Prep main for 9.1 (#4555)

* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version

rules/windows/execution_initial_access_foxmail_exploit.toml

@@ -2,16 +2,13 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
-min_stack_version = "8.14.0"
-updated_date = "2025/02/21"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory.
-This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via
-a malicious email.
+Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may
+indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.
 """
 from = "now-9m"
 index = [
@@ -28,32 +25,6 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Foxmail Exploitation"
-references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"]
-risk_score = 73
-rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa"
-severity = "high"
-tags = [
-    "Domain: Endpoint",
-    "OS: Windows",
-    "Use Case: Threat Detection",
-    "Tactic: Initial Access",
-    "Tactic: Execution",
-    "Data Source: Elastic Defend",
-    "Data Source: Sysmon",
-    "Data Source: Windows Security Event Logs",
-    "Data Source: Elastic Endgame",
-    "Data Source: SentinelOne",
-    "Data Source: Microsoft Defender for Endpoint",
-    "Data Source: Crowdstrike",
-    "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "eql"
-
-query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -89,6 +60,32 @@ Foxmail, a popular email client, can be exploited by adversaries to gain initial
 - Apply any available security patches or updates to Foxmail and the operating system to mitigate known vulnerabilities and prevent future exploitation.
 - Monitor the network and systems for any signs of lateral movement or additional compromise, using indicators of compromise (IOCs) identified during the investigation.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional actions are required based on the scope and impact of the threat."""
+references = ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"]
+risk_score = 73
+rule_id = "2c6a6acf-0dcb-404d-89fb-6b0327294cfa"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Tactic: Execution",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Windows Security Event Logs",
+    "Data Source: Elastic Endgame",
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.parent.name : "Foxmail.exe" and process.args : ("?:\\Users\\*\\AppData\\*", "\\\\*")
+'''
 
 
 [[rule.threat]]
@@ -115,3 +112,4 @@ reference = "https://attack.mitre.org/techniques/T1189/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+