Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (

#3431) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 * Update detection_rules/etc/version.lock.json * updated downloadable updates file to reconcile changes * Removed spacing from downloadable updates file --------- Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit 827dfa7)
elastic · Feb 6, 2024 · 08403c2 · 08403c2
1 parent d87cdbf
commit 08403c2
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 24 deletions.
diff --git a/detection_rules/etc/downloadable_updates.json b/detection_rules/etc/downloadable_updates.json
@@ -153,4 +153,4 @@
       "url": "https://www.elastic.co/guide/en/security/current/prebuilt-rule-0-13-1-prebuilt-rules-0-13-1-summary.html"
     }
   ]
-}
+}
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
@@ -131,6 +131,20 @@
     "type": "threshold",
     "version": 107
   },
+  "035a6f21-4092-471d-9cda-9e379f459b1e": {
+    "min_stack_version": "8.3",
+    "rule_name": "Potential Memory Seeking Activity",
+    "sha256": "cf7288d5a8b54dbec325b6a09a60bfe6e15ec568f36d383957de4e52d825d740",
+    "type": "eql",
+    "version": 1
+  },
+  "0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious Dynamic Linker Discovery via od",
+    "sha256": "ee4583e8996395a3e208c355990b54a0e05d19c2189888df9e14c2a5ae96d52d",
+    "type": "eql",
+    "version": 1
+  },
   "03a514d9-500e-443e-b6a9-72718c548f6c": {
     "min_stack_version": "8.8",
     "rule_name": "SSH Process Launched From Inside A Container",
@@ -1242,6 +1256,13 @@
     "type": "eql",
     "version": 108
   },
+  "202829f6-0271-4e88-b882-11a655c590d4": {
+    "min_stack_version": "8.3",
+    "rule_name": "Executable Masquerading as Kernel Process",
+    "sha256": "9040a822ed47ef2d3bf89675fe2fdb67018a559f75c854ee80ad84714ff4fc4c",
+    "type": "eql",
+    "version": 1
+  },
   "203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
     "min_stack_version": "8.3",
     "rule_name": "Creation or Modification of Root Certificate",
@@ -1788,6 +1809,13 @@
     "type": "eql",
     "version": 108
   },
+  "2f95540c-923e-4f57-9dae-de30169c68b9": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious /proc/maps Discovery",
+    "sha256": "6ff711bf9210efc3644140457f78037989cc2a13cc4d303260183a696d07acb8",
+    "type": "eql",
+    "version": 1
+  },
   "2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
     "min_stack_version": "8.3",
     "rule_name": "Startup Folder Persistence via Unsigned Process",
@@ -3296,9 +3324,9 @@
   "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
     "min_stack_version": "8.4",
     "rule_name": "FirstTime Seen Account Performing DCSync",
-    "sha256": "6d5bf9fe5d4e6cc423f1a2c017576e9714f20baf6d4fa80d1bdf31e37e1e7267",
+    "sha256": "60c5c2f2a9749a79720ee47e2e930a9f80242258293a89a271aa2721701939fd",
     "type": "new_terms",
-    "version": 8
+    "version": 9
   },
   "5c81fc9d-1eae-437f-ba07-268472967013": {
     "min_stack_version": "8.3",
@@ -4071,6 +4099,13 @@
     "type": "eql",
     "version": 107
   },
+  "71d6a53d-abbd-40df-afee-c21fff6aafb0": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious Passwd File Event Action",
+    "sha256": "643fd4dc9cb7afb75d6f948bdf9b15f87829f59236c645698ef6ceb52a951768",
+    "type": "eql",
+    "version": 1
+  },
   "721999d0-7ab2-44bf-b328-6e63367b9b29": {
     "min_stack_version": "8.3",
     "rule_name": "Microsoft 365 Potential ransomware activity",
@@ -4110,9 +4145,9 @@
   "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Modification of Accessibility Binaries",
-    "sha256": "9f5997c2b0fe4dada04cf6f3b344fbaddbe1f19800ee466dd053e2f7cb2879e5",
+    "sha256": "3c39eaa16fbbb098a00adccdbfc303de378e965597565878032ed552bc825043",
     "type": "eql",
-    "version": 108
+    "version": 109
   },
   "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
     "min_stack_version": "8.3",
@@ -4307,9 +4342,9 @@
   "79124edf-30a8-4d48-95c4-11522cad94b1": {
     "min_stack_version": "8.3",
     "rule_name": "File Compressed or Archived into Common Format",
-    "sha256": "ffc63f1281c5daf184121bec10deda5e91670f64baeaf47d2ee5336649bf2c78",
+    "sha256": "18b4a7010976c9f689780ad80ae4d9a48f943c15092dea05795d1f861e867648",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
     "min_stack_version": "8.3",
@@ -4683,6 +4718,13 @@
     "type": "query",
     "version": 205
   },
+  "86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
+    "min_stack_version": "8.3",
+    "rule_name": "Potential Linux Reverse Connection through Port Knocking",
+    "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
+    "type": "eql",
+    "version": 1
+  },
   "870aecc0-cea4-4110-af3f-e02e9b373655": {
     "min_stack_version": "8.3",
     "rule_name": "Security Software Discovery via Grep",
@@ -5375,9 +5417,9 @@
   "97fc44d3-8dae-4019-ae83-298c3015600f": {
     "min_stack_version": "8.3",
     "rule_name": "Startup or Run Key Registry Modification",
-    "sha256": "e35230136b3e8717e95ef5022b13c355c44d14666a14d564449b2982dfc27e9d",
+    "sha256": "531c4084f03ee3d1b847fd5b7e1a08b698d464c9f75172572d311ce3fd3c7b78",
     "type": "eql",
-    "version": 109
+    "version": 110
   },
   "980b70a0-c820-11ed-8799-f661ea17fbcc": {
     "min_stack_version": "8.4",
@@ -5542,9 +5584,16 @@
   "9c865691-5599-447a-bac9-b3f2df5f9a9d": {
     "min_stack_version": "8.3",
     "rule_name": "Remote Scheduled Task Creation via RPC",
-    "sha256": "22e8e1bb2a6a9366178e012e1811993b0ce5f79b27afc154f93ed760c6489f1e",
+    "sha256": "0f64c28a181949a1efa09b4f30225af7c831dc379510fde5484cb91ebbe9059e",
     "type": "eql",
-    "version": 7
+    "version": 8
+  },
+  "9c951837-7d13-4b0c-be7a-f346623c8795": {
+    "min_stack_version": "8.3",
+    "rule_name": "Potential Enumeration via Active Directory Web Service",
+    "sha256": "17ac2376542784780fa798b0756416f6c54757e2d72dab6b2ddd28dfd165d3b3",
+    "type": "eql",
+    "version": 1
   },
   "9ccf3ce0-0057-440a-91f5-870c6ad39093": {
     "min_stack_version": "8.3",
@@ -5659,9 +5708,9 @@
   "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Credential Access via DCSync",
-    "sha256": "ce811f22916b00b56a6bdde9eeaa631f6ccf08130ad18edfb552d0205424c5b1",
+    "sha256": "008b0f6532321a77ee911abe070b818d971c7f5c23e3e4c5b78caf79ea21af08",
     "type": "eql",
-    "version": 111
+    "version": 112
   },
   "9f9a2a82-93a8-4b1a-8778-1780895626d4": {
     "min_stack_version": "8.6",
@@ -5931,10 +5980,10 @@
   },
   "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
     "min_stack_version": "8.3",
-    "rule_name": "Potential Malicious File Downloaded from Google Drive",
-    "sha256": "7a0d22e648caa03cd127a00cad9baff4f242263c35d9ad59ab1c7a9fe46a321a",
+    "rule_name": "Suspicious File Downloaded from Google Drive",
+    "sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
     "min_stack_version": "8.9",
@@ -6152,6 +6201,13 @@
     "type": "query",
     "version": 105
   },
+  "ad959eeb-2b7b-4722-ba08-a45f6622f005": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious APT Package Manager Execution",
+    "sha256": "8b78fc4a9959793ebadb1dd12240e38a6331356b5ce0733f090b31e48fd71b7d",
+    "type": "eql",
+    "version": 1
+  },
   "adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
     "min_stack_version": "8.3",
     "rule_name": "File Transfer or Listener Established via Netcat",
@@ -6456,9 +6512,9 @@
   "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
     "min_stack_version": "8.3",
     "rule_name": "Kirbi File Creation",
-    "sha256": "34a4c6af4a0abec4b49761fd3410e7ce843a7cd917929009de084283086d34f2",
+    "sha256": "c38344254490e667df0c99f72e41895e32340abeed8333e6a5ed6305757ffb6d",
     "type": "eql",
-    "version": 2
+    "version": 3
   },
   "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
     "min_stack_version": "8.3",
@@ -6886,9 +6942,9 @@
   "c55badd3-3e61-4292-836f-56209dc8a601": {
     "min_stack_version": "8.3",
     "rule_name": "Attempted Private Key Access",
-    "sha256": "878964185cf6bcfd3d1cee459b0664977de42cce6b31af0fb2ad35413e764dc5",
+    "sha256": "5381a29dcefb0cee21b24a6b62d7d0d3e2a287eea7433b36fe1c6851204841a8",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "c5677997-f75b-4cda-b830-a75920514096": {
     "min_stack_version": "8.3",
@@ -7618,6 +7674,13 @@
     "type": "query",
     "version": 102
   },
+  "d74d6506-427a-4790-b170-0c2a6ddac799": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious Memory grep Activity",
+    "sha256": "f38af2112e0042344d3102dcb974eff219cdb2192cf7174c291647c0ac09d87c",
+    "type": "eql",
+    "version": 1
+  },
   "d75991f2-b989-419d-b797-ac1e54ec2d61": {
     "min_stack_version": "8.3",
     "rule_name": "SystemKey Access via Command Line",
@@ -8222,9 +8285,9 @@
   "e707a7be-cc52-41ac-8ab3-d34b38c20005": {
     "min_stack_version": "8.3",
     "rule_name": "Potential Credential Access via Memory Dump File Creation",
-    "sha256": "49debe62710e167c237de800f3dd2ce6ad4a3f4a6effd957439d576770b4e7c9",
+    "sha256": "8e637f03a8f8eb325e7801996c5641dcd8972185da239d2786d603ce93786836",
     "type": "eql",
-    "version": 1
+    "version": 2
   },
   "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
     "min_stack_version": "8.3",
@@ -8425,6 +8488,13 @@
     "type": "machine_learning",
     "version": 103
   },
+  "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious APT Package Manager Network Connection",
+    "sha256": "835b8c13f7ca75ca0c3cbd05603c8ecedda758ee6736f886b793937b40b4cf3d",
+    "type": "eql",
+    "version": 1
+  },
   "eb079c62-4481-4d6e-9643-3ca499df7aaa": {
     "min_stack_version": "8.3",
     "rule_name": "External Alerts",
@@ -8435,9 +8505,9 @@
   "eb44611f-62a8-4036-a5ef-587098be6c43": {
     "min_stack_version": "8.3",
     "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
-    "sha256": "801852a3300f7b11b19c32b8f4151194247eb06f60814b531d70187da14da0a1",
+    "sha256": "59511943017b6f3b3d7a961fa15dbae63734417cf74479ac19a17febbd5181b7",
     "type": "query",
-    "version": 2
+    "version": 3
   },
   "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
     "min_stack_version": "8.3",
@@ -8784,6 +8854,13 @@
     "type": "threshold",
     "version": 104
   },
+  "f3818c85-2207-4b51-8a28-d70fb156ee87": {
+    "min_stack_version": "8.3",
+    "rule_name": "Suspicious Network Connection via systemd",
+    "sha256": "a735567676266d1a679f92125be7cf4a9e43d4da691ed2d93e4365e572aa2440",
+    "type": "eql",
+    "version": 1
+  },
   "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
     "min_stack_version": "8.5",
     "rule_name": "Threat Intel URL Indicator Match",
-Original file line number
+Diff line change
@@ Expand Up / @@ -153,4 +153,4 @@ @@
           "url": "https://www.elastic.co/guide/en/security/current/prebuilt-rule-0-13-1-prebuilt-rules-0-13-1-summary.html"
         }
       ]
-    }
+    }