Merge branch 'develop' into cisco_slashn

pyth0n1c · web-flow · commit 1411dac82fbe · 2025-04-22T12:11:23.000-07:00
diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
@@ -1,7 +1,7 @@
 name: MSI Module Loaded by Non-System Binary
 id: ccb98a66-5851-11ec-b91c-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-04-22'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -38,7 +38,7 @@ tags:
   cve:
   - CVE-2021-41379
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml
@@ -1,7 +1,7 @@
 name: Msmpeng Application DLL Side Loading
 id: 8bb3f280-dd9b-11eb-84d5-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk, Sanjay Govind
 status: production
 type: TTP
@@ -57,7 +57,7 @@ tags:
   - Revil Ransomware
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml
@@ -1,7 +1,7 @@
 name: Windows DLL Side-Loading In Calc
 id: af01f6db-26ac-440e-8d89-2793e303f137
-version: 7
-date: '2025-04-16'
+version: 8
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -59,7 +59,7 @@ tags:
   - Earth Alux
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
@@ -1,7 +1,7 @@
 name: Windows DLL Side-Loading Process Child Of Calc
 id: 295ca9ed-e97b-4520-90f7-dfb6469902e1
-version: 7
-date: '2025-04-16'
+version: 8
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -66,7 +66,7 @@ tags:
   - Earth Alux
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml
@@ -1,7 +1,7 @@
 name: Windows Known Abused DLL Created
 id: ea91651a-772a-4b02-ac3d-985b364a5f07
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-04-22'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -79,7 +79,6 @@ tags:
   asset_type: Endpoint
   mitre_attack_id:
   - T1574.001
-  - T1574.002
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
@@ -1,7 +1,7 @@
 name: Windows Known Abused DLL Loaded Suspiciously
 id: dd6d1f16-adc0-4e87-9c34-06189516b803
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-04-22'
 author: Steven Dick
 status: production
 type: TTP
@@ -65,7 +65,6 @@ tags:
   asset_type: Endpoint
   mitre_attack_id:
   - T1574.001
-  - T1574.002
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
@@ -1,7 +1,7 @@
 name: Windows Known GraphicalProton Loaded Modules
 id: bf471c94-0324-4b19-a113-d02749b969bc
-version: 8
-date: '2025-04-17'
+version: 9
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -57,7 +57,7 @@ tags:
   - Water Gamayun
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
@@ -1,7 +1,7 @@
 name: Windows Masquerading Explorer As Child Process
 id: 61490da9-52a1-4855-a0c5-28233c88c481
-version: 9
-date: '2025-04-17'
+version: 10
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -68,7 +68,7 @@ tags:
   - Water Gamayun
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
@@ -1,7 +1,7 @@
 name: Windows SqlWriter SQLDumper DLL Sideload
 id: 2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-04-22'
 author: Michael Haag, Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
@@ -69,7 +69,7 @@ tags:
   - Midnight Blizzard
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -1,7 +1,7 @@
 name: Windows Unsigned DLL Side-Loading
 id: 5a83ce44-8e0f-4786-a775-8249a525c879
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -61,7 +61,7 @@ tags:
   - Earth Alux
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
@@ -1,7 +1,7 @@
 name: Windows Unsigned DLL Side-Loading In Same Process Path
 id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f
-version: 9
-date: '2025-02-26'
+version: 10
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
@@ -64,7 +64,7 @@ tags:
   - DarkGate Malware
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
@@ -1,7 +1,7 @@
 name: Windows Unsigned MS DLL Side-Loading
 id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-04-22'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
@@ -76,7 +76,7 @@ tags:
   - Midnight Blizzard
   asset_type: Endpoint
   mitre_attack_id:
-  - T1574.002
+  - T1574.001
   - T1547
   product:
   - Splunk Enterprise
