From 17ec40d54360df5644c15752b443e6e479c045ae Mon Sep 17 00:00:00 2001
From: shashank-elastic
Date: Wed, 18 Jun 2025 04:53:24 +0000
Subject: [PATCH 1/2] Locked versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0
---
 detection_rules/etc/version.lock.json | 193 ++++++++++++++++++--------
 docs-dev/ATT&CK-coverage.md | 5 +
 2 files changed, 141 insertions(+), 57 deletions(-)
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 0d91723af88..914a33ce799 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -127,9 +127,9 @@
 },
 "035889c4-2686-4583-a7df-67f89c292f2c": {
 "rule_name": "High Number of Process and/or Service Terminations",
- "sha256": "b222726fe75a2d97f2c6af63ccff582a6efbe1e087ea0f4ff4a5bd499c7e71c9",
+ "sha256": "2a22d0f3cf317970be4b88c0a8ccdfe129a55d326c2025d0b931e84121a5ba59",
 "type": "threshold",
- "version": 215
+ "version": 216
 },
 "035a6f21-4092-471d-9cda-9e379f459b1e": {
 "rule_name": "Potential Memory Seeking Activity",
@@ -234,10 +234,10 @@
 "version": 216
 },
 "064a2e08-25da-11f0-b1f1-f661ea17fbcd": {
- "rule_name": "Microsoft Entra ID Protection Anonymized IP Risk Detection",
- "sha256": "88d6085f4cb924d5a89fc80c05f57e7de76c00a86a1143008272edbe9adbb28c",
+ "rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk",
+ "sha256": "2d9696b9804309379956f4234f1de956bb83f53271f594fef7e22b983003fb70",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "06568a02-af29-4f20-929c-f3af281e41aa": {
 "rule_name": "System Time Discovery",
@@ -836,9 +836,9 @@
 },
 "14de811c-d60f-11ec-9fd7-f661ea17fbce": {
 "rule_name": "Kubernetes User Exec into Pod",
- "sha256": "e576e9c1ea21e8d5d59a7fe99cca4528e6d951ac751cb86a7b5f01b7b530854f",
- "type": "query",
- "version": 206
+ "sha256": "612193e6d925016d5bfecf2a0fdbf8578516233997c0629e4301c91e16c779f3",
+ "type": "eql",
+ "version": 207
 },
 "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
 "rule_name": "Potential Persistence via Time Provider Modification",
@@ -898,6 +898,12 @@
 "type": "eql",
 "version": 112
 },
+ "1600f9e2-5be6-4742-8593-1ba50cd94069": {
+ "rule_name": "Kubectl Permission Discovery",
+ "sha256": "fbccf3b9c6e75b3c174b09bdefb11e2c2497b56987ab37d56ae81e1b243f6459",
+ "type": "eql",
+ "version": 1
+ },
 "160896de-b66f-42cb-8fef-20f53a9006ea": {
 "rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
 "sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
@@ -1549,9 +1555,9 @@
 },
 "264c641e-c202-11ef-993e-f661ea17fbce": {
 "rule_name": "AWS EC2 Deprecated AMI Discovery",
- "sha256": "e1b5c74b588f7185d199e465d42bb2342825c359e88902b82c77c9adeae91b10",
+ "sha256": "96bd4f7b0a5632f55759aab37fe89da7663eb3daeeaf0f9720d265a48a50ab5c",
 "type": "query",
- "version": 4
+ "version": 5
 },
 "265db8f5-fc73-4d0d-b434-6483b56372e2": {
 "rule_name": "Persistence via Update Orchestrator Service Hijack",
@@ -1720,9 +1726,9 @@
 },
 "28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
 "rule_name": "Shell Configuration Creation or Modification",
- "sha256": "8b70188e6d20f104a1a2d92709089bf114cb1474bb219f9901eea546a992c479",
+ "sha256": "960cf081df43627f6f9371b360266a01b45c8d4bae647d0c1e9152c5bba3193e",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "29052c19-ff3e-42fd-8363-7be14d7c5469": {
 "rule_name": "AWS EC2 Security Group Configuration Change",
@@ -1843,6 +1849,13 @@
 "type": "eql",
 "version": 205
 },
+ "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": {
+ "min_stack_version": "8.17",
+ "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
+ "sha256": "0f02e577ddc1fe851a0145485a0c80e9146f51ff9d58736c18233e59adcdc755",
+ "type": "esql",
+ "version": 1
+ },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "rule_name": "Enumeration of Kernel Modules",
 "sha256": "32aeae8271aadc06ca29f0a5bdc384f811d8f1bc3da2df99cdaccfd42035f467",
@@ -2166,9 +2179,9 @@
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "rule_name": "Unusual Parent-Child Relationship",
- "sha256": "1b35387c2bbd3ea58f517390de61ae4e7f9a49e77ab67a08ee3f80135d42bc74",
+ "sha256": "dbd205d0455f5c80c9c6ef5c0bc88b7a2028098a9aefde11c54d3b8b9f3fbcca",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "35f86980-1fb1-4dff-b311-3be941549c8d": {
 "rule_name": "Network Traffic to Rare Destination Country",
@@ -2215,10 +2228,10 @@
 },
 "375132c6-25d5-11f0-8745-f661ea17fbcd": {
 "min_stack_version": "8.17",
- "rule_name": "Suspicious Activity via Auth Broker On-Behalf-of Principal User",
- "sha256": "09ed97c79557bbb088d9225dead1bf3c06b746875cf3480922bf1dda5c00e832",
+ "rule_name": "Suspicious Microsoft OAuth Flow via Auth Broker to DRS",
+ "sha256": "d30059429db55e2153898e53be14f42ddd4df5776f79a3702905867ae95cd0fe",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
 "rule_name": "AWS RDS Security Group Creation",
@@ -2311,9 +2324,9 @@
 },
 "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
 "rule_name": "AWS EC2 Network Access Control List Creation",
- "sha256": "a9e5edeb06a2a0c3f67c23b8f098504518bd2b07cf13e0c182bfd1343554d719",
+ "sha256": "91741e10ac5227692cd6659e65bdb206406e59a0bb49b4beb07ee9b30d3d6a23",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
 "rule_name": "Downloaded Shortcut Files",
@@ -2629,9 +2642,9 @@
 },
 "4182e486-fc61-11ee-a05d-f661ea17fbce": {
 "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
- "sha256": "8e761cae475d2ad1f1ccab98b9c8dbcb1ba6a2ed51cd309d4481595eaf355106",
+ "sha256": "a2c672b192a6a57d9e17c240ef6f3a68afa730cc1a44e87636d7b6cb3a2019d3",
 "type": "esql",
- "version": 5
+ "version": 6
 },
 "41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
 "rule_name": "Potential Hidden Local User Account Creation",
@@ -2901,6 +2914,12 @@
 "type": "eql",
 "version": 6
 },
+ "4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd": {
+ "rule_name": "Entra ID Protection - Risk Detection - User Risk",
+ "sha256": "c5af00471be7064f2bfaee19936213324f7b4fa530bd99fdc16906ebab0a5800",
+ "type": "query",
+ "version": 1
+ },
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "rule_name": "Disable Windows Firewall Rules via Netsh",
 "sha256": "8b0ebf29f24beae56eb99431550627a0e281254d764c3580a9a8d69ce2e6b145",
@@ -2915,9 +2934,9 @@
 },
 "4b74d3b0-416e-4099-b432-677e1cd098cc": {
 "rule_name": "Container Management Utility Run Inside A Container",
- "sha256": "5ce2c11eda9bb4d6a21eaec46735b3b7f1af2d90a40e84d7e416e8f271b7bdcb",
+ "sha256": "773a6f1539f3ddbe4a7ccc56216caa6b20e7fd231b42179cae8005b092865955",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
 "rule_name": "ProxyChains Activity",
@@ -3616,6 +3635,12 @@
 "type": "query",
 "version": 109
 },
+ "5e23495f-09e2-4484-8235-bdb150d698c9": {
+ "rule_name": "Potential CVE-2025-33053 Exploitation",
+ "sha256": "e515ba416d112f154ee9c1ea73f1ac151201233455473ca6ac4c7bb238c79648",
+ "type": "eql",
+ "version": 1
+ },
 "5e4023e7-6357-4061-ae1c-9df33e78c674": {
 "rule_name": "Memory Swap Modification",
 "sha256": "4057788684412d061d4da08a599e2826415b89cea6358903f10773366b45d795",
@@ -3821,9 +3846,9 @@
 },
 "64f17c52-6c6e-479e-ba72-236f3df18f3d": {
 "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
- "sha256": "64241fbdce4cbe75d6d49945bec0a265cc28502d993e961ef207916659bbc716",
+ "sha256": "17766af17fc98cb55a5faad620667ecf1fa5ce5f55b01721a2b83abc678a766e",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "6505e02e-28dd-41cd-b18f-64e649caa4e2": {
 "rule_name": "Manual Memory Dumping via Proc Filesystem",
@@ -4186,9 +4211,9 @@
 },
 "6ddb6c33-00ce-4acd-832a-24b251512023": {
 "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
- "sha256": "d76b1ae821692910302705f22322c89936e5db62bfe2fa3a8f3b3b2f747eb1ed",
+ "sha256": "c363d877bead10e2100d942d71225435cf896ecd1aedeaf07ba3f4c0f3053cdc",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "6ded0996-7d4b-40f2-bf4a-6913e7591795": {
 "rule_name": "Root Certificate Installation",
@@ -4204,9 +4229,9 @@
 },
 "6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
 "rule_name": "Loadable Kernel Module Configuration File Creation",
- "sha256": "80d291535238ff34e7e30ff84739bc7c3ed2e73b19a111bed581d3957c59c011",
+ "sha256": "9b9b7f3c885260e578a0b82883d82007dc06ce8b50492c1ca835a211db9d8dc0",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
 "rule_name": "Anomalous Process For a Windows Population",
@@ -4345,6 +4370,12 @@
 "type": "eql",
 "version": 110
 },
+ "713e0f5f-caf7-4dc2-88a7-3561f61f262a": {
+ "rule_name": "AWS EC2 EBS Snapshot Access Removed",
+ "sha256": "f5c4dc11b300026e5ae6340b94306e6264a22d7e196af355106e7ece622f9170",
+ "type": "esql",
+ "version": 1
+ },
 "7164081a-3930-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
 "sha256": "54cd3de4ffd1a4bfc1e0716fdb06810274be795ecfa4e0a75fc5917a5ede585a",
@@ -4971,10 +5002,10 @@
 "version": 113
 },
 "8446517c-f789-11ee-8ad0-f661ea17fbce": {
- "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
- "sha256": "b0619e673aa470b69e0b071f0a63e3cab3caaec325d779132a3ff1174623fde0",
+ "rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
+ "sha256": "09f6c49d3b72f57141f343b4f77c8b4112cb859139b6ef1a85f09ae998fb6a1f",
 "type": "new_terms",
- "version": 6
+ "version": 7
 },
 "846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
 "rule_name": "Microsoft Exchange Transport Agent Install Script",
@@ -5027,9 +5058,9 @@
 },
 "8623535c-1e17-44e1-aa97-7a0699c3037d": {
 "rule_name": "AWS EC2 Network Access Control List Deletion",
- "sha256": "b99dcebd1096e5fc20ee2446166c388a7b01f8f46fb77848b2ab642b2b11f6b7",
+ "sha256": "c274913be86de801027a68714627b0f65176fd765156673efcebb2bcd5996bfa",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "863cdf31-7fd3-41cf-a185-681237ea277b": {
 "rule_name": "AWS RDS Security Group Deletion",
@@ -5492,9 +5523,9 @@
 },
 "9395fd2c-9947-4472-86ef-4aceb2f7e872": {
 "rule_name": "AWS VPC Flow Logs Deletion",
- "sha256": "252ac0fc6dac5368e41dd109d36d473558120c52028da04298adb0fd9c1c848e",
+ "sha256": "a7065e1b8fe61ce3a22ffa4ef3c73475edafa82b86918e0e0c1225bc06fd4203",
 "type": "query",
- "version": 211
+ "version": 212
 },
 "93b22c0a-06a0-4131-b830-b10d5e166ff4": {
 "rule_name": "Suspicious SolarWinds Child Process",
@@ -5783,10 +5814,10 @@
 "version": 209
 },
 "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
- "rule_name": "AWS EC2 Snapshot Activity",
- "sha256": "74ef6df7d216e8b65caba920e194ef7cd329e9f19b2a41a57fdcc80f4af8914c",
+ "rule_name": "Deprecated - AWS EC2 Snapshot Activity",
+ "sha256": "f018635a33a67f68ce5ed0b514c90f9a136b4bb3e7d4b2991c4d51c8bc7cb121",
 "type": "query",
- "version": 211
+ "version": 212
 },
 "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
 "rule_name": "Process Injection - Prevented - Elastic Endgame",
@@ -5818,6 +5849,12 @@
 "type": "eql",
 "version": 106
 },
+ "99ac5005-8a9e-4625-a0af-5f7bb447204b": {
+ "rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
+ "sha256": "386127d0c66af62ae5577f0cd57b8f5c8627cbcc9d3484f413ffe10d01dcabb2",
+ "type": "eql",
+ "version": 1
+ },
 "99c2b626-de44-4322-b1f9-157ca408c17e": {
 "rule_name": "Web Server Spawned via Python",
 "sha256": "77b22cd08b5914432d68b171d61a3905c8672618463d246175b170c87f519845",
@@ -5854,6 +5891,12 @@
 "type": "eql",
 "version": 312
 },
+ "9a6f5d74-c7e7-4a8b-945e-462c102daee4": {
+ "rule_name": "Kubeconfig File Discovery",
+ "sha256": "4b6e2373aa7b6061a428b812e35745483880c096f4fee191fb913240d1e572fa",
+ "type": "eql",
+ "version": 1
+ },
 "9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
 "rule_name": "Scheduled Tasks AT Command Enabled",
 "sha256": "4b91494419375f075074641d265c9472249db37ae1bd4883afff77746fac5ae9",
@@ -5980,6 +6023,12 @@
 "type": "new_terms",
 "version": 4
 },
+ "9ebd48ac-a0e2-430a-a219-fe072a50146b": {
+ "rule_name": "AWS CloudTrail Log Evasion",
+ "sha256": "9e5d44c6c292f3f18557af3764294a0e03bfcc100c90a5eb9a012b201ecdaca2",
+ "type": "query",
+ "version": 1
+ },
 "9edd1804-83c7-4e48-b97d-c776b4c97564": {
 "rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
 "sha256": "6a515fb5dd38fdc765201c0cd3ed8ab1bfbfbea0dbe8f0f6aa079de7770fcc26",
@@ -6181,9 +6230,9 @@
 },
 "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
 "rule_name": "AWS IAM Assume Role Policy Update",
- "sha256": "d7b40a3892c7573279dbc52673e975ecee3c2c10770c90a7041b120009c6f37e",
+ "sha256": "9584518787484f72c256fff654ff994c12be947f48b98532c3015aea697a3b94",
 "type": "new_terms",
- "version": 212
+ "version": 213
 },
 "a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
 "rule_name": "Azure Active Directory PowerShell Sign-in",
@@ -6387,9 +6436,9 @@
 },
 "ac5a2759-5c34-440a-b0c4-51fe674611d6": {
 "rule_name": "Outlook Home Page Registry Modification",
- "sha256": "d0449a4563dadd5725ad18cdf7650bb95ec21581946817998cb08147d823afad",
+ "sha256": "6a545cb482f00a99599a606fd89ec0320635566a5f5c7cbc39245111e68d2c2e",
 "type": "eql",
- "version": 204
+ "version": 205
 },
 "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
 "rule_name": "WPS Office Exploitation via DLL Hijack",
@@ -6589,6 +6638,12 @@
 "type": "esql",
 "version": 1
 },
+ "b11116fd-023c-4718-aeb8-fa9d283fc53b": {
+ "rule_name": "Kubeconfig File Creation or Modification",
+ "sha256": "433c519eca574db06b9495334f4964984b21ba89d66d59c039816ca7cd62886c",
+ "type": "eql",
+ "version": 1
+ },
 "b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
 "rule_name": "Hidden Directory Creation via Unusual Parent",
 "sha256": "0cf427bce0665a9f2c65ff8c2a3e0e55c2def5a3360f8fe744de9f85b85354ac",
@@ -7145,9 +7200,9 @@
 },
 "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
 "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
- "sha256": "5257f8214728864891c026bd4b35e24b22d0fe5b89fc60fdaec6f11588fb5d60",
+ "sha256": "defe0bc07c56e49e5594a7309be55cfa4b60ca9bb421b2f270389797ecf625d0",
 "type": "new_terms",
- "version": 5
+ "version": 6
 },
 "c20cd758-07b1-46a1-b03f-fa66158258b8": {
 "rule_name": "Unsigned DLL Loaded by a Trusted Process",
@@ -7167,6 +7222,12 @@
 "type": "eql",
 "version": 316
 },
+ "c28750fa-4092-11f0-aca6-f661ea17fbcd": {
+ "rule_name": "BloodHound Suite User-Agents Detected",
+ "sha256": "dcb1aa029f3628fdc348daa9e3574a8e482cb7f8645f5f085334c21ed9a070b0",
+ "type": "eql",
+ "version": 1
+ },
 "c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
 "rule_name": "Unusual Linux Network Connection Discovery",
 "sha256": "34592f9549c2e381560c9c9a7a71bbb31090e65c7531ba8336578f4a2af2563e",
@@ -7312,10 +7373,10 @@
 "version": 100
 },
 "c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
- "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
- "sha256": "5dc411adacd7845d2c32dfe1d1b08f2b7cfb75f5e07a9ca693f8b1050edb2fa3",
+ "rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
+ "sha256": "99b9962c6c09378b4025d49a579ee99cb8a9ae0277d461ac8296cc86e51c6e49",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
 "rule_name": "AWS IAM API Calls via Temporary Session Tokens",
@@ -7621,9 +7682,9 @@
 },
 "cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
 "rule_name": "Downloaded URL Files",
- "sha256": "c8fa16c73d4a4ff4302a2c71c2972cb7bc87d320079d24f10185b7e511c59b52",
+ "sha256": "4a47b2f5d23fc106e911c3431fc7d04910bf0abfb0acde9b0815898441f17516",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "min_stack_version": "8.15",
@@ -7659,9 +7720,9 @@
 },
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
- "sha256": "85eb65d42abc1d3a89fc72ca22fbeaf7a401dbea06c2871819b0e173688eade5",
+ "sha256": "db282c1b5260005aaac9a7be20f9fdf5dfd6193ead99215421700d509c677f57",
 "type": "query",
- "version": 216
+ "version": 217
 },
 "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
 "rule_name": "Shadow File Modification by Unusual Process",
@@ -7687,6 +7748,12 @@
 "type": "eql",
 "version": 315
 },
+ "ce73954b-a0a4-4f05-b67b-294c500dac77": {
+ "rule_name": "Kubernetes Service Account Secret Access",
+ "sha256": "698e8aa937abca509a33d7a5bfa1a0fc2905bcd055e884d97349ec35b2e4429f",
+ "type": "eql",
+ "version": 1
+ },
 "cf53f532-9cc9-445a-9ae7-fced307ec53c": {
 "rule_name": "Cobalt Strike Command and Control Beacon",
 "sha256": "358f978a2e6f3e446c7216cd749cba581f6d777dd924f3883764e299d4ff4945",
@@ -8008,6 +8075,12 @@
 "type": "query",
 "version": 108
 },
+ "d84a11c0-eb12-4e7d-8a0a-718e38351e29": {
+ "rule_name": "Potential Machine Account Relay Attack via SMB",
+ "sha256": "6f4aee34c8f0feb976f365d1cd5bdf3e176e9989cd95d28708daeab47a106a7b",
+ "type": "eql",
+ "version": 1
+ },
 "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
 "rule_name": "Untrusted Driver Loaded",
 "sha256": "fefd28d4a5e4cbad93ef34c95fce341b58293c0d2c1b4ede0b99b541b64c82bb",
@@ -8652,9 +8725,9 @@
 },
 "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
 "rule_name": "Potential PowerShell Obfuscation via String Reordering",
- "sha256": "30bd3238b8867d94701c4f3fc502b74298005cad84fef3368f4aa0587900a832",
+ "sha256": "d9a43f6435dbbafdf88bd9f933023d11a9d1ec0d52465af7e48642ee3d415a75",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "e90ee3af-45fc-432e-a850-4a58cf14a457": {
 "min_stack_version": "8.15",
@@ -9278,8 +9351,14 @@
 },
 "f6d8c743-0916-4483-8333-3c6f107e0caa": {
 "rule_name": "Potential PowerShell Obfuscation via String Concatenation",
- "sha256": "6169ac41dcca7234b32135552fcb0db95bab95cce4966d55a5e70618ef4c178e",
+ "sha256": "a8446f13b0d4ab167367fc332fed02fe68f5ff6e8c0eb79f8fe127986ac00ba4",
 "type": "esql",
+ "version": 2
+ },
+ "f701be14-0a36-4e9a-a851-b3e20ae55f09": {
+ "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
+ "sha256": "023f201f19f55fa32002748bd7a5baf47607e32cd8939b2a67821dce314dd210",
+ "type": "query",
 "version": 1
 },
 "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
@@ -9433,9 +9512,9 @@
 },
 "f9abcddc-a05d-4345-a81d-000b79aa5525": {
 "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
- "sha256": "5049ed89606ac8c5067143066404d7ebf1a25a9bbdebd6935a521f1a126e6ff5",
+ "sha256": "c5aeb231b7a3abfef05bd0dfb0c916ffaf0d0651cba897293d28fb262959dc58",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
 "rule_name": "Remote File Copy to a Hidden Share",
diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md
index a1462a56d14..c401d07f331 100644
--- a/docs-dev/ATT&CK-coverage.md
+++ b/docs-dev/ATT&CK-coverage.md
@@ -85,6 +85,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-aws-sts](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sts.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-systems-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-systems-manager.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-azure-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-activity-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-bbr](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bbr.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-bpfdoor](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bpfdoor.json&leave_site_dialog=false&tabs=false)| 
@@ -117,8 +118,11 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-github.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-google-cloud-platform](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-google-cloud-platform.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-google-workspace](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-google-workspace.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-graph-api-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-graph-api-activity-logs.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-graph-api](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-graph-api.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-higher-order-rule](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-higher-order-rule.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-identity-and-access-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-and-access-audit.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-identity](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-impact](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-impact.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-initial-access](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-initial-access.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-investigation-guide](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-investigation-guide.json&leave_site_dialog=false&tabs=false)|
@@ -155,6 +159,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-privileged-access-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-privileged-access-detection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-reconnaissance](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-reconnaissance.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-resource-development](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-resource-development.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-risk-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-risk-detection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-rootkit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-rootkit.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-saas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-saas.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-sentinelone](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sentinelone.json&leave_site_dialog=false&tabs=false)|
From fa829688e849200ea0d7cd3cd79110edd9fa782e Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Wed, 18 Jun 2025 10:25:51 +0530
Subject: [PATCH 2/2] Update Patch version
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 4fdf0f7e705..e409cc88963 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.19"
+version = "1.2.20"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"