From da9bfd0abccc1de2010f02eac9930dee3042d1bc Mon Sep 17 00:00:00 2001
From: veritasr3x
Date: Tue, 11 Nov 2025 16:26:14 +0100
Subject: [PATCH] MITRE ATT&CK Sub-Technique Update - Solves Issue #5279 (#5280)
* Resolves Issue #5279
* Corrected the "updated_date" value
* Put the technique and sub-technique in the correct location
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 .../command_and_control_common_webservices.toml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 2491d16d5..89cc18353 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,7 @@ creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/04"
+updated_date = "2025/11/04"
 [transform]
 [[transform.investigate]]
@@ -344,7 +344,14 @@ id = "T1568.002"
 name = "Domain Generation Algorithms"
 reference = "https://attack.mitre.org/techniques/T1568/002/"
-
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+[[rule.threat.technique.subtechnique]]
+id = "T1090.002"
+name = "External Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/002/"
 [rule.threat.tactic]
 id = "TA0011"
@@ -352,6 +359,7 @@ name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
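Review bot: The `T1090` / `T1090.002` mapping added in the `@@ -344,7 +344,14 @@` hunk has no rationale anywhere in the patch: the diffstat's 10 insertions and 2 deletions are fully accounted for by the date bump, these eight mapping lines and two blank-line changes, so the rule's query is not touched. A technique tag that the detection logic does not back overstates coverage wherever `rule.threat` is aggregated, so it is worth confirming that the existing query already matches services used as an external proxy (the query is outside the hunks, so this cannot be checked here). I would record that link beside the mapping, e.g. `# T1090.002: matched by <proxy/tunnel services in the query>`, or in the rule's description if comments do not survive the repository's rule formatting. The `[[rule.threat]]` entry these lines extend starts before the hunk.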