From 286941cb8ea9c23bccec283540aa26a54aea7e71 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Sat, 23 Jul 2022 11:22:27 -0400
Subject: [PATCH] [Rule Tuning] Attempt to Unload Elastic Endpoint Security Kernel Extension (#2134)

* add subtechnique T1547/006/
---
 ..._evasion_unload_endpointsecurity_kext.toml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index 7d4fe892b..e4ec41277 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/21/07"
 
 [rule]
 author = ["Elastic"]
@@ -41,4 +41,21 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+
+
[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
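Review bot: The new `updated_date = "2022/21/07"` in the first hunk is not a valid date in the `YYYY/MM/DD` form the file's other timestamps use (`creation_date = "2020/01/05"`, the replaced `2021/03/03`): 21 is not a month, so any schema validation of the rule metadata will reject it or silently mis-parse it. The month and day appear transposed; with the commit dated 23 Jul 2022 it should read `updated_date = "2022/07/21"` (or `"2022/07/23"` if the convention is the merge date — confirm which). A repository-level lint on this field would stop the same slip landing again.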
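Review bot: In the second hunk three consecutive empty lines sit between `reference = "https://attack.mitre.org/techniques/T1547/006/"` and `[rule.threat.tactic]`, while the new `[[rule.threat]]` header is appended with no separator at all after the previous tactic's `reference` line; collapse the run to a single blank line and put one blank line before `[[rule.threat]]` so the two threat blocks read the same way. Separately, the mapping added here is Persistence (TA0003) via T1547.006, which in ATT&CK describes loading kernel modules/extensions to execute at boot, whereas this rule detects an attempt to *unload* the Endpoint Security kext — the Defense Evasion mapping (T1562.001) the file already carries is the one that matches the behavior, so the Persistence tag may overstate what the detection actually covers; confirm the intended coverage before merging. In this rendering the `[rule.threat.tactic]` line also appears to have lost its `+` marker, which may be a display artifact rather than a patch defect.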