diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index bee15a00b..ab0446e0d 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1044,9 +1044,9 @@
 }
 },
 "rule_name": "Kubectl Permission Discovery",
- "sha256": "7b34ff0aea508f8547398667f9c008d7e8ad644cac9f386ca60ae6271002b975",
+ "sha256": "6d731657ec8c591dcefb910a3a67801314448feb8ea2db28a604c77d3be33979",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "160896de-b66f-42cb-8fef-20f53a9006ea": {
 "min_stack_version": "9.3",
@@ -1434,6 +1434,12 @@
 "type": "new_terms",
 "version": 211
 },
+ "1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": {
+ "rule_name": "Entra ID Domain Federation Configuration Change",
+ "sha256": "b991e58bb9febec0cf5ed7a76608a9ebc8025adc011b26dfe10a27851c63a867",
+ "type": "query",
+ "version": 1
+ },
 "1d0027d4-6717-4a37-bad8-531d8e9fe53f": {
 "rule_name": "Potential Hex Payload Execution via Command-Line",
 "sha256": "2e108812f7164bba9127e0aa6659bcd9a2c8350f27be5be3a3fd06a9dcbaf48b",
@@ -1755,9 +1761,9 @@
 }
 },
 "rule_name": "Potential Kubectl Masquerading via Unexpected Process",
- "sha256": "8d46821a3cdc95b2621a769daff499f7f908802034e7c47f649884fb5c5bae04",
+ "sha256": "d70c260690f552cfacb02450ed891f4c669046f11b94c24f5f0973a7bb51d56f",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
 "rule_name": "Unknown Execution of Binary with RWX Memory Region",
@@ -2860,9 +2866,9 @@
 }
 },
 "rule_name": "Potential Impersonation Attempt via Kubectl",
- "sha256": "d688f985ff54d810509b5039443537aff744620740dc38d7622d3c308ca1ef51",
+ "sha256": "bdaa5069decd53d75ef631a5ca01e4278a643b1b8d2943d67de98646b9816fc7",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "rule_name": "Unusual Linux Network Port Activity",
@@ -3303,9 +3309,9 @@
 },
 "472b4944-d810-43cf-83dc-7d080ae1b8dd": {
 "rule_name": "Multiple Cloud Secrets Accessed by Source Address",
- "sha256": "ff41c11baab351eaebba65c96b1a87529582ee93161f65f77b892e94374ace8b",
+ "sha256": "d0c4f9e600d97fef5ad96bac93093b7a8c14fcd1e8984e95303ff1e323528203",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "47403d72-3ee2-4752-a676-19dc8ff2b9d6": {
 "rule_name": "AWS IAM OIDC Provider Created by Rare User",
@@ -3347,6 +3353,13 @@
 "type": "eql",
 "version": 106
 },
+ "47661529-15ed-4848-93da-9fbded7a3a0e": {
+ "min_stack_version": "9.3",
+ "rule_name": "Chroot Execution Detected via Defend for Containers",
+ "sha256": "8eef44e54c58bacf8930637ce3c1ccc456d47e98096fb6b90d0117c387cfb747",
+ "type": "eql",
+ "version": 1
+ },
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
 "sha256": "a3c41fcfa1ca8b2ef3742212cb83d03ed47e7de62ec719449aea2350bc944579",
@@ -3434,9 +3447,9 @@
 },
 "491651da-125b-11f1-af7d-f661ea17fbce": {
 "rule_name": "M365 SharePoint/OneDrive File Access via PowerShell",
- "sha256": "b0ba8c5ebe208355146f0f9744658c7e7f9984f4ec6b5fa1db9a3568a97389df",
- "type": "query",
- "version": 1
+ "sha256": "12b2f26e1de89428096370a95afe5282f53ef905809bc143ddbfe3283d5b799e",
+ "type": "new_terms",
+ "version": 2
 },
 "493834ca-f861-414c-8602-150d5505b777": {
 "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
@@ -4691,9 +4704,9 @@
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "666ef6e51176ca7e40331d89b28255db0e3dd888348652674f8f7354ef86fb34",
+ "sha256": "36c806d8631c3382ce02b6ddc4f9fe4014909b9c44ac217b7884a8d585ad71a8",
 "type": "eql",
- "version": 127
+ "version": 128
 },
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "rule_name": "Linux Process Hooking via GDB",
@@ -5695,6 +5708,12 @@
 "type": "eql",
 "version": 1
 },
+ "7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": {
+ "rule_name": "Entra ID Custom Domain Added or Verified",
+ "sha256": "dd26cd3faf49a87dbdbae5742f5eea1de370b89f32551d8795c9b5175b405cde",
+ "type": "query",
+ "version": 1
+ },
 "7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
 "rule_name": "SSH Key Generated via ssh-keygen",
 "sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843",
@@ -5751,9 +5770,9 @@
 },
 "7f65f984-5642-4291-a0a0-2bbefce4c617": {
 "rule_name": "Python Path File (pth) Creation",
- "sha256": "582332b2e5ad8a181f60a7d1cb57e73aa87dc9f93d3400d8c0e1167faa2a6dbe",
+ "sha256": "9cb285c73a58b7f55d2270444624ce284968b053b72781884d5a33bff30e62b5",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": {
 "rule_name": "Web Server Potential SQL Injection Request",
@@ -6063,9 +6082,9 @@
 }
 },
 "rule_name": "Kubectl Network Configuration Modification",
- "sha256": "6ae6852c50cac7da8c2ea64b823c43ec4f6f8027bd4d53e469ef8fcc702a2709",
+ "sha256": "610a8cb4d2094544038062f65ed4745f98198a7994038fa0aeb006581813e4de",
 "type": "eql",
- "version": 101
+ "version": 102
 },
 "87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
 "rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
@@ -7461,6 +7480,12 @@
 "type": "query",
 "version": 109
 },
+ "a6129187-c47b-48ab-a412-67a44836d918": {
+ "rule_name": "M365 Azure Monitor Alert Email with Financial or Billing Theme",
+ "sha256": "66d9cffd3773855d4fd0f97ae360322f71d92a037133a287df4d4ac524497a54",
+ "type": "esql",
+ "version": 1
+ },
 "a61809f3-fb5b-465c-8bff-23a8a068ac60": {
 "rule_name": "Threat Intel Windows Registry Indicator Match",
 "sha256": "13b8297ead30f89bf1e834ac869dc0d250d9ed0b8604dea85acc5c85584ada84",
@@ -7570,6 +7595,13 @@
 "type": "query",
 "version": 105
 },
+ "a87d49f0-24ae-4d6e-a0b4-5fd2f6188d6a": {
+ "min_stack_version": "9.3",
+ "rule_name": "Kubectl Secrets Enumeration Across All Namespaces",
+ "sha256": "dd2e61c000cb7733d1035682841ea2bd21ce20c73dc2b64c291657550b304ab2",
+ "type": "eql",
+ "version": 1
+ },
 "a8aaa49d-9834-462d-bf8f-b1255cebc004": {
 "rule_name": "Authentication via Unusual PAM Grantor",
 "sha256": "60319003b74e45deda3b2f9aef3f6d1b8a77a689505e9b01bdb66e0edc283460",
@@ -8109,6 +8141,12 @@
 "type": "eql",
 "version": 319
 },
+ "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": {
+ "rule_name": "Suspicious Python Shell Command Execution",
+ "sha256": "dd9a52bf74d28ebffb64b83134917f8d6aee148108e4fb2f7cde27b41fb69285",
+ "type": "esql",
+ "version": 1
+ },
 "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
 "rule_name": "Code Signing Policy Modification Through Built-in tools",
 "sha256": "b39b64612ea429e5a2ed645157eee033df7f908d4e338f5dc7f27ef9f7257b39",
@@ -8164,9 +8202,9 @@
 }
 },
 "rule_name": "Kubernetes Direct API Request via Curl or Wget",
- "sha256": "2480a691df156e4b8b134f42d326af3b6b6b0bbd07fbbf0423a8dd61e8097906",
+ "sha256": "20b5bcb6b45398978619e78190a331e01385bd5c092d0769e6b36d1c8a28e413",
 "type": "eql",
- "version": 102
+ "version": 103
 },
 "b5877334-677f-4fb9-86d5-a9721274223b": {
 "rule_name": "Clearing Windows Console History",
@@ -8296,6 +8334,12 @@
 "type": "query",
 "version": 1
 },
+ "b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c": {
+ "rule_name": "Potential Credential Discovery via Recursive Grep",
+ "sha256": "6e1f7fd530c168e50461f4e7afc7b92b389edc311ca0657f61cae0b885e3fab0",
+ "type": "esql",
+ "version": 1
+ },
 "b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": {
 "rule_name": "M365 Purview DLP Signal",
 "sha256": "04360f0ce85534f39be7ba0ec1699302b04855d9ef703ccd49c39e0d6e39c3e7",
@@ -8550,9 +8594,9 @@
 },
 "be70614d-4295-473c-a953-582aef41c865": {
 "rule_name": "Potential Data Exfiltration Through Curl",
- "sha256": "b473299604ae3ab3ae196b7fd790ffe7ac3e4fc11881a5cccd79510e5582e25c",
+ "sha256": "6ebfa1674b4fb1f63c8b2f093c2b147a12ca9cc31050e7e5dcc13e1338e4bd3e",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "rule_name": "Searching for Saved Credentials via VaultCmd",
@@ -9112,6 +9156,12 @@
 "type": "eql",
 "version": 1
 },
+ "cbda9a0e-2be4-4eaa-9571-8d6a503e9828": {
+ "rule_name": "Kubernetes Secret Access via Unusual User Agent",
+ "sha256": "779866cad0e79ce9f2c9c7234c09cc2ccc2d4642c9bec7b268d036a244638cd6",
+ "type": "new_terms",
+ "version": 1
+ },
 "cc16f774-59f9-462d-8b98-d27ccd4519ec": {
 "rule_name": "Process Discovery via Tasklist",
 "sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
@@ -9650,9 +9700,9 @@
 },
 "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
 "rule_name": "Python Site or User Customize File Creation",
- "sha256": "23e9b2ae32366bd7367b52c73f3e73c3b04f0351467e4f9a4b06d5d28f145dbb",
+ "sha256": "60863e4019007a38c549c67afc285d909ed41523046489f619dd198934b92715",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "d79c4b2a-6134-4edd-86e6-564a92a933f9": {
 "rule_name": "Azure Blob Storage Permissions Modified",
@@ -10637,9 +10687,9 @@
 }
 },
 "rule_name": "File Execution Permission Modification Detected via Defend for Containers",
- "sha256": "c02875fc6dfc7d8a299910738b01d4334c0184bc205d79b15c22974fb6271f10",
+ "sha256": "cb17a8960fbe32d16f37c061338c7d98a517c4803aa4f73b976ef7ad40c15496",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": {
 "rule_name": "Kubernetes Forbidden Creation Request",
@@ -11629,6 +11679,12 @@
 "type": "eql",
 "version": 10
 },
+ "feba48f6-40ca-4d04-b41f-5dfa327de865": {
+ "rule_name": "Data Encrypted via OpenSSL Utility",
+ "sha256": "7e4c14c019100eba38aacd09b9887e2a69be967cb5d4d31da74999b96845c8d4",
+ "type": "eql",
+ "version": 1
+ },
 "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
 "rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
 "sha256": "296701dc33e1684c4011dbf1ccfd9d85369255ae83c23295e720aa97b8e4136d",
diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md
index f29e6e812..ee5929233 100644
--- a/docs-dev/ATT&CK-coverage.md
+++ b/docs-dev/ATT&CK-coverage.md
@@ -182,6 +182,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-microsoft-entra-id-protection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-entra-id-sign-in-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-sign-in-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-microsoft-exchange-online-message-trace](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-exchange-online-message-trace.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-exchange](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-exchange.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-graph-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph-activity-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-graph](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 7c21c4c2a..b5c951d39 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.9"
+version = "1.6.10"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"