diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json
index 0b5991536..62073f74c 100644
--- a/detection_rules/etc/attack-technique-redirects.json
+++ b/detection_rules/etc/attack-technique-redirects.json
@@ -130,7 +130,8 @@
 "T1522": "T1552.005",
 "T1527": "T1550.001",
 "T1536": "T1578.004",
- "T1547.011": "T1647"
+ "T1547.011": "T1647",
+ "T1574.002": "T1574.001"
 },
- "saved_date": "Mon Dec 9 14:04:15 2024"
+ "saved_date": "Mon May 5 18:11:43 2025"
 }
\ No newline at end of file
diff --git a/detection_rules/etc/attack-v16.1.0.json.gz b/detection_rules/etc/attack-v16.1.0.json.gz
deleted file mode 100644
index e54564e9c..000000000
Binary files a/detection_rules/etc/attack-v16.1.0.json.gz and /dev/null differ
diff --git a/detection_rules/etc/attack-v17.0.0.json.gz b/detection_rules/etc/attack-v17.0.0.json.gz
new file mode 100644
index 000000000..6a6a9d2d9
Binary files /dev/null and b/detection_rules/etc/attack-v17.0.0.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index 6dfb708f4..d1de8b728 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v9.0.0.json.gz b/detection_rules/etc/beats_schemas/v9.0.0.json.gz
index af3ed2049..e712fb421 100644
Binary files a/detection_rules/etc/beats_schemas/v9.0.0.json.gz and b/detection_rules/etc/beats_schemas/v9.0.0.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
index 112dc50a3..509115dda 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz
index 2a5f6db2b..7dd28b516 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
index c74a7ec3c..d14f74fb6 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index df4159cdd..d74ca16df 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index 9df569a99..8bf5455ad 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index cc9db3ad9..c4d0b157f 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index 6985f13c8..751d5622f 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index f3640a9f1..ff4331cd7 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index 4ec167829..23b5921d3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index fc47f2252..0f7a10863 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index 33f47f389..08c90435c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index b12191c5a..139055e22 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index 6cdb906fd..2beec6357 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index feabc7383..8d70fa4f8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index 22063834b..7e85a3476 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index e61edfa2c..883504467 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index b626429f1..7b3ee4bdf 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index cd9730ef1..b9b0b99b6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
index 3b87f5edf..5a56c930a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
index 95adfb78d..caa153725 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz
index 02d3c71bc..ac01b41ff 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz
index 9d104f3ae..478bc914f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index d4c89804c..c6b09961c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index e393907d8..f2366aea4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index c9b9575d1..d051c53ea 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index 3aeb7b579..5f9edd89d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index 1ed55b9d3..43a73eb54 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 97c51daff..d77c3110a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index 72e5a9c2f..5cca4b3f2 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index 4a562b1ae..d3a3f21e1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index 30457da4c..5a660b3eb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index 461024cc3..3e03fbf7c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index 31c2cb743..d4f90c6d2 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index 88a248a98..931ff028c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index 5d37050c9..a44c17483 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 0eb0ae831..3ab675d76 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index 5c594b449..0d5debb92 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index 76b23916b..bcf868307 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index 9350a5743..2b1d19b9e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index 0decb7b7b..14729fba5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index 235703e4d..4e01548e3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index 099c6bfdf..f32ef1112 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index 3499755a9..bc50c401c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index 6647e1428..7c41025d4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index f429412d7..b0eda9c62 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index 5c307f784..7d9f9f055 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index 634c97709..79aaa24a5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index 8927220fe..37a6d7045 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index b271414ff..84e1e5c02 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 6c010231f..edc80a218 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index d2e8da922..3c53cc029 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index ac2625343..a344b9aaf 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index 17a3c1ce8..64b38733c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index b71823784..db6a989e4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index 26f93a774..5e9e904fb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index 869807302..5fc1f3f1c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz
index 241958640..88dc5a9b8 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz
index 9e7da101a..1e4331310 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz
new file mode 100644
index 000000000..b4edfb07d
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz
new file mode 100644
index 000000000..d7f9f8a0b
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz
index d4a373921..6ea0e599f 100644
Binary files a/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index dd75165f8..656192376 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 1c6db5e9b..c21a4076e 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index a5140ae15..43a2b5926 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
@@ -126,10 +126,10 @@
 "9.0.0":
 beats: "9.0.0"
- ecs: "9.0.0-rc1"
+ ecs: "9.0.0"
 endgame: "8.4.0"
 "9.1.0":
 beats: "9.0.0"
- ecs: "9.0.0-rc1"
+ ecs: "9.0.0"
 endgame: "8.4.0"
\ No newline at end of file
diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py
index 94ec5b9cc..14ce262b8 100644
--- a/detection_rules/integrations.py
+++ b/detection_rules/integrations.py
@@ -189,7 +189,8 @@ def find_least_compatible_version(package: str, integration: str,
 # returns latest major version that is least compatible
 for version, manifest in OrderedDict(sorted(major_integration_manifests.items(),
 key=lambda x: Version.parse(x[0]))).items():
- compatible_versions = re.sub(r"\>|\<|\=|\^", "", manifest["conditions"]["kibana"]["version"]).split(" || ")
+ compatible_versions = re.sub(r"\>|\<|\=|\^|\~", "",
+ manifest["conditions"]["kibana"]["version"]).split(" || ")
 for kibana_ver in compatible_versions:
 kibana_ver = Version.parse(kibana_ver)
 # check versions have the same major
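Review bot: The operator-stripping regex `r"\>|\<|\=|\^|\~"` is now duplicated verbatim between find_least_compatible_version here and find_latest_compatible_version in the `@@ -222,7 +223,7 @@` hunk below, and this commit shows the cost of that: both copies had to be edited separately to learn about `~`. Hoisting it once at module level, `KIBANA_VERSION_OPERATORS = re.compile(r"[<>=^~]")`, and calling `KIBANA_VERSION_OPERATORS.sub("", ...)` in both functions keeps the two from drifting again and also drops the needless backslash escapes in the alternation. A short comment at the substitution would help as well, since the stripping is deliberately lossy — `^8.7.0` and `~8.7.0` describe different ranges but both collapse to the bare version; the `# check versions have the same major` comment suggests only the major is compared afterwards, which makes that acceptable here, but the next reader should not have to rediscover it. The `for version, manifest in ...` loop that contains the changed line continues past the end of the hunk.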
@@ -222,7 +223,7 @@ def find_latest_compatible_version(package: str, integration: str,
 if not version_requirement:
 raise ValueError(f"Manifest for {package}:{integration} version {version} is missing conditions.")
- compatible_versions = re.sub(r"\>|\<|\=|\^", "", version_requirement).split(" || ")
+ compatible_versions = re.sub(r"\>|\<|\=|\^|\~", "", version_requirement).split(" || ")
 if not compatible_versions:
 raise ValueError(f"Manifest for {package}:{integration} version {version} is missing compatible versions")
diff --git a/pyproject.toml b/pyproject.toml
index 68574c483..41c5d39db 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.0"
+version = "1.2.1"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
index fab30b229..9815afe35 100644
--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -142,7 +142,7 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.003"
-name = "Rename System Utilities"
+name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
 [[rule.threat.technique]]
diff --git a/rules/linux/defense_evasion_prctl_process_name_tampering.toml b/rules/linux/defense_evasion_prctl_process_name_tampering.toml
index 5e5ccb5c2..78132ea66 100644
--- a/rules/linux/defense_evasion_prctl_process_name_tampering.toml
+++ b/rules/linux/defense_evasion_prctl_process_name_tampering.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/09"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -112,7 +112,7 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
 [rule.threat.tactic]
diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml
index 9237b08e9..1df9ba7d1 100644
--- a/rules/linux/defense_evasion_rename_esxi_files.toml
+++ b/rules/linux/defense_evasion_rename_esxi_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -108,7 +108,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.003"
-name = "Rename System Utilities"
+name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml
index ab0619ad0..e4bccb44a 100644
--- a/rules/linux/defense_evasion_rename_esxi_index_file.toml
+++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -107,7 +107,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.003"
-name = "Rename System Utilities"
+name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 3c16ae240..bdb785082 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -110,7 +110,7 @@ VNC allows remote control of systems, facilitating maintenance and resource shar
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1219"
-name = "Remote Access Software"
+name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index df3de74ab..99c927ca9 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -111,7 +111,7 @@ VNC is a tool that allows remote control of computers, often used by administrat
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1219"
-name = "Remote Access Software"
+name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index 7df227a7d..c737537f1 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -282,7 +282,7 @@ host.os.type: "windows" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1219"
-name = "Remote Access Software"
+name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 274f09412..8ae791c89 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/27"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -109,7 +109,7 @@ process where host.os.type == "windows" and event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1219"
-name = "Remote Access Software"
+name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 925a6eb18..d21bb941d 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -131,7 +131,7 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 [[rule.threat.technique]]
 id = "T1219"
-name = "Remote Access Software"
+name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
diff --git a/rules/windows/command_and_control_tunnel_vscode.toml b/rules/windows/command_and_control_tunnel_vscode.toml
index 991ae1f84..d885bbb71 100644
--- a/rules/windows/command_and_control_tunnel_vscode.toml
+++ b/rules/windows/command_and_control_tunnel_vscode.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -94,7 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1219"
-name = "Remote Access Software"
+name = "Remote Access Tools"
 reference = "https://attack.mitre.org/techniques/T1219/"
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 33b194d55..eda22dc27 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -164,7 +164,7 @@ name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
 id = "T1574.001"
-name = "DLL Search Order Hijacking"
+name = "DLL"
 reference = "https://attack.mitre.org/techniques/T1574/001/"
diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
index 149d52717..7476990c1 100644
--- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
+++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -269,7 +269,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 94f438353..65c26340f 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -131,7 +131,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.003"
-name = "Rename System Utilities"
+name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index f75dd62ad..e90c1453f 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -182,7 +182,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 659a6260d..7b4668fa8 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -115,7 +115,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
index 4ec3e5ee0..51b8213c1 100644
--- a/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
+++ b/rules/windows/defense_evasion_masquerading_business_apps_installer.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -215,7 +215,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/defense_evasion_masquerading_communication_apps.toml b/rules/windows/defense_evasion_masquerading_communication_apps.toml
index 9ea0e913d..0151f7c19 100644
--- a/rules/windows/defense_evasion_masquerading_communication_apps.toml
+++ b/rules/windows/defense_evasion_masquerading_communication_apps.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -141,7 +141,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 2a4129e82..65a85d4b6 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -128,7 +128,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.003"
-name = "Rename System Utilities"
+name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 736a8830f..c55b7553c 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -119,7 +119,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index e9adbf559..3c3739992 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -135,7 +135,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 2fd614a2b..4434bc6b5 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -193,7 +193,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 655aa605b..7fc627c8c 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/15"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -127,7 +127,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.003"
-name = "Rename System Utilities"
+name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index ba3b72eec..2b11f8ec9 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -259,7 +259,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 92c0ecf70..2139d0912 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -101,7 +101,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.003"
-name = "Rename System Utilities"
+name = "Rename Legitimate Utilities"
 reference = "https://attack.mitre.org/techniques/T1036/003/"
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index 6a2a027a9..5f3a422b4 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -100,7 +100,7 @@ file where host.os.type == "windows" and event.type : "creation" and
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1176"
-name = "Browser Extensions"
+name = "Software Extensions"
 reference = "https://attack.mitre.org/techniques/T1176/"
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index cd692fd1c..84b326796 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -185,7 +185,7 @@ name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
 id = "T1574.001"
-name = "DLL Search Order Hijacking"
+name = "DLL"
 reference = "https://attack.mitre.org/techniques/T1574/001/"
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 43a347532..8752086e4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
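Review bot: In the `@@ -100,7 +100,7 @@` hunk of persistence_browser_extension_install.toml the T1176 entry is only renamed to `Software Extensions`, which leaves a rule that specifically watches browser extension installs mapped at the parent level; if the v17 bundle added by this commit carries the browser-extension sub-technique under T1176, the rule should keep that precision by adding a `[[rule.threat.technique.subtechnique]]` entry for it directly after the T1176 `reference` line, following the same four-line id/name/reference layout the other rules in this diff use for sub-techniques. The other T1176 rules in the repository (not visible here) would need the same treatment so coverage reports stay consistent. The `[rule.threat]` table this hunk belongs to starts outside the hunk.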
@@ -2,7 +2,7 @@
 creation_date = "2020/10/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/05/05"
 [transform]
 [[transform.osquery]]
@@ -157,7 +157,7 @@ name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml
index 68d23e228..810da1470 100644
--- a/rules_building_block/defense_evasion_dll_hijack.toml
+++ b/rules_building_block/defense_evasion_dll_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -89,7 +89,7 @@ name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
 id = "T1574.001"
-name = "DLL Search Order Hijacking"
+name = "DLL"
 reference = "https://attack.mitre.org/techniques/T1574/001/"
 [[rule.threat.technique.subtechnique]]
diff --git a/rules_building_block/defense_evasion_masquerading_browsers.toml b/rules_building_block/defense_evasion_masquerading_browsers.toml
index ab41a92f3..cb67a25bd 100644
--- a/rules_building_block/defense_evasion_masquerading_browsers.toml
+++ b/rules_building_block/defense_evasion_masquerading_browsers.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
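Review bot: The `@@ -89,7 +89,7 @@` hunk of rules_building_block/defense_evasion_dll_hijack.toml ends on a second `[[rule.threat.technique.subtechnique]]` header whose id lies outside the hunk; the redirects file changed earlier in this same commit maps `T1574.002` onto `T1574.001`, so if that following entry is T1574.002 the rule now carries a sub-technique id that the bundled ATT&CK data treats as redirected into the `T1574.001` entry renamed here, and it should be dropped rather than left to be resolved by the redirect at load time. The same trailing header appears in the `@@ -129,7 +129,7 @@` hunk of rules_building_block/defense_evasion_masquerading_windows_dll.toml on the next line. I cannot confirm the hidden id from the hunk alone; a quick grep for `id = "T1574.002"` under rules/ and rules_building_block/ would settle it for every file in the PR.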
@@ -180,7 +180,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
index 63f9383bb..a05035ab8 100644
--- a/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
+++ b/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/31"
+updated_date = "2024/05/05"
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml
index f64458b81..99e8191af 100644
--- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml
+++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/31"
+updated_date = "2024/05/05"
 [rule]
 author = ["Elastic"]
@@ -119,7 +119,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
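Review bot: The `@@ -3,7 +3,7 @@` hunk of rules_building_block/defense_evasion_masquerading_vlc_dll.toml sets `updated_date = "2024/05/05"`, which is earlier than the `2024/05/31` it replaces and a year behind the `2025/05/05` every other file in this commit receives; the same wrong year is in the `@@ -3,7 +3,7 @@` hunk of defense_evasion_masquerading_windows_dll.toml on this line and of defense_evasion_masquerading_windows_system32_exe.toml on the next. A last-updated stamp that moves backwards misleads anyone auditing when these production rules last changed, and if the release tooling compares this field against the previous value it may not register the edit at all. All three should read `updated_date = "2025/05/05"`.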
@@ -129,7 +129,7 @@ name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
 id = "T1574.001"
-name = "DLL Search Order Hijacking"
+name = "DLL"
 reference = "https://attack.mitre.org/techniques/T1574/001/"
 [[rule.threat.technique.subtechnique]]
diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
index 96aa94f81..884c45780 100644
--- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
+++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/31"
+updated_date = "2024/05/05"
 [rule]
 author = ["Elastic"]
@@ -93,7 +93,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
diff --git a/rules_building_block/defense_evasion_outlook_suspicious_child.toml b/rules_building_block/defense_evasion_outlook_suspicious_child.toml
index 90c03a8a6..a081138d5 100644
--- a/rules_building_block/defense_evasion_outlook_suspicious_child.toml
+++ b/rules_building_block/defense_evasion_outlook_suspicious_child.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/01/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ reference = "https://attack.mitre.org/techniques/T1036/001/"
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
-name = "Match Legitimate Name or Location"
+name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"