Mitre updates

.github/workflows/appinspect.yml

@@ -22,7 +22,7 @@ jobs:
           echo "- Contentctl version - $(cat requirements.txt)"
           pip install -r requirements.txt
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
-          git clone --depth=1 --single-branch --branch="ATT&CK-v18.1" https://github.com/mitre/cti external_repos/cti
+          git clone --depth=1 --single-branch --branch="master" https://github.com/mitre-attack/attack-stix-data external_repos/cti
 
       - name: Running appinspect with enrichments
         env:

.github/workflows/build.yml

@@ -22,7 +22,7 @@ jobs:
           echo "- Contentctl version - $(cat requirements.txt)"
           pip install -r requirements.txt
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
-          git clone --depth=1 --single-branch --branch="ATT&CK-v18.1" https://github.com/mitre/cti external_repos/cti
+          git clone --depth=1 --single-branch --branch="master" https://github.com/mitre-attack/attack-stix-data external_repos/cti
 
       - name: Running build with enrichments
         run: |

detections/application/cisco_asa___core_syslog_message_volume_drop.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Core Syslog Message Volume Drop
 id: 4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4
-version: 3
-date: '2025-10-13'
+version: 4
+date: '2026-05-04'
 author: Bhavin Patel, Micheal Haag, Splunk
 status: production
 type: Hunting
@@ -47,7 +47,7 @@ tags:
         - ArcaneDoor
     asset_type: Network
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/cisco_asa___logging_disabled_via_cli.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Disabled via CLI
 id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
-version: 6
-date: '2026-04-15'
+version: 7
+date: '2026-05-04'
 author: Bhavin Patel, Micheal Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -72,7 +72,7 @@ tags:
         - Suspicious Cisco Adaptive Security Appliance Activity
     asset_type: Network
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/cisco_asa___logging_filters_configuration_tampering.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Filters Configuration Tampering
 id: b87b48a8-6d1a-4280-9cf1-16a950dbf901
-version: 4
-date: '2026-04-15'
+version: 5
+date: '2026-05-04'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -83,7 +83,7 @@ tags:
         - Suspicious Cisco Adaptive Security Appliance Activity
     asset_type: Network
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/cisco_asa___logging_message_suppression.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Message Suppression
 id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f
-version: 4
-date: '2026-04-15'
+version: 5
+date: '2026-05-04'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -69,7 +69,7 @@ tags:
         - ArcaneDoor
     asset_type: Network
     mitre_attack_id:
-        - T1562.002
+        - T1685.001
         - T1070
     product:
         - Splunk Enterprise

detections/application/esxi_audit_tampering.yml

@@ -1,7 +1,7 @@
 name: ESXi Audit Tampering
 id: c48a155b-2861-417a-813c-220f5272cf01
-version: 3
-date: '2026-04-15'
+version: 4
+date: '2026-05-04'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -35,7 +35,7 @@ tags:
         - Black Basta Ransomware
     asset_type: Infrastructure
     mitre_attack_id:
-        - T1562.003
+        - T1690
         - T1070
     product:
         - Splunk Enterprise

detections/application/esxi_download_errors.yml

@@ -1,7 +1,7 @@
 name: ESXi Download Errors
 id: 515cccd0-c4d8-4427-92d9-8a8f8b5a71dc
-version: 3
-date: '2026-04-15'
+version: 4
+date: '2026-05-04'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ tags:
     asset_type: Infrastructure
     mitre_attack_id:
         - T1601.001
-        - T1562.001
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/esxi_encryption_settings_modified.yml

@@ -1,7 +1,7 @@
 name: ESXi Encryption Settings Modified
 id: dbbbe26f-83fe-4ee3-8b77-ccf7fbd416c8
-version: 3
-date: '2026-04-15'
+version: 4
+date: '2026-05-04'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -33,7 +33,7 @@ tags:
         - Black Basta Ransomware
     asset_type: Infrastructure
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/esxi_firewall_disabled.yml

@@ -1,7 +1,7 @@
 name: ESXi Firewall Disabled
 id: e321804c-8eb5-42f2-a843-36b289a6c6b2
-version: 4
-date: '2026-04-15'
+version: 5
+date: '2026-05-04'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -34,7 +34,7 @@ tags:
         - China-Nexus Threat Activity
     asset_type: Infrastructure
     mitre_attack_id:
-        - T1562.004
+        - T1686
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/esxi_lockdown_mode_disabled.yml

@@ -1,7 +1,7 @@
 name: ESXi Lockdown Mode Disabled
 id: 07c0d28a-9a9b-409f-8d4b-65355bd19ead
-version: 3
-date: '2026-04-15'
+version: 4
+date: '2026-05-04'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -33,7 +33,7 @@ tags:
         - Black Basta Ransomware
     asset_type: Infrastructure
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/esxi_loghost_config_tampering.yml

@@ -1,7 +1,7 @@
 name: ESXi Loghost Config Tampering
 id: 64bc2fa3-c493-44b4-8e94-3e5dbf71377e
-version: 3
-date: '2026-04-15'
+version: 4
+date: '2026-05-04'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -33,7 +33,7 @@ tags:
         - Black Basta Ransomware
     asset_type: Infrastructure
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/esxi_syslog_config_change.yml

@@ -1,7 +1,7 @@
 name: ESXi Syslog Config Change
 id: e530beb9-9b8c-4c9b-9776-0a05521ff32d
-version: 3
-date: '2026-04-15'
+version: 4
+date: '2026-05-04'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -33,7 +33,7 @@ tags:
         - Black Basta Ransomware
     asset_type: Infrastructure
     mitre_attack_id:
-        - T1562.003
+        - T1690
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/esxi_vib_acceptance_level_tampering.yml

@@ -1,7 +1,7 @@
 name: ESXi VIB Acceptance Level Tampering
 id: d051d94f-c792-445e-b5d2-0b904f93ac09
-version: 4
-date: '2026-04-15'
+version: 5
+date: '2026-05-04'
 author: Raven Tait, Splunk
 status: production
 type: TTP
@@ -37,7 +37,7 @@ tags:
         - China-Nexus Threat Activity
     asset_type: Infrastructure
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/m365_copilot_agentic_jailbreak_attack.yml

@@ -1,25 +1,29 @@
 name: M365 Copilot Agentic Jailbreak Attack
 id: e5c7b380-19da-42e9-9e53-0af4cd27aee3
-version: 3
-date: '2026-04-15'
+version: 4
+date: '2026-05-04'
 author: Rod Soto
 status: experimental
 type: Anomaly
 data_source:
     - M365 Exported eDiscovery Prompts
 description: Detects agentic AI jailbreak attempts that try to establish persistent control over M365 Copilot through rule injection, universal triggers, response automation, system overrides, and persona establishment techniques. The detection analyzes the PromptText field for keywords like "from now on," "always respond," "ignore previous," "new rule," "override," and role-playing commands (e.g., "act as," "you are now") that attempt to inject persistent instructions. The search computes risk by counting distinct jailbreak indicators per user session, flagging coordinated manipulation attempts.
 search: >
-    `m365_exported_ediscovery_prompt_logs`
-    | eval user = Sender
-    | eval rule_injection=if(match(Subject_Title, "(?i)(rules|instructions)\s*="), "YES", "NO")
-    | eval universal_trigger=if(match(Subject_Title, "(?i)(every|all).*prompt"), "YES", "NO")
-    | eval response_automation=if(match(Subject_Title, "(?i)(always|automatic).*respond"), "YES", "NO")
-    | eval system_override=if(match(Subject_Title, "(?i)(override|bypass|ignore).*(system|default)"), "YES", "NO")
-    | eval persona_establishment=if(match(Subject_Title, "(?i)(with.*\[.*\]|persona)"), "YES", "NO")
-    | where rule_injection="YES" OR universal_trigger="YES" OR response_automation="YES" OR system_override="YES" OR persona_establishment="YES"
-    | table _time, "Source ID", user, Subject_Title, rule_injection, universal_trigger, response_automation, system_override, persona_establishment, Workload
-    | sort -_time
-    | `m365_copilot_agentic_jailbreak_attack_filter`
+    `m365_exported_ediscovery_prompt_logs` | eval user = Sender | eval
+    rule_injection=if(match(Subject_Title, "(?i)(rules|instructions)\s*="), "YES",
+    "NO") | eval universal_trigger=if(match(Subject_Title,
+    "(?i)(every|all).*prompt"), "YES", "NO") | eval
+    response_automation=if(match(Subject_Title,
+    "(?i)(always|automatic).*respond"), "YES", "NO") | eval
+    system_override=if(match(Subject_Title,
+    "(?i)(override|bypass|ignore).*(system|default)"), "YES", "NO") | eval
+    persona_establishment=if(match(Subject_Title, "(?i)(with.*\[.*\]|persona)"),
+    "YES", "NO") | where rule_injection="YES" OR universal_trigger="YES" OR
+    response_automation="YES" OR system_override="YES" OR
+    persona_establishment="YES" | table _time, "Source ID", user, Subject_Title,
+    rule_injection, universal_trigger, response_automation, system_override,
+    persona_establishment, Workload | sort -_time |
+    `m365_copilot_agentic_jailbreak_attack_filter`
 how_to_implement: To export M365 Copilot prompt logs, navigate to the Microsoft Purview compliance portal (compliance.microsoft.com) and access eDiscovery. Create a new eDiscovery case, add target user accounts or date ranges as data sources, then create a search query targeting M365 Copilot interactions across relevant workloads. Once the search completes, export the results to generate a package containing prompt logs with fields like Subject_Title (prompt text), Sender, timestamps, and workload metadata. Download the exported files using the eDiscovery Export Tool and ingest them into Splunk for security analysis and detection of jailbreak attempts, data exfiltration requests, and policy violations.
 known_false_positives: Legitimate users discussing AI ethics research, security professionals testing system robustness, developers creating training materials for AI safety, or academic discussions about AI limitations and behavioral constraints may trigger false positives.
 references:
@@ -45,7 +49,7 @@ tags:
         - Suspicious Microsoft 365 Copilot Activities
     asset_type: Web Application
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/m365_copilot_impersonation_jailbreak_attack.yml

@@ -1,7 +1,7 @@
 name: M365 Copilot Impersonation Jailbreak Attack
 id: cc26aba8-7f4a-4078-b91a-052d6a53cb13
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-05-04'
 author: Rod Soto
 status: experimental
 type: TTP
@@ -49,7 +49,7 @@ tags:
         - Suspicious Microsoft 365 Copilot Activities
     asset_type: Web Proxy
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security

detections/application/m365_copilot_information_extraction_jailbreak_attack.yml

@@ -1,24 +1,60 @@
 name: M365 Copilot Information Extraction Jailbreak Attack
 id: c0ee37bb-ed43-4632-8e38-060fba80b0b2
-version: 3
-date: '2026-04-15'
+version: 4
+date: '2026-05-04'
 author: Rod Soto
 status: experimental
 type: TTP
 data_source:
     - M365 Exported eDiscovery Prompts
 description: Detects M365 Copilot information extraction jailbreak attacks that attempt to obtain sensitive, classified, or comprehensive data through various social engineering techniques including fictional entity impersonation, bulk data requests, and privacy bypass attempts. The detection searches exported eDiscovery prompt logs for extraction keywords like "transcendent," "tell me everything," "confidential," "dump," "extract," "reveal," and "bypass" in the Subject_Title field, categorizing each attempt by extraction type and assigning severity levels (CRITICAL for classified/proprietary data, HIGH for bulk extraction or privacy bypass). Prompts are further analyzed for compound risk patterns such as "Confidential+Extraction" or "Bulk_Request+Bypass," filtering out low-severity cases to surface the most dangerous attempts to exfiltrate sensitive organizational information through AI manipulation.
 search: >
-    `m365_exported_ediscovery_prompt_logs`
-    | search Subject_Title="*transcendent*" OR Subject_Title="*incorporeal*" OR Subject_Title="*being who*" OR Subject_Title="*tell me everything*" OR Subject_Title="*give me all*" OR Subject_Title="*comprehensive*" OR Subject_Title="*step by step*" OR Subject_Title="*hidden*" OR Subject_Title="*secret*" OR Subject_Title="*confidential*" OR Subject_Title="*classified*" OR Subject_Title="*internal*" OR Subject_Title="*sensitive*" OR Subject_Title="*proprietary*" OR Subject_Title="*dump*" OR Subject_Title="*extract*" OR Subject_Title="*reveal*" OR Subject_Title="*disclose*" OR Subject_Title="*leak*"
-    | eval user = Sender
-    | eval extraction_type=case(match(Subject_Title, "(?i)(transcendent|incorporeal).*being"), "Knowledge_Entity", match(Subject_Title, "(?i)tell.*me.*(everything|all)"), "Everything_Request", match(Subject_Title, "(?i)(give|show|provide).*me.*(all|every)"), "Complete_Data_Request", match(Subject_Title, "(?i)(hidden|secret|confidential|classified)"), "Restricted_Info", match(Subject_Title, "(?i)(comprehensive|complete|full|entire)"), "Complete_Info", match(Subject_Title, "(?i)(dump|extract|scrape).*(data|info|content)"), "Data_Extraction", match(Subject_Title, "(?i)(reveal|disclose|expose|leak)"), "Information_Disclosure", match(Subject_Title, "(?i)(internal|proprietary|sensitive).*information"), "Sensitive_Data_Request", match(Subject_Title, "(?i)step.*by.*step.*(process|procedure|method)"), "Process_Extraction", match(Subject_Title, "(?i)(bypass|ignore).*privacy"), "Privacy_Bypass", match(Subject_Title, "(?i)(access|view|see).*(private|restricted)"), "Unauthorized_Access", 1=1, "Generic_Request")
-    | eval severity=case(match(Subject_Title, "(?i)(transcendent|incorporeal)"), "HIGH", match(Subject_Title, "(?i)tell.*everything"), "HIGH", match(Subject_Title, "(?i)(dump|extract|scrape)"), "HIGH", match(Subject_Title, "(?i)(classified|proprietary|confidential)"), "CRITICAL", match(Subject_Title, "(?i)(hidden|secret|internal|sensitive)"), "MEDIUM", match(Subject_Title, "(?i)(reveal|disclose|leak)"), "MEDIUM", match(Subject_Title, "(?i)(bypass|ignore).*privacy"), "HIGH", 1=1, "LOW")
-    | where severity!="LOW"
-    | eval data_risk_flags=case(match(Subject_Title, "(?i)(classified|confidential|proprietary)") AND match(Subject_Title, "(?i)(dump|extract|scrape)"), "Confidential+Extraction", match(Subject_Title, "(?i)(everything|all|complete)") AND match(Subject_Title, "(?i)(bypass|ignore)"), "Bulk_Request+Bypass", match(Subject_Title, "(?i)(classified|confidential|proprietary)"), "Confidential", match(Subject_Title, "(?i)(dump|extract|scrape)"), "Extraction", match(Subject_Title, "(?i)(everything|all|complete|comprehensive)"), "Bulk_Request", match(Subject_Title, "(?i)(bypass|ignore)"), "Bypass_Attempt", 1=1, "Standard_Request")
-    | table _time, user, Subject_Title, extraction_type, severity, data_risk_flags, Size
-    | sort -severity, -_time
-    | `m365_copilot_information_extraction_jailbreak_attack_filter`
+    `m365_exported_ediscovery_prompt_logs` | search Subject_Title="*transcendent*"
+    OR Subject_Title="*incorporeal*" OR Subject_Title="*being who*" OR
+    Subject_Title="*tell me everything*" OR Subject_Title="*give me all*" OR
+    Subject_Title="*comprehensive*" OR Subject_Title="*step by step*" OR
+    Subject_Title="*hidden*" OR Subject_Title="*secret*" OR
+    Subject_Title="*confidential*" OR Subject_Title="*classified*" OR
+    Subject_Title="*internal*" OR Subject_Title="*sensitive*" OR
+    Subject_Title="*proprietary*" OR Subject_Title="*dump*" OR
+    Subject_Title="*extract*" OR Subject_Title="*reveal*" OR
+    Subject_Title="*disclose*" OR Subject_Title="*leak*" | eval user = Sender |
+    eval extraction_type=case(match(Subject_Title,
+    "(?i)(transcendent|incorporeal).*being"), "Knowledge_Entity",
+    match(Subject_Title, "(?i)tell.*me.*(everything|all)"), "Everything_Request",
+    match(Subject_Title, "(?i)(give|show|provide).*me.*(all|every)"),
+    "Complete_Data_Request", match(Subject_Title,
+    "(?i)(hidden|secret|confidential|classified)"), "Restricted_Info",
+    match(Subject_Title, "(?i)(comprehensive|complete|full|entire)"),
+    "Complete_Info", match(Subject_Title,
+    "(?i)(dump|extract|scrape).*(data|info|content)"), "Data_Extraction",
+    match(Subject_Title, "(?i)(reveal|disclose|expose|leak)"),
+    "Information_Disclosure", match(Subject_Title,
+    "(?i)(internal|proprietary|sensitive).*information"),
+    "Sensitive_Data_Request", match(Subject_Title,
+    "(?i)step.*by.*step.*(process|procedure|method)"), "Process_Extraction",
+    match(Subject_Title, "(?i)(bypass|ignore).*privacy"), "Privacy_Bypass",
+    match(Subject_Title, "(?i)(access|view|see).*(private|restricted)"),
+    "Unauthorized_Access", 1=1, "Generic_Request") | eval
+    severity=case(match(Subject_Title, "(?i)(transcendent|incorporeal)"), "HIGH",
+    match(Subject_Title, "(?i)tell.*everything"), "HIGH", match(Subject_Title,
+    "(?i)(dump|extract|scrape)"), "HIGH", match(Subject_Title,
+    "(?i)(classified|proprietary|confidential)"), "CRITICAL", match(Subject_Title,
+    "(?i)(hidden|secret|internal|sensitive)"), "MEDIUM", match(Subject_Title,
+    "(?i)(reveal|disclose|leak)"), "MEDIUM", match(Subject_Title,
+    "(?i)(bypass|ignore).*privacy"), "HIGH", 1=1, "LOW") | where severity!="LOW" |
+    eval data_risk_flags=case(match(Subject_Title,
+    "(?i)(classified|confidential|proprietary)") AND match(Subject_Title,
+    "(?i)(dump|extract|scrape)"), "Confidential+Extraction", match(Subject_Title,
+    "(?i)(everything|all|complete)") AND match(Subject_Title,
+    "(?i)(bypass|ignore)"), "Bulk_Request+Bypass", match(Subject_Title,
+    "(?i)(classified|confidential|proprietary)"), "Confidential",
+    match(Subject_Title, "(?i)(dump|extract|scrape)"), "Extraction",
+    match(Subject_Title, "(?i)(everything|all|complete|comprehensive)"),
+    "Bulk_Request", match(Subject_Title, "(?i)(bypass|ignore)"), "Bypass_Attempt",
+    1=1, "Standard_Request") | table _time, user, Subject_Title, extraction_type,
+    severity, data_risk_flags, Size | sort -severity, -_time |
+    `m365_copilot_information_extraction_jailbreak_attack_filter`
 how_to_implement: To export M365 Copilot prompt logs, navigate to the Microsoft Purview compliance portal (compliance.microsoft.com) and access eDiscovery. Create a new eDiscovery case, add target user accounts or date ranges as data sources, then create a search query targeting M365 Copilot interactions across relevant workloads. Once the search completes, export the results to generate a package containing prompt logs with fields like Subject_Title (prompt text), Sender, timestamps, and workload metadata. Download the exported files using the eDiscovery Export Tool and ingest them into Splunk for security analysis and detection of jailbreak attempts, data exfiltration requests, and policy violations.
 known_false_positives: Legitimate researchers studying data classification systems, cybersecurity professionals testing information handling policies, compliance officers reviewing data access procedures, journalists researching transparency issues, or employees asking for comprehensive project documentation may trigger false positives.
 references:
@@ -44,7 +80,7 @@ tags:
         - Suspicious Microsoft 365 Copilot Activities
     asset_type: Web Application
     mitre_attack_id:
-        - T1562
+        - T1685
     product:
         - Splunk Enterprise
         - Splunk Enterprise Security