Merge PR #4718 from @qasimqlf - Update ATT&CK Mapping For Some Rules

chore: update ATT&CK tagging for multiple rules
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

deprecated/windows/proc_creation_win_wuauclt_execution.yml

@@ -9,7 +9,7 @@ date: 2020/10/17
 modified: 2023/11/11
 tags:
     - attack.command_and_control
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1105
     - attack.t1218
 logsource:

rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml

@@ -12,7 +12,7 @@ author: '@41thexplorer'
 date: 2018/11/20
 modified: 2023/02/20
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218.011
     - detection.emerging_threats
 logsource:

rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml

@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems), @41thexplorer
 date: 2018/11/20
 modified: 2023/03/08
 tags:
+    - attack.defense_evasion
     - attack.execution
     - attack.t1218.011
     - detection.emerging_threats

rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml

@@ -11,7 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
 date: 2023/05/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - detection.emerging_threats
 logsource:

rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml

@@ -19,8 +19,9 @@ references:
 author: Harjot Singh @cyb3rjy0t
 date: 2023/09/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
+    - attack.execution
     - detection.threat_hunting
 logsource:
     category: process_creation

rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml

@@ -21,8 +21,9 @@ author: Ivan Dyachkov, oscd.community
 date: 2020/10/07
 modified: 2023/09/14
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
+    - attack.execution
     - detection.threat_hunting
 logsource:
     category: process_creation

rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml

@@ -13,7 +13,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024/02/05
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - detection.threat_hunting
 logsource:

rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml

@@ -15,7 +15,7 @@ references:
 author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/10/17
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - detection.threat_hunting
 logsource:

rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml

@@ -13,7 +13,7 @@ references:
 author: Andreas Braathen (mnemonic.io)
 date: 2023/10/17
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - detection.threat_hunting
 logsource:

rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml

@@ -8,7 +8,7 @@ author: Stamatis Chatzimangou
 date: 2022/10/23
 modified: 2022/10/23
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - attack.t1218.007
 logsource:

rules/windows/file/file_event/file_event_win_sed_file_creation.yml

@@ -15,7 +15,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024/02/05
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: file_event

rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml

@@ -16,7 +16,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024/02/05
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     product: windows

rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml

@@ -8,7 +8,7 @@ author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/01/13
 modified: 2024/02/17
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - attack.command_and_control
     - attack.t1105

rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml

@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 modified: 2023/05/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml

@@ -22,7 +22,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml

@@ -24,7 +24,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml

@@ -22,7 +22,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml

@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 modified: 2023/02/04
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml

@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 modified: 2023/02/04
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml

@@ -9,7 +9,7 @@ author: Bhabesh Raj, X__Junior (Nextron Systems)
 date: 2021/07/30
 modified: 2023/11/02
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml

@@ -12,7 +12,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
 date: 2024/02/05
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml

@@ -10,7 +10,7 @@ author: Beyu Denis, oscd.community
 date: 2020/10/18
 modified: 2023/02/04
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml

@@ -10,7 +10,7 @@ author: Beyu Denis, oscd.community
 date: 2020/10/18
 modified: 2021/11/27
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml

@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 modified: 2023/04/11
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation

rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml

@@ -12,6 +12,7 @@ author: 'Agro (@agro_sev) oscd.community'
 date: 2020/10/13
 modified: 2021/11/27
 tags:
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation