diff --git a/etc/attack-v7.2.json.gz b/etc/attack-v7.2.json.gz
deleted file mode 100644
index 1baa382e0..000000000
Binary files a/etc/attack-v7.2.json.gz and /dev/null differ
diff --git a/etc/attack-v9.0.json.gz b/etc/attack-v9.0.json.gz
new file mode 100644
index 000000000..d43de5e7b
Binary files /dev/null and b/etc/attack-v9.0.json.gz differ
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 0cd63a9ac..908bb8c94 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
-name = "JavaScript/JScript"
+name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index fa74f1325..cec0ff93d 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
 [[rule.threat.technique.subtechnique]]
 id = "T1546.004"
-name = ".bash_profile and .bashrc"
+name = "Unix Shell Configuration Modification"
 reference = "https://attack.mitre.org/techniques/T1546/004/"
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index e45eea4b4..0dfe418b0 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
-name = "LD_PRELOAD"
+name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"
diff --git a/rules/macos/execution_installer_spawned_network_event.toml b/rules/macos/execution_installer_spawned_network_event.toml
index b8619ec89..669bd030f 100644
--- a/rules/macos/execution_installer_spawned_network_event.toml
+++ b/rules/macos/execution_installer_spawned_network_event.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/02/23"
 maturity = "production"
-updated_date = "2021/05/26"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
-name = "JavaScript/JScript"
+name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index aab4f74da..49948d687 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
@@ -65,7 +65,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index dceba59e9..dbb88d659 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index da36a8f37..041c14d4a 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 6094055d0..faaa1e07d 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index bc5f3c309..96aa7295c 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index ee8a98597..ddc8635cb 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index bf1950bba..e3d957cdc 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/17"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ name = "Abuse Elevation Control Mechanism"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
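Review bot: In the last hunk of privilege_escalation_uac_bypass_event_viewer.toml the `[[rule.threat.technique.subtechnique]]` block orders its keys `id`, `reference`, `name`, while every other subtechnique block touched by this commit uses `id`, `name`, `reference`. Since this commit is already rewriting that block's `name` line from the refreshed ATT&CK data, it is a cheap moment to move `name = "Bypass User Account Control"` above the `reference` line so the block matches the rest of the rule set and stays diff-stable against regenerated output. The enclosing `[[rule.threat]]` table starts before this hunk, and the collapsed text does not show the blank lines the hunk header's count of seven implies, so the exact placement should be confirmed in the file itself.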
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 0da5f10d2..98e91c897 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/26"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 8967eb4b7..744bb4122 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index 7d531a654..bc9b37269 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/03/03"
+updated_date = "2021/08/03"
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
-name = "Bypass User Access Control"
+name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"