,12 @@
 "type": "query",
 "version": 106
 },
+ "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
+ "rule_name": "Yum Package Manager Plugin File Creation",
+ "sha256": "3a2bd6c4c3a22a51b9ccc02420cce8fbbf1827c026e43f7f8b04905409711bf7",
+ "type": "eql",
+ "version": 1
+ },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "rule_name": "Anomalous Windows Process Creation",
 "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c",
@@ -476,10 +482,10 @@
 "version": 109
 },
 "0f4d35e4-925e-4959-ab24-911be207ee6f": {
- "rule_name": "Potential Persistence Through Run Control Detected",
- "sha256": "36731a2b745266798a86c82eee4dbc160faad33f2480d2e5d3f489d91db2ba8f",
- "type": "new_terms",
- "version": 111
+ "rule_name": "rc.local/rc.common File Creation",
+ "sha256": "85ee9b791a4c7e68fa137cb3157d12117568d3c28d86fe9d8fcec00fc60e084a",
+ "type": "eql",
+ "version": 112
 },
 "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
 "rule_name": "Netcat Listener Established via rlwrap",
@@ -815,9 +821,9 @@
 },
 "17b0a495-4d9f-414c-8ad0-92f018b8e001": {
 "rule_name": "Systemd Service Created",
- "sha256": "b6d52138336ffdc9944d3309166f6e193ae0cda6f421144245bc69bf4a6559eb",
+ "sha256": "f39790b9b3abb2ae93c8dd17424d49585bf433630f77d22f8e71e727ded3ef05",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
 "rule_name": "Renamed Utility Executed with Short Program Name",
@@ -948,9 +954,9 @@
 },
 "1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
 "rule_name": "Suspicious File Creation in /etc for Persistence",
- "sha256": "bf4cceb5ae7a5878a49003e662cdc61a43a63016cf7c081482666a0dac24247b",
+ "sha256": "40ddcb49b09cc55adadb4d77faa7e2399a198f85b05ae0091ff28080d0b3e163",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "1c966416-60c1-436b-bfd0-e002fddbfd89": {
 "rule_name": "Azure Kubernetes Rolebindings Created",
@@ -1415,6 +1421,12 @@
 "type": "eql",
 "version": 5
 },
+ "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
+ "rule_name": "Privilege Escalation via SUID/SGID",
+ "sha256": "d4750d3483d151cf29d387937a0c53e16532bb6c7f76c4129182f11af26907bd",
+ "type": "eql",
+ "version": 1
+ },
 "28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
 "rule_name": "Shell Configuration Creation or Modification",
 "sha256": "26fb29a8c8c328b8e46ed17a8fda1d07250948bb305e19031173410ae35d3669",
@@ -1528,9 +1540,9 @@
 }
 },
 "rule_name": "Adobe Hijack Persistence",
- "sha256": "eb4e880bc7d79b0831cdd9063d6745aad9f422d7f4b708a0894c414c790af064",
+ "sha256": "444405e37e8e57d20939866f5b78a3a70eb14ff1533a0524f612c56daa2ce62a",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
 "rule_name": "Windows Defender Exclusions Added via PowerShell",
@@ -1700,9 +1712,9 @@
 },
 "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
 "rule_name": "Bypass UAC via Event Viewer",
- "sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c",
+ "sha256": "f68acc17e7920c1e4f473b0e72524adf18803529c9ab6fbb7b3f4369cc464908",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "3202e172-01b1-4738-a932-d024c514ba72": {
 "rule_name": "GCP Pub/Sub Topic Deletion",
@@ -1730,9 +1742,9 @@
 },
 "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
 "rule_name": "Program Files Directory Masquerading",
- "sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa",
+ "sha256": "e86edbafc8daaa9e5141a1d1c7ef7582752907da5625aadc6aa59f4c7418e7b1",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "min_stack_version": "8.13",
@@ -1753,9 +1765,9 @@
 }
 },
 "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "a7e4e52230f1a2f269732a45b210a8cded335e4867e2095abbb2d707d4a0e932",
+ "sha256": "d795d9c2b5323cd4d471b74493354dc0efd031e16c8fa6f35c34b0e17c0d6f5c",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "333de828-8190-4cf5-8d7c-7575846f6fe0": {
 "rule_name": "AWS IAM User Addition to Group",
@@ -1968,6 +1980,12 @@
 "type": "eql",
 "version": 107
 },
+ "39c06367-b700-4380-848a-cab06e7afede": {
+ "rule_name": "Systemd Generator Created",
+ "sha256": "942799a502924a8770a66f92b4f43fa2438edf86eef4d2e1fc81c5d5934ca45b",
+ "type": "eql",
+ "version": 1
+ },
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "rule_name": "Potential DNS Tunneling via NsLookup",
 "sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035",
@@ -2035,9 +2053,9 @@
 }
 },
 "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "99fe156012393a6350811a3ccf9ecaf4dc0d399569a90aa01cc5cebe44117352",
+ "sha256": "fc39f2acde3920cf811fffeba7c26a81cdba43f00f44e9649e96c6638439f59c",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "rule_name": "NTDS or SAM Database File Copied",
@@ -2157,6 +2175,12 @@
 "type": "machine_learning",
 "version": 4
 },
+ "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
+ "rule_name": "DNF Package Manager Plugin File Creation",
+ "sha256": "a84dfe6ccc1996ada49913439cc47e7a0a10d463f3385caf7a4f35804f884888",
+ "type": "eql",
+ "version": 1
+ },
 "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
 "rule_name": "Unusual Process Spawned by a User",
 "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
@@ -2338,10 +2362,10 @@
 "version": 105
 },
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
- "rule_name": "Potential Persistence Through init.d Detected",
- "sha256": "f475866a4eb28902febd629ce11fefe77e80d41baabebe63a0b893ddd7d9a753",
- "type": "new_terms",
- "version": 10
+ "rule_name": "System V Init Script Created",
+ "sha256": "2466e400fbb2609de0e103e31fce633373687c8f415da505013088e414873e97",
+ "type": "eql",
+ "version": 11
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "rule_name": "Sensitive Files Compression Inside A Container",
@@ -2614,9 +2638,9 @@
 }
 },
 "rule_name": "Registry Persistence via AppCert DLL",
- "sha256": "f5b43f0f0f3a4cd3823fedc6900054657f8adb7bd85b6cc8097f892872bf6f3b",
+ "sha256": "56b311155088f43b725ed46b4f073ce9e8c6c4cf56e3a435b24b86d86aad53c2",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
@@ -3442,6 +3466,12 @@
 "type": "eql",
 "version": 1
 },
+ "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
+ "rule_name": "AWS RDS DB Snapshot Created",
+ "sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31",
+ "type": "query",
+ "version": 1
+ },
 "68d56fdc-7ffa-4419-8e95-81641bd6f845": {
 "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
 "sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459",
@@ -3467,6 +3497,12 @@
 "type": "threat_match",
 "version": 204
 },
+ "69c116bb-d86f-48b0-857d-3648511a6cac": {
+ "rule_name": "Suspicious rc.local Error Message",
+ "sha256": "0b487e1b833bcafdcb2b535bc15463752b290f256859f2abdfb8a98f096a69bb",
+ "type": "query",
+ "version": 1
+ },
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "rule_name": "Modification of Boot Configuration",
 "sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525",
@@ -3510,9 +3546,9 @@
 }
 },
 "rule_name": "Exporting Exchange Mailbox via PowerShell",
- "sha256": "9a2bd321243f33c29af8cab474c2a52763818ef4340040453bf1e111f2e47503",
+ "sha256": "d96da39b124844378ebe2dccb3f7abd14b3ea249368ba1cc52f0569beb16aebf",
 "type": "eql",
- "version": 313
+ "version": 314
 },
 "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
 "rule_name": "Suspicious Utility Launched via ProxyChains",
@@ -3610,6 +3646,12 @@
 "type": "eql",
 "version": 7
 },
+ "6f024bde-7085-489b-8250-5957efdf1caf": {
+ "rule_name": "Active Directory Group Modification by SYSTEM",
+ "sha256": "c9b21cdf8c1e8c7c10492858026a18da544e7c035d10d55ccc0026ef0f488f57",
+ "type": "eql",
+ "version": 1
+ },
 "6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
 "rule_name": "SSH (Secure Shell) to the Internet",
 "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
@@ -3738,7 +3780,13 @@
 },
 "730ed57d-ae0f-444f-af50-78708b57edd5": {
 "rule_name": "Suspicious JetBrains TeamCity Child Process",
- "sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578",
+ "sha256": "37aa131f6982a43283697967e08ef37198a296567f76495c23c42aa2350aa1ca",
+ "type": "eql",
+ "version": 2
+ },
+ "7318affb-bfe8-4d50-a425-f617833be160": {
+ "rule_name": "Potential Execution of rc.local Script",
+ "sha256": "f72ef3ae820cc7827a173bd53ee654a144ca8e561720eb21b16aa8038e77cc52",
 "type": "eql",
 "version": 1
 },
@@ -3849,9 +3897,9 @@
 }
 },
 "rule_name": "Potential Remote Desktop Tunneling Detected",
- "sha256": "5dc0aa50792a92d4380b7f0f4e326e624d77e221bc6825424687daac0e26083f",
+ "sha256": "c762e1ba8e72d23f0ccff398f0213ae177b8f5c62687a8a5df50f506ac30fc3f",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "770e0c4d-b998-41e5-a62e-c7901fd7f470": {
 "rule_name": "Enumeration Command Spawned via WMIPrvSE",
@@ -3883,6 +3931,12 @@
 "type": "threshold",
 "version": 6
 },
+ "78390eb5-c838-4c1d-8240-69dd7397cfb7": {
+ "rule_name": "Yum/DNF Plugin Status Discovery",
+ "sha256": "fc16f370dc60f9055462ab95361c53882679cdb66bc38d1af9e0d11c7fe6cae2",
+ "type": "eql",
+ "version": 1
+ },
 "785a404b-75aa-4ffd-8be5-3334a5a544dd": {
 "rule_name": "Application Added to Google Workspace Domain",
 "sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6",
@@ -3920,9 +3974,9 @@
 }
 },
 "rule_name": "Suspicious ScreenConnect Client Child Process",
- "sha256": "1cd4ba234bf93cf872872658b01960cdc2fdcd04262dadd0399b738cff42d2e4",
+ "sha256": "be515aa4079a17e1c8bfa4a48abf4988546407c452bb83a12e8a9ea37618a65c",
 "type": "eql",
- "version": 203
+ "version": 204
 },
 "78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
 "rule_name": "Suspicious File Renamed via SMB",
@@ -4026,6 +4080,12 @@
 "type": "query",
 "version": 106
 },
+ "7ce5e1c7-6a49-45e6-a101-0720d185667f": {
+ "rule_name": "Git Hook Child Process",
+ "sha256": "e77cd450455ec49667cac7e0a1957a71b6b3644f627fe8c00b5bd2c41a8e0262",
+ "type": "eql",
+ "version": 1
+ },
 "7ceb2216-47dd-4e64-9433-cddc99727623": {
 "rule_name": "GCP Service Account Creation",
 "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c",
@@ -4057,6 +4117,13 @@
 "type": "eql",
 "version": 2
 },
+ "7e23dfef-da2c-4d64-b11d-5f285b638853": {
+ "min_stack_version": "8.9",
+ "rule_name": "Microsoft Management Console File from Unusual Path",
+ "sha256": "adb75f0219164c5e3c96a145f69d0da86658f728ce7ced78350c0b40f97eb464",
+ "type": "eql",
+ "version": 2
+ },
 "7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
 "rule_name": "Suspicious WMIC XSL Script Execution",
 "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2",
@@ -4071,9 +4138,9 @@
 },
 "7fb500fa-8e24-4bd1-9480-2a819352602c": {
 "rule_name": "Systemd Timer Created",
- "sha256": "677de35cf201258b8369fc2085f3f72db239e9011cff322e8f5f332afcf46888",
+ "sha256": "45cb9853a105ac47b63d0424f8bae22ba4f4cd32a1a54641b355e1ca2600cc91",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
 "min_stack_version": "8.13",
@@ -4376,10 +4443,10 @@
 "version": 1
 },
 "8a1b0278-0f9a-487d-96bd-d4833298e87a": {
- "rule_name": "Setuid / Setgid Bit Set via chmod",
- "sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5",
- "type": "query",
- "version": 103
+ "rule_name": "SUID/SGID Bit Set",
+ "sha256": "d30b78adc54d39f3c741ae106d085d3b2c772c7bcc6ff6cd5f0431e699ffb069",
+ "type": "eql",
+ "version": 104
 },
 "8a1d4831-3ce6-4859-9891-28931fa6101d": {
 "rule_name": "Suspicious Execution from a Mounted Device",
@@ -4417,9 +4484,9 @@
 },
 "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
 "rule_name": "Executable File Creation with Multiple Extensions",
- "sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298",
+ "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "8b4f0816-6a65-4630-86a6-c21c179c0d09": {
 "rule_name": "Enable Host Network Discovery via Netsh",
@@ -4684,10 +4751,10 @@
 "version": 204
 },
 "94418745-529f-4259-8d25-a713a6feb6ae": {
- "rule_name": "Executable Bit Set for rc.local/rc.common",
- "sha256": "7dbae46a5a71705bc609aadd65a6bc77c9d8674e353966fa6c00c152d96f0990",
+ "rule_name": "Executable Bit Set for Potential Persistence Script",
+ "sha256": "45b22e6a32cde549ff94fed6e252272ab50f5e930618ac392c419221bc2e7a0b",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "947827c6-9ed6-4dec-903e-c856c86e72f3": {
 "rule_name": "Creation of Kernel Module",
@@ -4845,9 +4912,9 @@
 }
 },
 "rule_name": "Suspicious Zoom Child Process",
- "sha256": "ab6c4f09d32014591e2a374947f000d68295f96989a72225b3e4930e37e5bc20",
+ "sha256": "fdc712e98749caac8f80fb5adc343a38c6b7eed30751ae4cf8616c996a9cf8bc",
 "type": "eql",
- "version": 312
+ "version": 313
 },
 "97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
 "rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -5399,6 +5466,12 @@
 "type": "eql",
 "version": 314
 },
+ "ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
+ "rule_name": "Git Hook Created or Modified",
+ "sha256": "0e054a4d038b07eafcacda1d0db5d03bdcfc365eea986702a69ed4aa816a50fe",
+ "type": "eql",
+ "version": 1
+ },
 "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
 "rule_name": "Unusual AWS Command for a User",
 "sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee",
@@ -5768,9 +5841,9 @@
 }
 },
 "rule_name": "Creation or Modification of Domain Backup DPAPI private key",
- "sha256": "5b9416b0c074d30e24badf5a0daa0825766bb7ae7d99b88130f7c0999a392af3",
+ "sha256": "5fbb8e28328ce0d6b8eb601ed88b02aea94913e0aaac62864d73965cca3ef190",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "b86afe07-0d98-4738-b15d-8d7465f95ff5": {
 "rule_name": "Network Connection via MsXsl",
@@ -5797,9 +5870,9 @@
 }
 },
 "rule_name": "Kirbi File Creation",
- "sha256": "001f917502544177abdc78801aa208266c38c099300c58dbb69e62bb88128594",
+ "sha256": "5f68a51fbff3daf700727004dda7323867ebada906851b39cfff85701f065634",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
 "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
@@ -7638,9 +7711,9 @@
 },
 "ef862985-3f13-4262-a686-5f357bbb9bc2": {
 "rule_name": "Whoami Process Activity",
- "sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202",
+ "sha256": "9c2c8cc7096f66d1cccbd876773ab14c54045122e9d6ed221d2182e7f9f4c4c4",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "ef8cc01c-fc49-4954-a175-98569c646740": {
 "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
@@ -8037,9 +8110,9 @@
 }
 },
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "a2061359bd190293621c8e71ff1e35c08834d74f598fc6364b28a74c8af177de",
+ "sha256": "deebb3f8653613c053c8950cdc1faccaed3b88863584bfe375bab08de94f6b10",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "fac52c69-2646-4e79-89c0-fd7653461010": {
 "rule_name": "Potential Disabling of AppArmor",
@@ -8089,6 +8162,12 @@
 "type": "new_terms",
 "version": 1
 },
+ "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
+ "rule_name": "User or Group Creation/Modification",
+ "sha256": "490363306b4257204e506425c71095a8e6d0d7dacd80b8c9ab0d2896a95eeba1",
+ "type": "eql",
+ "version": 1
+ },
 "fd01b949-81be-46d5-bcf8-284395d5f56d": {
 "rule_name": "GitHub App Deleted",
 "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
@@ -8152,9 +8231,9 @@
 },
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "rule_name": "Microsoft Windows Defender Tampering",
- "sha256": "c033fe9cac3214062e42bdc5f3653c396356866c3f62fea669337f7efa7cf7b6",
+ "sha256": "3b4caccd62315bfba09e8fc1003d105a3d8246446718aad67d327b284b7e2f97",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
 "rule_name": "Potential Masquerading as Business App Installer",
@@ -8202,9 +8281,9 @@
 },
 "ff4599cb-409f-4910-a239-52e4e6f532ff": {
 "rule_name": "LSASS Process Access via Windows API",
- "sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18",
+ "sha256": "6b4878af88365170479ac74ad0afcc51029ed6448d58fcb9f720bb70d9f25c45",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "rule_name": "Microsoft 365 Exchange Transport Rule Creation",