diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json
index e487cf4e9..c0457fa8f 100644
--- a/detection_rules/etc/attack-technique-redirects.json
+++ b/detection_rules/etc/attack-technique-redirects.json
@@ -132,5 +132,5 @@
 "T1536": "T1578.004",
 "T1547.011": "T1647"
 },
-"saved_date": "Wed Nov 22 10:41:11 2023"
+"saved_date": "Fri May 31 17:00:55 2024"
 }
\ No newline at end of file
diff --git a/detection_rules/etc/attack-v14.1.0.json.gz b/detection_rules/etc/attack-v14.1.0.json.gz
deleted file mode 100644
index 200a06d80..000000000
Binary files a/detection_rules/etc/attack-v14.1.0.json.gz and /dev/null differ
diff --git a/detection_rules/etc/attack-v15.1.0.json.gz b/detection_rules/etc/attack-v15.1.0.json.gz
new file mode 100644
index 000000000..63e35112a
Binary files /dev/null and b/detection_rules/etc/attack-v15.1.0.json.gz differ
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index 5e7873a45..273f81c59 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Austin Songer"]
@@ -48,11 +48,11 @@ event.outcome:success
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1484"
-name = "Domain Policy Modification"
+name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
 [[rule.threat.technique.subtechnique]]
 id = "T1484.002"
-name = "Domain Trust Modification"
+name = "Trust Modification"
 reference = "https://attack.mitre.org/techniques/T1484/002/"
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index a537b35e5..9b31e528a 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -126,7 +126,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index b83bfe38a..4023d557e 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml
index cfb5fd3b6..27f59a47c 100644
--- a/rules/windows/defense_evasion_masquerading_communication_apps.toml
+++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -118,7 +118,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 7c944c247..cb3637fac 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -126,7 +126,7 @@ reference = "https://attack.mitre.org/techniques/T1574/010/"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
index 5208f641c..6682a074f 100644
--- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
+++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,7 @@ file where host.os.type == "windows" and event.type != "deletion" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1484"
-name = "Domain Policy Modification"
+name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
 [[rule.threat.technique.subtechnique]]
 id = "T1484.001"
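Review bot: The persistence_adobe_hijack_persistence.toml section is the only rule in this diff whose T1554 rename is not paired with a metadata bump: every other rule that receives the ATT&CK v15 technique name also moves `updated_date` from `2024/05/21` to `2024/05/31` in a preceding hunk, while this file carries only the `@@ -126,7 +126,7 @@` hunk. Unless the rule's `updated_date` is already `2024/05/31` from an earlier commit (not visible here), it should be bumped as well, `updated_date = "2024/05/31"`, so the rule's metadata records this change and the set stays consistent for anyone auditing when mappings last moved. The `[[rule.threat.technique]]` entry is complete within the hunk, but the enclosing `[[rule.threat]]` table begins outside it.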
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 51ebb21e5..4cc0718d5 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -114,7 +114,7 @@ or
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1484"
-name = "Domain Policy Modification"
+name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
 [[rule.threat.technique.subtechnique]]
 id = "T1484.001"
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index cd65fe208..7908282b0 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -88,7 +88,7 @@ event.code: "5136" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1484"
-name = "Domain Policy Modification"
+name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
 [[rule.threat.technique.subtechnique]]
 id = "T1484.001"
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 53ad7a334..0d7899d93 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/11/08"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -121,7 +121,7 @@ reference = "https://attack.mitre.org/techniques/T1053/005/"
 [[rule.threat.technique]]
 id = "T1484"
-name = "Domain Policy Modification"
+name = "Domain or Tenant Policy Modification"
 reference = "https://attack.mitre.org/techniques/T1484/"
 [[rule.threat.technique.subtechnique]]
 id = "T1484.001"
diff --git a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
index 0e9ddb9fa..60798ca9d 100644
--- a/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
+++ b/rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -286,7 +286,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml
index 05eab7af3..3ad0df054 100644
--- a/rules_building_block/defense_evasion_masquerading_browsers.toml
+++ b/rules_building_block/defense_evasion_masquerading_browsers.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -185,7 +185,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
index a27d78317..63f9383bb 100644
--- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
+++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml
index 41bd9f17d..f64458b81 100644
--- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml
+++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -147,7 +147,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"
diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
index bed9eb796..96aa94f81 100644
--- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
+++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
@@ -106,7 +106,7 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1554"
-name = "Compromise Client Software Binary"
+name = "Compromise Host Software Binary"
 reference = "https://attack.mitre.org/techniques/T1554/"