From de5166cc657d12f7dc59236b515b12b35367bb64 Mon Sep 17 00:00:00 2001
From: veritasr3x
Date: Tue, 4 Nov 2025 08:47:34 +0100
Subject: [PATCH 1/3] Resolves Issue #5279

---
 rules/windows/command_and_control_common_webservices.toml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 2491d16d57b..638989c843f 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -353,6 +353,14 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+[[rule.threat.technique.subtechnique]]
+id = "T1090.002"
+name = "External Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/002/"
+[[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"

From 3f571c5442febeb25e82b528717ba1a8e91dfb68 Mon Sep 17 00:00:00 2001
From: veritasr3x
Date: Tue, 4 Nov 2025 19:05:37 +0100
Subject: [PATCH 2/3] Corrected the "updated_date" value

---
 rules/windows/command_and_control_common_webservices.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index 638989c843f..df685b2d24c 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/04"
+updated_date = "2025/11/04"
 
 [transform]
 [[transform.investigate]]

From 40aeddc90266c6470673d4372653a411abafc9d4 Mon Sep 17 00:00:00 2001
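Review bot: The new `id = "T1090.002"` / `name = "External Proxy"` mapping asserts that this rule's detection logic observes external-proxy behaviour, but the rule query is outside this hunk, so that claim cannot be checked from the patch; a sentence in the PR description saying which web-service activity in the query corresponds to proxying would let a reviewer confirm the ATT&CK tag rather than take it on trust. The T1567 mapping that follows is self-evident from the rule name, which is why it needs no such justification. Note that this hunk inserts the T1090 `[[rule.threat.technique]]` into the threat entry that also holds T1567; the third patch in this series moves it, so nothing further is needed here.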
From: veritasr3x
Date: Wed, 5 Nov 2025 07:46:33 +0100
Subject: [PATCH 3/3] Put the technique and sub-technique in the correct location

---
 .../command_and_control_common_webservices.toml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index df685b2d24c..89cc18353e2 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -344,14 +344,6 @@ id = "T1568.002"
 name = "Domain Generation Algorithms"
 reference = "https://attack.mitre.org/techniques/T1568/002/"
 
-
-
-[rule.threat.tactic]
-id = "TA0011"
-name = "Command and Control"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1090"
 name = "Proxy"
@@ -360,6 +352,14 @@ reference = "https://attack.mitre.org/techniques/T1090/"
 id = "T1090.002"
 name = "External Proxy"
 reference = "https://attack.mitre.org/techniques/T1090/002/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
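Review bot: The blank line added after `framework = "MITRE ATT&CK"` does not match the layout the file uses elsewhere, where `[[rule.threat.technique]]` directly follows `framework` (the context of the first patch in this series shows that adjacency), and the single blank line added before `[rule.threat.tactic]` is narrower than the spacing the first hunk removed. TOML ignores this whitespace, so it is style only; dropping the added blank line after `framework = "MITRE ATT&CK"` keeps the new `[[rule.threat]]` entry consistent with the rest of the file, and if the repository normalizes rule files with tooling the spacing may be rewritten anyway. The placement itself is correct: `[rule.threat.tactic]` now closes the first threat entry after its last sub-technique, so T1090/T1090.002 sit under the Command and Control tactic rather than in the entry that holds T1567.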