From b67ffd413a112490d5a78e48e09ca0c1f28b187c Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Wed, 27 Jul 2022 14:49:22 -0400
Subject: [PATCH] [Rule Tuning] Unexpected Child Process of macOS Screensaver Engine (#2184)

* add screensaver subtechnique

(cherry picked from commit 3a557503d182c9ef1be84c9a321b17e13c8f75ad)
---
 ...stence_screensaver_engine_unexpected_child_process.toml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 134ff9d8c..99009173a 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/27"
 
 [rule]
 author = ["Elastic"]
@@ -50,6 +50,11 @@ framework = "MITRE ATT&CK"
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.002"
+name = "Screensaver"
+reference = "https://attack.mitre.org/techniques/T1546/002/"
+
 
 
 [rule.threat.tactic]
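Review bot: The `[[rule.threat.technique.subtechnique]]` entry added in the second hunk maps this macOS rule to T1546.002, which ATT&CK scopes to Windows (`.scr` screensaver executables), so the mapping is by analogy rather than an exact platform match. Coverage reports that combine sub-technique and platform may therefore place this rule under Windows persistence or show it as a mismatch. If the rule format keeps comments, I would add one above the new table, for example `# ATT&CK lists T1546.002 for Windows; used here as the closest fit for macOS ScreenSaverEngine abuse`. Otherwise the same sentence could go in the rule's description or note text, which is outside this hunk. The parent `[[rule.threat.technique]]` header also sits above the hunk, so the nesting of the new table under T1546 is inferred from the `@@` context rather than visible here.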