updating version and removing detections (#3749)

patel-bhavin · web-flow · commit c5413e93f2de · 2025-10-30T10:29:04.000-07:00
diff --git a/contentctl.yml b/contentctl.yml
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.17.0
+  version: 5.18.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
diff --git a/removed/detections/detect_rundll32_application_control_bypass___advpack.yml b/removed/detections/detect_rundll32_application_control_bypass___advpack.yml
@@ -3,7 +3,7 @@ id: 4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8
 version: 12
 date: '2025-10-06'
 author: Michael Haag, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects the execution of rundll32.exe loading
   advpack.dll or ieadvpack.dll via the LaunchINFSection function. This method is identified
diff --git a/removed/detections/detect_rundll32_application_control_bypass___setupapi.yml b/removed/detections/detect_rundll32_application_control_bypass___setupapi.yml
@@ -3,7 +3,7 @@ id: 61e7b44a-6088-4f26-b788-9a96ba13b37a
 version: 12
 date: '2025-10-06'
 author: Michael Haag, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects the execution of rundll32.exe loading
   setupapi.dll and iesetupapi.dll via the LaunchINFSection function. This behavior
diff --git a/removed/detections/detect_rundll32_application_control_bypass___syssetup.yml b/removed/detections/detect_rundll32_application_control_bypass___syssetup.yml
@@ -3,7 +3,7 @@ id: 71b9bf37-cde1-45fb-b899-1b0aa6fa1183
 version: 12
 date: '2025-10-06'
 author: Michael Haag, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects the execution of rundll32.exe loading
   syssetup.dll via the LaunchINFSection function. This method is identified through
diff --git a/removed/detections/windows_change_default_file_association_for_no_file_ext.yml b/removed/detections/windows_change_default_file_association_for_no_file_ext.yml
@@ -3,7 +3,7 @@ id: dbdf52ad-d6a1-4b68-975f-0a10939d8e38
 version: 9
 date: '2025-10-06'
 author: Teoderick Contreras, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects attempts to change the default file association
   for files without an extension to open with Notepad.exe. It leverages data from
diff --git a/removed/detections/windows_set_private_network_profile_via_registry.yml b/removed/detections/windows_set_private_network_profile_via_registry.yml
@@ -3,7 +3,7 @@ id: a277acde-9bfd-4edb-b201-7cfc504003e2
 version: 2
 date: '2025-10-07'
 author: Teoderick Contreras, Splunk
-status: deprecated
+status: removed
 type: Anomaly
 description: The following analytic detects attempts to modify the Windows Registry to change a network profile's category to "Private", which may indicate an adversary is preparing the environment for lateral movement or reducing firewall restrictions. Specifically, this activity involves changes to the Category value within the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} registry path. A value of 1 corresponds to a private network profile, which typically enables less restrictive firewall policies. While this action can occur during legitimate network configuration, it may also be a sign of malicious behavior when combined with other indicators such as suspicious account activity, unexpected administrative privilege usage, or execution of unsigned binaries. Monitoring for this registry modification—especially outside standard IT processes or correlated with persistence mechanisms—can help identify stealthy post-exploitation activity.
 data_source:
