Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4820)

detection_rules/etc/version.lock.json

@@ -127,9 +127,9 @@
   },
   "035889c4-2686-4583-a7df-67f89c292f2c": {
     "rule_name": "High Number of Process and/or Service Terminations",
-    "sha256": "b222726fe75a2d97f2c6af63ccff582a6efbe1e087ea0f4ff4a5bd499c7e71c9",
+    "sha256": "2a22d0f3cf317970be4b88c0a8ccdfe129a55d326c2025d0b931e84121a5ba59",
     "type": "threshold",
-    "version": 215
+    "version": 216
   },
   "035a6f21-4092-471d-9cda-9e379f459b1e": {
     "rule_name": "Potential Memory Seeking Activity",
@@ -234,10 +234,10 @@
     "version": 216
   },
   "064a2e08-25da-11f0-b1f1-f661ea17fbcd": {
-    "rule_name": "Microsoft Entra ID Protection Anonymized IP Risk Detection",
-    "sha256": "88d6085f4cb924d5a89fc80c05f57e7de76c00a86a1143008272edbe9adbb28c",
+    "rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk",
+    "sha256": "2d9696b9804309379956f4234f1de956bb83f53271f594fef7e22b983003fb70",
     "type": "query",
-    "version": 1
+    "version": 2
   },
   "06568a02-af29-4f20-929c-f3af281e41aa": {
     "rule_name": "System Time Discovery",
@@ -836,9 +836,9 @@
   },
   "14de811c-d60f-11ec-9fd7-f661ea17fbce": {
     "rule_name": "Kubernetes User Exec into Pod",
-    "sha256": "e576e9c1ea21e8d5d59a7fe99cca4528e6d951ac751cb86a7b5f01b7b530854f",
-    "type": "query",
-    "version": 206
+    "sha256": "612193e6d925016d5bfecf2a0fdbf8578516233997c0629e4301c91e16c779f3",
+    "type": "eql",
+    "version": 207
   },
   "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
     "rule_name": "Potential Persistence via Time Provider Modification",
@@ -898,6 +898,12 @@
     "type": "eql",
     "version": 112
   },
+  "1600f9e2-5be6-4742-8593-1ba50cd94069": {
+    "rule_name": "Kubectl Permission Discovery",
+    "sha256": "fbccf3b9c6e75b3c174b09bdefb11e2c2497b56987ab37d56ae81e1b243f6459",
+    "type": "eql",
+    "version": 1
+  },
   "160896de-b66f-42cb-8fef-20f53a9006ea": {
     "rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
     "sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
@@ -1549,9 +1555,9 @@
   },
   "264c641e-c202-11ef-993e-f661ea17fbce": {
     "rule_name": "AWS EC2 Deprecated AMI Discovery",
-    "sha256": "e1b5c74b588f7185d199e465d42bb2342825c359e88902b82c77c9adeae91b10",
+    "sha256": "96bd4f7b0a5632f55759aab37fe89da7663eb3daeeaf0f9720d265a48a50ab5c",
     "type": "query",
-    "version": 4
+    "version": 5
   },
   "265db8f5-fc73-4d0d-b434-6483b56372e2": {
     "rule_name": "Persistence via Update Orchestrator Service Hijack",
@@ -1720,9 +1726,9 @@
   },
   "28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
     "rule_name": "Shell Configuration Creation or Modification",
-    "sha256": "8b70188e6d20f104a1a2d92709089bf114cb1474bb219f9901eea546a992c479",
+    "sha256": "960cf081df43627f6f9371b360266a01b45c8d4bae647d0c1e9152c5bba3193e",
     "type": "eql",
-    "version": 8
+    "version": 9
   },
   "29052c19-ff3e-42fd-8363-7be14d7c5469": {
     "rule_name": "AWS EC2 Security Group Configuration Change",
@@ -1843,6 +1849,13 @@
     "type": "eql",
     "version": 205
   },
+  "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": {
+    "min_stack_version": "8.17",
+    "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
+    "sha256": "0f02e577ddc1fe851a0145485a0c80e9146f51ff9d58736c18233e59adcdc755",
+    "type": "esql",
+    "version": 1
+  },
   "2d8043ed-5bda-4caf-801c-c1feb7410504": {
     "rule_name": "Enumeration of Kernel Modules",
     "sha256": "32aeae8271aadc06ca29f0a5bdc384f811d8f1bc3da2df99cdaccfd42035f467",
@@ -2166,9 +2179,9 @@
   },
   "35df0dd8-092d-4a83-88c1-5151a804f31b": {
     "rule_name": "Unusual Parent-Child Relationship",
-    "sha256": "1b35387c2bbd3ea58f517390de61ae4e7f9a49e77ab67a08ee3f80135d42bc74",
+    "sha256": "dbd205d0455f5c80c9c6ef5c0bc88b7a2028098a9aefde11c54d3b8b9f3fbcca",
     "type": "eql",
-    "version": 318
+    "version": 319
   },
   "35f86980-1fb1-4dff-b311-3be941549c8d": {
     "rule_name": "Network Traffic to Rare Destination Country",
@@ -2215,10 +2228,10 @@
   },
   "375132c6-25d5-11f0-8745-f661ea17fbcd": {
     "min_stack_version": "8.17",
-    "rule_name": "Suspicious Activity via Auth Broker On-Behalf-of Principal User",
-    "sha256": "09ed97c79557bbb088d9225dead1bf3c06b746875cf3480922bf1dda5c00e832",
+    "rule_name": "Suspicious Microsoft OAuth Flow via Auth Broker to DRS",
+    "sha256": "d30059429db55e2153898e53be14f42ddd4df5776f79a3702905867ae95cd0fe",
     "type": "esql",
-    "version": 1
+    "version": 2
   },
   "378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
     "rule_name": "AWS RDS Security Group Creation",
@@ -2311,9 +2324,9 @@
   },
   "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
     "rule_name": "AWS EC2 Network Access Control List Creation",
-    "sha256": "a9e5edeb06a2a0c3f67c23b8f098504518bd2b07cf13e0c182bfd1343554d719",
+    "sha256": "91741e10ac5227692cd6659e65bdb206406e59a0bb49b4beb07ee9b30d3d6a23",
     "type": "query",
-    "version": 209
+    "version": 210
   },
   "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
     "rule_name": "Downloaded Shortcut Files",
@@ -2629,9 +2642,9 @@
   },
   "4182e486-fc61-11ee-a05d-f661ea17fbce": {
     "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
-    "sha256": "8e761cae475d2ad1f1ccab98b9c8dbcb1ba6a2ed51cd309d4481595eaf355106",
+    "sha256": "a2c672b192a6a57d9e17c240ef6f3a68afa730cc1a44e87636d7b6cb3a2019d3",
     "type": "esql",
-    "version": 5
+    "version": 6
   },
   "41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
     "rule_name": "Potential Hidden Local User Account Creation",
@@ -2901,6 +2914,12 @@
     "type": "eql",
     "version": 6
   },
+  "4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd": {
+    "rule_name": "Entra ID Protection - Risk Detection - User Risk",
+    "sha256": "c5af00471be7064f2bfaee19936213324f7b4fa530bd99fdc16906ebab0a5800",
+    "type": "query",
+    "version": 1
+  },
   "4b438734-3793-4fda-bd42-ceeada0be8f9": {
     "rule_name": "Disable Windows Firewall Rules via Netsh",
     "sha256": "8b0ebf29f24beae56eb99431550627a0e281254d764c3580a9a8d69ce2e6b145",
@@ -2915,9 +2934,9 @@
   },
   "4b74d3b0-416e-4099-b432-677e1cd098cc": {
     "rule_name": "Container Management Utility Run Inside A Container",
-    "sha256": "5ce2c11eda9bb4d6a21eaec46735b3b7f1af2d90a40e84d7e416e8f271b7bdcb",
+    "sha256": "773a6f1539f3ddbe4a7ccc56216caa6b20e7fd231b42179cae8005b092865955",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
     "rule_name": "ProxyChains Activity",
@@ -3616,6 +3635,12 @@
     "type": "query",
     "version": 109
   },
+  "5e23495f-09e2-4484-8235-bdb150d698c9": {
+    "rule_name": "Potential CVE-2025-33053 Exploitation",
+    "sha256": "e515ba416d112f154ee9c1ea73f1ac151201233455473ca6ac4c7bb238c79648",
+    "type": "eql",
+    "version": 1
+  },
   "5e4023e7-6357-4061-ae1c-9df33e78c674": {
     "rule_name": "Memory Swap Modification",
     "sha256": "4057788684412d061d4da08a599e2826415b89cea6358903f10773366b45d795",
@@ -3821,9 +3846,9 @@
   },
   "64f17c52-6c6e-479e-ba72-236f3df18f3d": {
     "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
-    "sha256": "64241fbdce4cbe75d6d49945bec0a265cc28502d993e961ef207916659bbc716",
+    "sha256": "17766af17fc98cb55a5faad620667ecf1fa5ce5f55b01721a2b83abc678a766e",
     "type": "esql",
-    "version": 1
+    "version": 2
   },
   "6505e02e-28dd-41cd-b18f-64e649caa4e2": {
     "rule_name": "Manual Memory Dumping via Proc Filesystem",
@@ -4186,9 +4211,9 @@
   },
   "6ddb6c33-00ce-4acd-832a-24b251512023": {
     "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
-    "sha256": "d76b1ae821692910302705f22322c89936e5db62bfe2fa3a8f3b3b2f747eb1ed",
+    "sha256": "c363d877bead10e2100d942d71225435cf896ecd1aedeaf07ba3f4c0f3053cdc",
     "type": "esql",
-    "version": 1
+    "version": 2
   },
   "6ded0996-7d4b-40f2-bf4a-6913e7591795": {
     "rule_name": "Root Certificate Installation",
@@ -4204,9 +4229,9 @@
   },
   "6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
     "rule_name": "Loadable Kernel Module Configuration File Creation",
-    "sha256": "80d291535238ff34e7e30ff84739bc7c3ed2e73b19a111bed581d3957c59c011",
+    "sha256": "9b9b7f3c885260e578a0b82883d82007dc06ce8b50492c1ca835a211db9d8dc0",
     "type": "eql",
-    "version": 4
+    "version": 5
   },
   "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
     "rule_name": "Anomalous Process For a Windows Population",
@@ -4345,6 +4370,12 @@
     "type": "eql",
     "version": 110
   },
+  "713e0f5f-caf7-4dc2-88a7-3561f61f262a": {
+    "rule_name": "AWS EC2 EBS Snapshot Access Removed",
+    "sha256": "f5c4dc11b300026e5ae6340b94306e6264a22d7e196af355106e7ece622f9170",
+    "type": "esql",
+    "version": 1
+  },
   "7164081a-3930-11ed-a261-0242ac120002": {
     "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
     "sha256": "54cd3de4ffd1a4bfc1e0716fdb06810274be795ecfa4e0a75fc5917a5ede585a",
@@ -4971,10 +5002,10 @@
     "version": 113
   },
   "8446517c-f789-11ee-8ad0-f661ea17fbce": {
-    "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
-    "sha256": "b0619e673aa470b69e0b071f0a63e3cab3caaec325d779132a3ff1174623fde0",
+    "rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
+    "sha256": "09f6c49d3b72f57141f343b4f77c8b4112cb859139b6ef1a85f09ae998fb6a1f",
     "type": "new_terms",
-    "version": 6
+    "version": 7
   },
   "846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
     "rule_name": "Microsoft Exchange Transport Agent Install Script",
@@ -5027,9 +5058,9 @@
   },
   "8623535c-1e17-44e1-aa97-7a0699c3037d": {
     "rule_name": "AWS EC2 Network Access Control List Deletion",
-    "sha256": "b99dcebd1096e5fc20ee2446166c388a7b01f8f46fb77848b2ab642b2b11f6b7",
+    "sha256": "c274913be86de801027a68714627b0f65176fd765156673efcebb2bcd5996bfa",
     "type": "query",
-    "version": 209
+    "version": 210
   },
   "863cdf31-7fd3-41cf-a185-681237ea277b": {
     "rule_name": "AWS RDS Security Group Deletion",
@@ -5492,9 +5523,9 @@
   },
   "9395fd2c-9947-4472-86ef-4aceb2f7e872": {
     "rule_name": "AWS VPC Flow Logs Deletion",
-    "sha256": "252ac0fc6dac5368e41dd109d36d473558120c52028da04298adb0fd9c1c848e",
+    "sha256": "a7065e1b8fe61ce3a22ffa4ef3c73475edafa82b86918e0e0c1225bc06fd4203",
     "type": "query",
-    "version": 211
+    "version": 212
   },
   "93b22c0a-06a0-4131-b830-b10d5e166ff4": {
     "rule_name": "Suspicious SolarWinds Child Process",
@@ -5783,10 +5814,10 @@
     "version": 209
   },
   "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
-    "rule_name": "AWS EC2 Snapshot Activity",
-    "sha256": "74ef6df7d216e8b65caba920e194ef7cd329e9f19b2a41a57fdcc80f4af8914c",
+    "rule_name": "Deprecated - AWS EC2 Snapshot Activity",
+    "sha256": "f018635a33a67f68ce5ed0b514c90f9a136b4bb3e7d4b2991c4d51c8bc7cb121",
     "type": "query",
-    "version": 211
+    "version": 212
   },
   "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
     "rule_name": "Process Injection - Prevented - Elastic Endgame",
@@ -5818,6 +5849,12 @@
     "type": "eql",
     "version": 106
   },
+  "99ac5005-8a9e-4625-a0af-5f7bb447204b": {
+    "rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
+    "sha256": "386127d0c66af62ae5577f0cd57b8f5c8627cbcc9d3484f413ffe10d01dcabb2",
+    "type": "eql",
+    "version": 1
+  },
   "99c2b626-de44-4322-b1f9-157ca408c17e": {
     "rule_name": "Web Server Spawned via Python",
     "sha256": "77b22cd08b5914432d68b171d61a3905c8672618463d246175b170c87f519845",
@@ -5854,6 +5891,12 @@
     "type": "eql",
     "version": 312
   },
+  "9a6f5d74-c7e7-4a8b-945e-462c102daee4": {
+    "rule_name": "Kubeconfig File Discovery",
+    "sha256": "4b6e2373aa7b6061a428b812e35745483880c096f4fee191fb913240d1e572fa",
+    "type": "eql",
+    "version": 1
+  },
   "9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
     "rule_name": "Scheduled Tasks AT Command Enabled",
     "sha256": "4b91494419375f075074641d265c9472249db37ae1bd4883afff77746fac5ae9",
@@ -5980,6 +6023,12 @@
     "type": "new_terms",
     "version": 4
   },
+  "9ebd48ac-a0e2-430a-a219-fe072a50146b": {
+    "rule_name": "AWS CloudTrail Log Evasion",
+    "sha256": "9e5d44c6c292f3f18557af3764294a0e03bfcc100c90a5eb9a012b201ecdaca2",
+    "type": "query",
+    "version": 1
+  },
   "9edd1804-83c7-4e48-b97d-c776b4c97564": {
     "rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
     "sha256": "6a515fb5dd38fdc765201c0cd3ed8ab1bfbfbea0dbe8f0f6aa079de7770fcc26",
@@ -6181,9 +6230,9 @@
   },
   "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
     "rule_name": "AWS IAM Assume Role Policy Update",
-    "sha256": "d7b40a3892c7573279dbc52673e975ecee3c2c10770c90a7041b120009c6f37e",
+    "sha256": "9584518787484f72c256fff654ff994c12be947f48b98532c3015aea697a3b94",
     "type": "new_terms",
-    "version": 212
+    "version": 213
   },
   "a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
     "rule_name": "Azure Active Directory PowerShell Sign-in",
@@ -6387,9 +6436,9 @@
   },
   "ac5a2759-5c34-440a-b0c4-51fe674611d6": {
     "rule_name": "Outlook Home Page Registry Modification",
-    "sha256": "d0449a4563dadd5725ad18cdf7650bb95ec21581946817998cb08147d823afad",
+    "sha256": "6a545cb482f00a99599a606fd89ec0320635566a5f5c7cbc39245111e68d2c2e",
     "type": "eql",
-    "version": 204
+    "version": 205
   },
   "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
     "rule_name": "WPS Office Exploitation via DLL Hijack",
@@ -6589,6 +6638,12 @@
     "type": "esql",
     "version": 1
   },
+  "b11116fd-023c-4718-aeb8-fa9d283fc53b": {
+    "rule_name": "Kubeconfig File Creation or Modification",
+    "sha256": "433c519eca574db06b9495334f4964984b21ba89d66d59c039816ca7cd62886c",
+    "type": "eql",
+    "version": 1
+  },
   "b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
     "rule_name": "Hidden Directory Creation via Unusual Parent",
     "sha256": "0cf427bce0665a9f2c65ff8c2a3e0e55c2def5a3360f8fe744de9f85b85354ac",
@@ -7145,9 +7200,9 @@
   },
   "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
     "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
-    "sha256": "5257f8214728864891c026bd4b35e24b22d0fe5b89fc60fdaec6f11588fb5d60",
+    "sha256": "defe0bc07c56e49e5594a7309be55cfa4b60ca9bb421b2f270389797ecf625d0",
     "type": "new_terms",
-    "version": 5
+    "version": 6
   },
   "c20cd758-07b1-46a1-b03f-fa66158258b8": {
     "rule_name": "Unsigned DLL Loaded by a Trusted Process",
@@ -7167,6 +7222,12 @@
     "type": "eql",
     "version": 316
   },
+  "c28750fa-4092-11f0-aca6-f661ea17fbcd": {
+    "rule_name": "BloodHound Suite User-Agents Detected",
+    "sha256": "dcb1aa029f3628fdc348daa9e3574a8e482cb7f8645f5f085334c21ed9a070b0",
+    "type": "eql",
+    "version": 1
+  },
   "c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
     "rule_name": "Unusual Linux Network Connection Discovery",
     "sha256": "34592f9549c2e381560c9c9a7a71bbb31090e65c7531ba8336578f4a2af2563e",
@@ -7312,10 +7373,10 @@
     "version": 100
   },
   "c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
-    "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
-    "sha256": "5dc411adacd7845d2c32dfe1d1b08f2b7cfb75f5e07a9ca693f8b1050edb2fa3",
+    "rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
+    "sha256": "99b9962c6c09378b4025d49a579ee99cb8a9ae0277d461ac8296cc86e51c6e49",
     "type": "esql",
-    "version": 3
+    "version": 4
   },
   "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
     "rule_name": "AWS IAM API Calls via Temporary Session Tokens",
@@ -7621,9 +7682,9 @@
   },
   "cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
     "rule_name": "Downloaded URL Files",
-    "sha256": "c8fa16c73d4a4ff4302a2c71c2972cb7bc87d320079d24f10185b7e511c59b52",
+    "sha256": "4a47b2f5d23fc106e911c3431fc7d04910bf0abfb0acde9b0815898441f17516",
     "type": "eql",
-    "version": 6
+    "version": 7
   },
   "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
     "min_stack_version": "8.15",
@@ -7659,9 +7720,9 @@
   },
   "cde1bafa-9f01-4f43-a872-605b678968b0": {
     "rule_name": "Potential PowerShell HackTool Script by Function Names",
-    "sha256": "85eb65d42abc1d3a89fc72ca22fbeaf7a401dbea06c2871819b0e173688eade5",
+    "sha256": "db282c1b5260005aaac9a7be20f9fdf5dfd6193ead99215421700d509c677f57",
     "type": "query",
-    "version": 216
+    "version": 217
   },
   "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
     "rule_name": "Shadow File Modification by Unusual Process",
@@ -7687,6 +7748,12 @@
     "type": "eql",
     "version": 315
   },
+  "ce73954b-a0a4-4f05-b67b-294c500dac77": {
+    "rule_name": "Kubernetes Service Account Secret Access",
+    "sha256": "698e8aa937abca509a33d7a5bfa1a0fc2905bcd055e884d97349ec35b2e4429f",
+    "type": "eql",
+    "version": 1
+  },
   "cf53f532-9cc9-445a-9ae7-fced307ec53c": {
     "rule_name": "Cobalt Strike Command and Control Beacon",
     "sha256": "358f978a2e6f3e446c7216cd749cba581f6d777dd924f3883764e299d4ff4945",
@@ -8008,6 +8075,12 @@
     "type": "query",
     "version": 108
   },
+  "d84a11c0-eb12-4e7d-8a0a-718e38351e29": {
+    "rule_name": "Potential Machine Account Relay Attack via SMB",
+    "sha256": "6f4aee34c8f0feb976f365d1cd5bdf3e176e9989cd95d28708daeab47a106a7b",
+    "type": "eql",
+    "version": 1
+  },
   "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
     "rule_name": "Untrusted Driver Loaded",
     "sha256": "fefd28d4a5e4cbad93ef34c95fce341b58293c0d2c1b4ede0b99b541b64c82bb",
@@ -8652,9 +8725,9 @@
   },
   "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
     "rule_name": "Potential PowerShell Obfuscation via String Reordering",
-    "sha256": "30bd3238b8867d94701c4f3fc502b74298005cad84fef3368f4aa0587900a832",
+    "sha256": "d9a43f6435dbbafdf88bd9f933023d11a9d1ec0d52465af7e48642ee3d415a75",
     "type": "esql",
-    "version": 2
+    "version": 3
   },
   "e90ee3af-45fc-432e-a850-4a58cf14a457": {
     "min_stack_version": "8.15",
@@ -9278,8 +9351,14 @@
   },
   "f6d8c743-0916-4483-8333-3c6f107e0caa": {
     "rule_name": "Potential PowerShell Obfuscation via String Concatenation",
-    "sha256": "6169ac41dcca7234b32135552fcb0db95bab95cce4966d55a5e70618ef4c178e",
+    "sha256": "a8446f13b0d4ab167367fc332fed02fe68f5ff6e8c0eb79f8fe127986ac00ba4",
     "type": "esql",
+    "version": 2
+  },
+  "f701be14-0a36-4e9a-a851-b3e20ae55f09": {
+    "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
+    "sha256": "023f201f19f55fa32002748bd7a5baf47607e32cd8939b2a67821dce314dd210",
+    "type": "query",
     "version": 1
   },
   "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
@@ -9433,9 +9512,9 @@
   },
   "f9abcddc-a05d-4345-a81d-000b79aa5525": {
     "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
-    "sha256": "5049ed89606ac8c5067143066404d7ebf1a25a9bbdebd6935a521f1a126e6ff5",
+    "sha256": "c5aeb231b7a3abfef05bd0dfb0c916ffaf0d0651cba897293d28fb262959dc58",
     "type": "esql",
-    "version": 1
+    "version": 2
   },
   "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
     "rule_name": "Remote File Copy to a Hidden Share",

docs-dev/ATT&CK-coverage.md

@@ -85,6 +85,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-aws-sts](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sts.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-systems-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-systems-manager.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-azure-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-activity-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-bbr](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bbr.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-bpfdoor](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bpfdoor.json&leave_site_dialog=false&tabs=false)|
@@ -117,8 +118,11 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-github.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-google-cloud-platform](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-google-cloud-platform.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-google-workspace](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-google-workspace.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-graph-api-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-graph-api-activity-logs.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-graph-api](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-graph-api.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-higher-order-rule](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-higher-order-rule.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-identity-and-access-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-and-access-audit.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-identity](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-impact](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-impact.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-initial-access](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-initial-access.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-investigation-guide](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-investigation-guide.json&leave_site_dialog=false&tabs=false)|
@@ -155,6 +159,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-privileged-access-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-privileged-access-detection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-reconnaissance](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-reconnaissance.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-resource-development](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-resource-development.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-risk-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-risk-detection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-rootkit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-rootkit.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-saas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-saas.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-sentinelone](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sentinelone.json&leave_site_dialog=false&tabs=false)|

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.19"
+version = "1.2.20"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"