security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 (#3155)

Browse Source 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 0e2ae5b9ef)
This commit is contained in:
github-actions[bot]
2023-10-03 14:34:22 -04:00
parent 54303f84fc
commit e38cb6ee58
1 changed files with 116 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+116 -2
View File
@@ -169,6 +169,13 @@
"type": "eql",
"version": 4
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "8.5",
"rule_name": "Unusual Remote File Size",
"sha256": "4474648fdc8f0b955f03bda5337ba2f2645db4f902f82c9b5f399502684d327d",
"type": "machine_learning",
"version": 1
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
@@ -806,6 +813,13 @@
"type": "eql",
"version": 100
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"min_stack_version": "8.5",
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "eea67da7d863bb4da8802088e97d3e0f188941c8484338c6e17099c6f9c88450",
"type": "machine_learning",
"version": 1
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -820,6 +834,13 @@
"type": "machine_learning",
"version": 106
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"min_stack_version": "8.5",
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "c2a98c086c35d0e6339615bc26c449c6e6e2a3cb850572c19b445f22fd02d3bc",
"type": "machine_learning",
"version": 1
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"min_stack_version": "8.8",
"rule_name": "Suspicious Network Tool Launched Inside A Container",
@@ -1120,6 +1141,13 @@
"type": "eql",
"version": 105
},
"2377946d-0f01-4957-8812-6878985f515d": {
"min_stack_version": "8.5",
"rule_name": "Remote File Creation on a Sensitive Directory",
"sha256": "6c62d2b1221abd06ad64acfcf05620adc52bc244fa55a8eccf63b284d974ab08",
"type": "eql",
"version": 1
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
"rule_name": "Lateral Movement via Startup Folder",
@@ -1447,6 +1475,13 @@
"type": "eql",
"version": 106
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"min_stack_version": "8.5",
"rule_name": "Malicious Remote File Creation",
"sha256": "a77b63c0cec99d37a8e4a3609137a34580f0cca84198c663fb6adcb5efb462bf",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Creation",
@@ -1607,6 +1642,13 @@
"type": "eql",
"version": 104
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"min_stack_version": "8.5",
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "5e13a7be5f8a00aa914acf030478774a709c75e65e739272b194674bebf33f1d",
"type": "machine_learning",
"version": 1
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious File Edit",
@@ -1780,6 +1822,13 @@
"type": "query",
"version": 106
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"min_stack_version": "8.5",
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "65fe46f9242a840f6c97a70fa3782f5c6b4b016bf458fecb8460e3ca8e3e17f3",
"type": "machine_learning",
"version": 1
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
@@ -1852,6 +1901,13 @@
"type": "eql",
"version": 2
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"min_stack_version": "8.5",
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "616e8eb4fc391b32d81e6e8219a3c053453306a6048116d1e837b55ec439363f",
"type": "machine_learning",
"version": 1
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
"rule_name": "Unusual Persistence via Services Registry",
@@ -3614,6 +3670,13 @@
"type": "query",
"version": 101
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "8.5",
"rule_name": "Unusual Remote File Extension",
"sha256": "6e54a46cf82894aa5484fcd4379b15fedf0c9cb10afb88344a3035f32f6a5727",
"type": "machine_learning",
"version": 1
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script Block Logging Disabled",
@@ -3911,6 +3974,13 @@
"type": "eql",
"version": 7
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"min_stack_version": "8.3",
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "4aee04fcae9856c8db9a767d12e37c08a83d89f0665b4be03150aa01c6e03b4b",
"type": "eql",
"version": 1
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "8.8",
"rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
@@ -4689,6 +4759,13 @@
"type": "eql",
"version": 104
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.5",
"rule_name": "High Mean of RDP Session Duration",
"sha256": "261e95ec78136218300b4b17a48e642b472f7a6cd692487fb36e3a707b6ce56a",
"type": "machine_learning",
"version": 1
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
@@ -4717,6 +4794,13 @@
"type": "eql",
"version": 1
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"min_stack_version": "8.5",
"rule_name": "High Variance in RDP Session Duration",
"sha256": "7b577644248850837c58cfb8850fdce3df772501393676bb090118f5ca4c3f22",
"type": "machine_learning",
"version": 1
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
@@ -5357,6 +5441,13 @@
"type": "eql",
"version": 105
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"min_stack_version": "8.5",
"rule_name": "Unusual Remote File Directory",
"sha256": "031fe3c29bbf87093165028e79236de7553cdf3f3f10ab76a86289f3e6dfa1f6",
"type": "machine_learning",
"version": 1
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
"rule_name": "Searching for Saved Credentials via VaultCmd",
@@ -6374,6 +6465,13 @@
"type": "threshold",
"version": 105
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"min_stack_version": "8.3",
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "b30b5b205b4d258de4072197ae2f131b0716891f4297ffc36e6a2549b7ca66fc",
"type": "eql",
"version": 1
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"min_stack_version": "7.16",
"rule_name": "Whitespace Padding in Process Command Line",
@@ -6586,11 +6684,20 @@
"version": 105
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "ab002c02bd96a6d77776ccb1b5fe96cb19d8ee3fa408b8c5853d7a4580f3fc18",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
"type": "eql",
"version": 4
"version": 105
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"min_stack_version": "8.3",
@@ -6669,6 +6776,13 @@
"type": "eql",
"version": 104
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"min_stack_version": "8.5",
"rule_name": "Spike in Remote File Transfers",
"sha256": "0f4119237d356fe2c032c074c5de136fb71aec5533ecac64a6152b49c3b3f92a",
"type": "machine_learning",
"version": 1
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",