From de2b97a492e6e6b3f9b7ddd9430db247ff5374b9 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 18 Sep 2023 11:14:42 -0400
Subject: [PATCH] Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 (#3108)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 detection_rules/etc/version.lock.json | 135 +++++++++++++++++++++++---
 1 file changed, 120 insertions(+), 15 deletions(-)
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 64e084555..c18651999 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -190,6 +190,13 @@
 "type": "eql",
 "version": 106
 },
+ "07639887-da3a-4fbf-9532-8ce748ff8c50": {
+ "min_stack_version": "8.3",
+ "rule_name": "GitHub Protected Branch Settings Changed",
+ "sha256": "b801d28bb5398fb531f21cecefae0f3c21b0d7b4c675fc8349ccf4448e7a2b7c",
+ "type": "eql",
+ "version": 1
+ },
 "0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Proc Pseudo File System Enumeration",
@@ -340,9 +347,9 @@
 "0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
 "min_stack_version": "8.5",
 "rule_name": "Threat Intel IP Address Indicator Match",
- "sha256": "88e3b7fed59fc79874b0d6375168a21a7623b3a38a74c838ea3c3698190a92d1",
+ "sha256": "421308bb2c832aaa4cdbefbde389b0ff645e12fc5d7ea78c9296139099772abb",
 "type": "threat_match",
- "version": 2
+ "version": 3
 },
 "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
 "min_stack_version": "8.3",
@@ -637,6 +644,13 @@
 "type": "query",
 "version": 102
 },
+ "14dab405-5dd9-450c-8106-72951af2391f": {
+ "min_stack_version": "8.3",
+ "rule_name": "Office Test Registry Persistence",
+ "sha256": "2a26bc9292902c92d9bc73a14ff7e20ffa9c0904b209692b1e8e23bd32c88fb3",
+ "type": "eql",
+ "version": 1
+ },
 "14de811c-d60f-11ec-9fd7-f661ea17fbce": {
 "min_stack_version": "8.4",
 "previous": {
@@ -967,6 +981,13 @@
 "type": "query",
 "version": 6
 },
+ "1f460f12-a3cf-4105-9ebb-f788cc63f365": {
+ "min_stack_version": "8.3",
+ "rule_name": "Unusual Process Execution on WBEM Path",
+ "sha256": "7d596dca903c48dde13a6b90746947628693b11dd9140e3eb89ca6eba10ae966",
+ "type": "eql",
+ "version": 1
+ },
 "1faec04b-d902-4f89-8aff-92cd9043c16f": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Linux User Calling the Metadata Service",
@@ -1036,6 +1057,13 @@
 "type": "query",
 "version": 100
 },
+ "210d4430-b371-470e-b879-80b7182aa75e": {
+ "min_stack_version": "8.3",
+ "rule_name": "Mofcomp Activity",
+ "sha256": "d42c6a1889b42bcd83cb46d9838038cfd4248b792d5fef1abc4cedc81b269d4a",
+ "type": "eql",
+ "version": 1
+ },
 "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
 "min_stack_version": "8.4",
 "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
@@ -1517,6 +1545,13 @@
 "type": "eql",
 "version": 1
 },
+ "345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
+ "min_stack_version": "8.3",
+ "rule_name": "GitHub Repository Deleted",
+ "sha256": "82225047c1559d8bba7c15944953088395802e8a1ad8fd0552714eee65b22635",
+ "type": "eql",
+ "version": 1
+ },
 "34fde489-94b0-4500-a76f-b8a157cf9269": {
 "min_stack_version": "8.3",
 "rule_name": "Accepted Default Telnet Port Connection",
@@ -1655,6 +1690,13 @@
 "type": "query",
 "version": 103
 },
+ "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
+ "min_stack_version": "8.3",
+ "rule_name": "Downloaded Shortcut Files",
+ "sha256": "362ab87565072831948627491a1ba91889340030ce6f1438122322ffa57acb5d",
+ "type": "eql",
+ "version": 1
+ },
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "min_stack_version": "8.3",
 "rule_name": "Persistence via Microsoft Outlook VBA",
@@ -1706,9 +1748,9 @@
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "a9acccb7d18adc13099ab88eb003c037bf57f2defa18fc91c8945299c38cba92",
+ "sha256": "97b3141cf72282ca02c73091a527edf31e31d10d22d241e91c6d173bc1abd792",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.3",
@@ -2334,12 +2376,19 @@
 "type": "eql",
 "version": 106
 },
+ "53dedd83-1be7-430f-8026-363256395c8b": {
+ "min_stack_version": "8.3",
+ "rule_name": "Binary Content Copy via Cmd.exe",
+ "sha256": "3ab2b049abaa1462ebed7b019dcd5da6957b5328c2ce7d2eb86b87e74a4ec28d",
+ "type": "eql",
+ "version": 1
+ },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "min_stack_version": "8.3",
 "rule_name": "Uncommon Registry Persistence Change",
- "sha256": "950bfce6a55758ef6c60b1fd13ef84531915c61992e405c7217f3bcb40df0f3f",
+ "sha256": "470d8e6c5c1dfd3564bd5f3b59d7853db9137942de25c38e4281b2d16df70ede",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "54a81f68-5f2a-421e-8eed-f888278bb712": {
 "min_stack_version": "8.3",
@@ -2586,6 +2635,13 @@
 "type": "new_terms",
 "version": 6
 },
+ "5c895b4f-9133-4e68-9e23-59902175355c": {
+ "min_stack_version": "8.6",
+ "rule_name": "Potential Meterpreter Reverse Shell",
+ "sha256": "5941e6650b12bc02b03d289fa389b9f2347c53636e6368753bd5917b5a776cd5",
+ "type": "eql",
+ "version": 1
+ },
 "5c983105-4681-46c3-9890-0c66d05e776b": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Linux Process Discovery Activity",
@@ -3537,6 +3593,13 @@
 "type": "eql",
 "version": 3
 },
+ "800e01be-a7a4-46d0-8de9-69f3c9582b44": {
+ "min_stack_version": "8.3",
+ "rule_name": "Unusual Process Extension",
+ "sha256": "15e1dd225bae684eac522b61872faae250a8aac0c4cb71b4e6d68986665587ed",
+ "type": "eql",
+ "version": 1
+ },
 "809b70d3-e2c3-455e-af1b-2626a5a1a276": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual City For an AWS Command",
@@ -4577,6 +4640,13 @@
 "type": "eql",
 "version": 2
 },
+ "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
+ "min_stack_version": "8.6",
+ "rule_name": "Potential Reverse Shell via UDP",
+ "sha256": "2bb373420b8f04de56b4e10442d426787ff255a9ed14d92c64f05a0c3334871f",
+ "type": "eql",
+ "version": 1
+ },
 "a5f0d057-d540-44f5-924d-c6a2ae92f045": {
 "min_stack_version": "8.3",
 "rule_name": "Potential SSH Brute Force Detected on Privileged Account",
@@ -4601,9 +4671,9 @@
 "a61809f3-fb5b-465c-8bff-23a8a068ac60": {
 "min_stack_version": "8.5",
 "rule_name": "Threat Intel Windows Registry Indicator Match",
- "sha256": "1867577987b72a8cb67a4b74b89643d3df862354ae3eadfd616c9b51ec1000a0",
+ "sha256": "4c02e860e8200660cdd059bfaa155532f5b584f3325ac7ffbdafbebcefe5a234",
 "type": "threat_match",
- "version": 2
+ "version": 3
 },
 "a624863f-a70d-417f-a7d2-7a404638d47f": {
 "min_stack_version": "8.3",
@@ -4714,9 +4784,9 @@
 "aab184d3-72b3-4639-b242-6597c99d8bca": {
 "min_stack_version": "8.5",
 "rule_name": "Threat Intel Hash Indicator Match",
- "sha256": "b84f93be7b12d9e7b6dc37e4b6f6f68f717bbb33d181321aaa4a2f77ed66a60d",
+ "sha256": "1532d5577abdf44288ebeb628cd80e676e02e99367876b31e9c46200d37d5e81",
 "type": "threat_match",
- "version": 3
+ "version": 4
 },
 "ab75c24b-2502-43a0-bf7c-e60e662c811e": {
 "min_stack_version": "8.3",
@@ -4889,6 +4959,13 @@
 "type": "eql",
 "version": 105
 },
+ "afd04601-12fc-4149-9b78-9c3f8fe45d39": {
+ "min_stack_version": "8.3",
+ "rule_name": "Network Activity Detected via cat",
+ "sha256": "842200b53b379cfcfe0e98cce8c0775e7120c7312edc3aecaa2cae7783559566",
+ "type": "eql",
+ "version": 1
+ },
 "afe6b0eb-dd9d-4922-b08a-1910124d524d": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via Container Misconfiguration",
@@ -5091,6 +5168,13 @@
 "type": "eql",
 "version": 104
 },
+ "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
+ "min_stack_version": "8.3",
+ "rule_name": "Kirbi File Creation",
+ "sha256": "5cc88228ed8f2119aba7d21bef4e172fec1499a3b3b8168eb439cb581d94c2ac",
+ "type": "eql",
+ "version": 1
+ },
 "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
@@ -5745,6 +5829,13 @@
 "type": "eql",
 "version": 105
 },
+ "cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
+ "min_stack_version": "8.3",
+ "rule_name": "Downloaded URL Files",
+ "sha256": "3b2b2822568470b436f1a1db2ca7db260343faeb5f156b1b3b697a4393137938",
+ "type": "eql",
+ "version": 1
+ },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Deactivate MFA for an Okta User Account",
@@ -5886,6 +5977,13 @@
 "type": "eql",
 "version": 6
 },
+ "d3551433-782f-4e22-bbea-c816af2d41c6": {
+ "min_stack_version": "8.3",
+ "rule_name": "WMI WBEMTEST Utility Execution",
+ "sha256": "687d0e851309a066fb0d13b00750846d62e6da9fca5b2a80f9f8b6864ada9b76",
+ "type": "eql",
+ "version": 1
+ },
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "min_stack_version": "8.3",
 "rule_name": "Shell Execution via Apple Scripting",
@@ -6492,7 +6590,7 @@
 "rule_name": "Suspicious WMI Event Subscription Created",
 "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
 "type": "eql",
- "version": 2
+ "version": 4
 },
 "e74d645b-fec6-431e-bf93-ca64a538e0de": {
 "min_stack_version": "8.3",
@@ -6886,9 +6984,9 @@
 "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
 "min_stack_version": "8.5",
 "rule_name": "Threat Intel URL Indicator Match",
- "sha256": "b03b79e60e32f4744d7db406946e56fc43bf99671ae3c7cd9af2dabdb17d171f",
+ "sha256": "f8210c3d8a13d1354dfe9c14053034eafc71b8bef3477f9e8e7279672ce95601",
 "type": "threat_match",
- "version": 2
+ "version": 3
 },
 "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
 "min_stack_version": "8.3",
@@ -6938,6 +7036,13 @@
 "type": "query",
 "version": 1
 },
+ "f59668de-caa0-4b84-94c1-3a1549e1e798": {
+ "min_stack_version": "8.3",
+ "rule_name": "WMIC Remote Command",
+ "sha256": "dc6e94a20b8f1618cea407e2ac25227adc96daf497e2c1b5b034408f0e1aa3c9",
+ "type": "eql",
+ "version": 1
+ },
 "f5fb4598-4f10-11ed-bdc3-0242ac120002": {
 "min_stack_version": "8.3",
 "rule_name": "Masquerading Space After Filename",
@@ -7004,9 +7109,9 @@
 "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
 "min_stack_version": "8.3",
 "rule_name": "Persistent Scripts in the Startup Directory",
- "sha256": "b1b304251797d95d12cc192562063ef62b6569b453974d77fb9f017320ae1731",
+ "sha256": "afb59ffb04d13b21e0f2cff08ed6f27c27dde808d3cb5b84a5eb3ddb2d566665",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "f81ee52c-297e-46d9-9205-07e66931df26": {
 "min_stack_version": "8.3",