Скорректирован префикс всех правил, для возможности подгрузки пакетов…

… как системного контента
Security-Experts-Community · Feb 27, 2024 · 2958a6f · 2958a6f
1 parent 147e367
commit 2958a6f
Show file tree

Hide file tree

Showing 71 changed files with 71 additions and 71 deletions.
diff --git a/common/rules_filters/examples/IsNormalizedEvent/metainfo.yaml b/common/rules_filters/examples/IsNormalizedEvent/metainfo.yaml
@@ -8,4 +8,4 @@ Args: {}
 Tags:
     - event
     - normalized
-ObjectId: LOC-RF-35030
+ObjectId: SEC-RF-35030
diff --git a/common/rules_filters/examples/IsProcessStartEvent/metainfo.yaml b/common/rules_filters/examples/IsProcessStartEvent/metainfo.yaml
@@ -14,4 +14,4 @@ Args:
 Tags:
     - system
     - process
-ObjectId: LOC-RF-35031
+ObjectId: SEC-RF-35031
diff --git a/packages/open_vulnerabilities/correlation_rules/CVE_2023_38831_WinRar/metainfo.yaml b/packages/open_vulnerabilities/correlation_rules/CVE_2023_38831_WinRar/metainfo.yaml
@@ -17,7 +17,7 @@ ExpertContext:
         - https://github.com/b1tg/CVE-2023-38831-winrar-exploit
     Usecases:
         - WinRAR до версии 6.23 позволяет злоумышленникам выполнять произвольный код, когда пользователь пытается просмотреть безопасный файл в ZIP-архиве.
-ObjectId: ESC-CR-204012915
+ObjectId: SEC-CR-204012915
 ContentRelations:
     Implements:
         ATTACK:

diff --git a/...ulnerabilities/correlation_rules/CVE_2023_42793_Teamcity_Token_Manipulation/metainfo.yaml b/...ulnerabilities/correlation_rules/CVE_2023_42793_Teamcity_Token_Manipulation/metainfo.yaml
@@ -13,7 +13,7 @@ ExpertContext:
         - https://nvd.nist.gov/vuln/detail/CVE-2023-42793
         - https://github.com/H454NSec/CVE-2023-42793
         - https://exploit-notes.hdks.org/exploit/web/teamcity-pentesting/
-ObjectId: LOC-CR-723173698
+ObjectId: SEC-CR-723173698
 ContentRelations:
     Implements:
         ATTACK:

diff --git a/...s/open_vulnerabilities/enrichment_rules/Teamcity_Get_TokenName_and_Username/metainfo.yaml b/...s/open_vulnerabilities/enrichment_rules/Teamcity_Get_TokenName_and_Username/metainfo.yaml
@@ -8,4 +8,4 @@ ExpertContext:
         - Sergey Scherbakov
     Usecases:
         - Раскладывает по полям имя/id УЗ и имя токена из запроса на токен к REST API TeamCity
-ObjectId: LOC-ER-892365548
+ObjectId: SEC-ER-892365548
diff --git a/...s/eventlog/Common/Security/4794_Attempt_was_made_to_set_DSRM_admin_password/metainfo.yaml b/...s/eventlog/Common/Security/4794_Attempt_was_made_to_set_DSRM_admin_password/metainfo.yaml
@@ -1,7 +1,7 @@
 EventDescriptions:
     - Criteria: id = "4794_Attempt_was_made_to_set_DSRM_admin_password"
       LocalizationId: 4794_Attempt_was_made_to_set_DSRM_admin_password_1
-ObjectId: LOC-NF-115213330
+ObjectId: SEC-NF-115213330
 ExpertContext:
     Created: 11.06.2023
     Updated: 11.06.2023
diff --git a/...TerminalServices_RemoteConnectionManager/1149_User_authentication_succeeded/metainfo.yaml b/...TerminalServices_RemoteConnectionManager/1149_User_authentication_succeeded/metainfo.yaml
@@ -6,4 +6,4 @@ ExpertContext:
     Updated: 05.06.2023
     KnowledgeHolders:
         - "@artemcun"
-ObjectId: LOC-NF-186348571
+ObjectId: SEC-NF-186348571
diff --git a/packages/windows_open_package/_meta/metainfo.yaml b/packages/windows_open_package/_meta/metainfo.yaml
@@ -1,2 +1,2 @@
-ObjectId: LOC-PKG-471366245
+ObjectId: SEC-PKG-471366245
 Version: 1.0.0
diff --git a/...ackage/correlation_rules/mitre_attck_comm_and_ctrl/IIS_RDP_or_SMB_Tunneling/metainfo.yaml b/...ackage/correlation_rules/mitre_attck_comm_and_ctrl/IIS_RDP_or_SMB_Tunneling/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-887361710
+ObjectId: SEC-CR-887361710
 ContentAutoName: IIS_RDP_or_SMB_Tunneling
 ExpertContext:
     Created: 12.06.2023

diff --git a/...dows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/metainfo.yaml b/...dows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-143879217
+ObjectId: SEC-CR-143879217
 ContentAutoName: RDP_Tunneling
 ExpertContext:
     Created: 05.06.2023

diff --git a/...kage/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/metainfo.yaml b/...kage/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-382727157
+ObjectId: SEC-CR-382727157
 ContentAutoName: RDP_Tunneling_via_SSH_5156
 ExpertContext:
     Created: 13.06.2023

diff --git a/...relation_rules/mitre_attck_cred_access/An_attempt_was_made_to_lsass_process/metainfo.yaml b/...relation_rules/mitre_attck_cred_access/An_attempt_was_made_to_lsass_process/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-31343766
+ObjectId: SEC-CR-31343766
 ContentAutoName: An_attempt_was_made_to_lsass_process
 ExpertContext:
     Created: 12.06.2023

diff --git a/...ge/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/metainfo.yaml b/...ge/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-105581934
+ObjectId: SEC-CR-105581934
 ContentAutoName: Chrome_firefox_opera_cred_read
 ExpertContext:
     Created: 04.06.2023

diff --git a/...rrelation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/metainfo.yaml b/...rrelation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-179311440
+ObjectId: SEC-CR-179311440
 ContentAutoName: Credentials_MiniDumpWriteDump_Lsass
 ExpertContext:
     Created: 07.06.2023

diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-176126000
+ObjectId: SEC-CR-176126000
 ContentAutoName: DCSync
 EventDescriptions:
     - Criteria: correlation_name = "DCSync"

diff --git a/...age/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/metainfo.yaml b/...age/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-128949563
+ObjectId: SEC-CR-128949563
 ContentAutoName: Dump_lsass_via_process_access
 ExpertContext:
     Created: 09.06.2023

diff --git a/...ows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/metainfo.yaml b/...ows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-156832011
+ObjectId: SEC-CR-156832011
 ContentAutoName: KeePass_CredDump
 ExpertContext:
     Created: 05.06.2023

diff --git a/...age/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/metainfo.yaml b/...age/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-198578044
+ObjectId: SEC-CR-198578044
 ContentAutoName: Keepass_Key_Dump_Via_KeeThief
 ExpertContext:
     Created: 06.06.2023

diff --git a/...pen_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/metainfo.yaml b/...pen_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/metainfo.yaml
@@ -14,7 +14,7 @@ ExpertContext:
         - Vulnerability scanners, misconfigured systems, remote administration tools, VPN terminators, multiuser systems like Citrix server farms
     Improvements:
         - Add events a lot of failure 4668 before correlation rule kerberos_pwd_spraying_4771 and add events success event 4688
-ObjectId: LOC-CR-155929458
+ObjectId: SEC-CR-155929458
 EventDescriptions:
     - Criteria: correlation_name = "Kerberos_pwd_spraying"
       LocalizationId: corrname_kerberos_pwd_spraying

diff --git a/...ndows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/metainfo.yaml b/...ndows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-194813648
+ObjectId: SEC-CR-194813648
 ContentAutoName: LSASS_ProcDump
 ExpertContext:
     Created: 03.06.2023

diff --git a/...ges/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/metainfo.yaml b/...ges/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/metainfo.yaml
@@ -15,7 +15,7 @@ ExpertContext:
         - Provider: Microsoft-Windows-Sysmon
           EventID:
               - 1
-ObjectId: LOC-CR-121752854
+ObjectId: SEC-CR-121752854
 EventDescriptions:
     - Criteria: correlation_name = "Mimikatz"
       LocalizationId: corrname_Mimikatz

diff --git a/...relation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/metainfo.yaml b/...relation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-420314424
+ObjectId: SEC-CR-420314424
 ContentAutoName: Mimikatz_Memssp_Default_Log_Detected
 ExpertContext:
     Created: 05.06.2023

diff --git a/...ckage/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/metainfo.yaml b/...ckage/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-726341693
+ObjectId: SEC-CR-726341693
 ContentAutoName: PPL_Bypass_via_PPLDump_Tool
 ExpertContext:
     Created: 14.06.2023

diff --git a/...mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/metainfo.yaml b/...mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-133323320
+ObjectId: SEC-CR-133323320
 ContentAutoName: Phishing_windows_credentials_powershell_scriptblock
 ExpertContext:
     Created: 17.06.2023

diff --git a/...en_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/metainfo.yaml b/...en_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-131630298
+ObjectId: SEC-CR-131630298
 ContentAutoName: Remote_registry_access
 ExpertContext:
     Created: 13.06.2023

diff --git a/...elation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/metainfo.yaml b/...elation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-469916719
+ObjectId: SEC-CR-469916719
 ContentAutoName: Change_powershell_policy_registry
 ExpertContext:
     Created: 10.06.2023

diff --git a/...pen_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/metainfo.yaml b/...pen_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/metainfo.yaml
@@ -1,5 +1,5 @@
 Name: Tasks_actions
-ObjectId: LOC-CR-284318162
+ObjectId: SEC-CR-284318162
 ContentAutoName: Tasks_actions
 ExpertContext:
     Created: 01.06.2023

diff --git a/..._open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/metainfo.yaml b/..._open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-202536688
+ObjectId: SEC-CR-202536688
 ContentAutoName: DCShadow_Attack
 ExpertContext:
     Created: 01.06.2023

diff --git a/...e/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/metainfo.yaml b/...e/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-277281147
+ObjectId: SEC-CR-277281147
 ContentAutoName: Detect_Fake_ComputerAccount
 ExpertContext:
     Created: 04.06.2023

diff --git a/...ion_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/metainfo.yaml b/...ion_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-100869373
+ObjectId: SEC-CR-100869373
 ContentAutoName: Detect_hiding_files_via_attrib_cmdlet
 ExpertContext:
     Created: 16.06.2023

diff --git a/...age/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/metainfo.yaml b/...age/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-450661205
+ObjectId: SEC-CR-450661205
 ContentAutoName: Detect_lolbin_pcalua_exec
 ExpertContext:
     Created: 18.06.2023

diff --git a/...ion_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/metainfo.yaml b/...ion_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-120990365
+ObjectId: SEC-CR-120990365
 ContentAutoName: ImageLoad_from_Network_Share_to_LSASS
 ExpertContext:
     Created: 12.06.2023

diff --git a/...en_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/metainfo.yaml b/...en_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-706374286
+ObjectId: SEC-CR-706374286
 ContentAutoName: ParentPid_Spoofing
 ExpertContext:
     Created: 05.06.2023

diff --git a/..._open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/metainfo.yaml b/..._open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-913584083
+ObjectId: SEC-CR-913584083
 ContentAutoName: Portforward_netsh
 ExpertContext:
     Created: 03.06.2023

diff --git a/...ackage/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/metainfo.yaml b/...ackage/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-496129294
+ObjectId: SEC-CR-496129294
 ContentAutoName: RDP_settings_tampering
 ExpertContext:
     Created: 09.06.2023

diff --git a/...tion_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/metainfo.yaml b/...tion_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-420817287
+ObjectId: SEC-CR-420817287
 ContentAutoName: ReverseShell_created_via_PEInjection
 ExpertContext:
     Created: 06.06.2023

diff --git a/...ge/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/metainfo.yaml b/...ge/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-195011447
+ObjectId: SEC-CR-195011447
 ContentAutoName: Subrule_ParentPid_Spoofing
 ExpertContext:
     Created: 05.06.2023

diff --git a/..._open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/metainfo.yaml b/..._open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-162042829
+ObjectId: SEC-CR-162042829
 ContentAutoName: Suspend_prpcess
 ExpertContext:
     Created: 09.06.2023

diff --git a/...correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/metainfo.yaml b/...correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-205336157
+ObjectId: SEC-CR-205336157
 ContentAutoName: Suspicious_Explorer_Injection
 ExpertContext:
     Created: 05.06.2023

diff --git a/...ges/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/metainfo.yaml b/...ges/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-224304134
+ObjectId: SEC-CR-224304134
 ContentAutoName: Bloodhound
 ExpertContext:
     Created: 02.06.2023

diff --git a/...package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/metainfo.yaml b/...package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-125559457
+ObjectId: SEC-CR-125559457
 ContentAutoName: Enumeration_Users_In_Groups
 ExpertContext:
     Created: 12.06.2023

diff --git a/.../correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/metainfo.yaml b/.../correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-949509640
+ObjectId: SEC-CR-949509640
 ContentAutoName: Local_Groups_Enumeration_Discovery
 ExpertContext:
     Created: 03.06.2023

diff --git a/...ation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/metainfo.yaml b/...ation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-192895047
+ObjectId: SEC-CR-192895047
 ContentAutoName: Detect_execution_imageload_wuauclt_lolbas
 ExpertContext:
     Created: 07.06.2023

diff --git a/...s_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/metainfo.yaml b/...s_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/metainfo.yaml
@@ -18,7 +18,7 @@ ExpertContext:
           EventID:
               - 4103
               - 4104
-ObjectId: LOC-CR-152436010
+ObjectId: SEC-CR-152436010
 EventDescriptions:
     - Criteria: correlation_name = "Schtasks_Commandline"
       LocalizationId: corrname_Schtasks_Commandline

diff --git a/.../windows_open_package/correlation_rules/mitre_attck_execution/SharpNoPSExec/metainfo.yaml b/.../windows_open_package/correlation_rules/mitre_attck_execution/SharpNoPSExec/metainfo.yaml
@@ -16,7 +16,7 @@ ExpertContext:
               - 4657
     Usecases:
         - Атакующие могут модифицировать путь к исполняемому файлу существующей службы Windows для запуска ВПО (например с помощью SharpNoPSExec)
-ObjectId: LOC-CR-249739163
+ObjectId: SEC-CR-249739163
 ContentRelations:
     Implements:
         ATTACK:

diff --git a/...kage/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/metainfo.yaml b/...kage/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-109694263
+ObjectId: SEC-CR-109694263
 ContentAutoName: Start_process_as_vshadow_child
 ExpertContext:
     Created: 05.06.2023

diff --git a/...package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/metainfo.yaml b/...package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-109592014
+ObjectId: SEC-CR-109592014
 ContentAutoName: VSSVC_service_state_changed
 ExpertContext:
     Created: 05.06.2023

diff --git a/...dows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/metainfo.yaml b/...dows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-205452331
+ObjectId: SEC-CR-205452331
 ContentAutoName: XP_Cmdshell_Usage
 ExpertContext:
     Created: 05.06.2023

diff --git a/...ows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/metainfo.yaml b/...ows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/metainfo.yaml
@@ -12,7 +12,7 @@ ExpertContext:
         - Provider: Microsoft-Windows-Sysmon
           EventID:
               - 1
-ObjectId: LOC-CR-655783268
+ObjectId: SEC-CR-655783268
 EventDescriptions:
     - Criteria: correlation_name = "ProxyNotShell" and src.ip = src.host
       LocalizationId: corrname_ProxyNotShell

diff --git a/..._open_package/correlation_rules/mitre_attck_lat_move/Detect_MSHTA_LethalHTA/metainfo.yaml b/..._open_package/correlation_rules/mitre_attck_lat_move/Detect_MSHTA_LethalHTA/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-485903980
+ObjectId: SEC-CR-485903980
 ContentAutoName: Detect_MSHTA_LethalHTA
 ExpertContext:
     Created: 10.06.2023

diff --git a/...ge/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/metainfo.yaml b/...ge/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-173716752
+ObjectId: SEC-CR-173716752
 ContentAutoName: Impacket_WMIExec_Command_Executed
 ExpertContext:
     Created: 14.06.2023

diff --git a/...indows_open_package/correlation_rules/mitre_attck_lat_move/Smbexec_activity/metainfo.yaml b/...indows_open_package/correlation_rules/mitre_attck_lat_move/Smbexec_activity/metainfo.yaml
@@ -28,7 +28,7 @@ ExpertContext:
               - 5145
     Usecases:
         - Атакующие могут использовать инструменты удаленного администрирования для выполнения горизонтального перемещения по сети жертвы
-ObjectId: LOC-CR-186456257
+ObjectId: SEC-CR-186456257
 ContentRelations:
     Implements:
         ATTACK:

diff --git a/..._open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/metainfo.yaml b/..._open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-128702970
+ObjectId: SEC-CR-128702970
 ContentAutoName: Change_wmi_subscription
 ExpertContext:
     Created: 03.06.2023

diff --git a/...n_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/metainfo.yaml b/...n_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-176508511
+ObjectId: SEC-CR-176508511
 ContentAutoName: Create_hidden_local_account
 ExpertContext:
     Created: 08.06.2023

diff --git a/...rrelation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/metainfo.yaml b/...rrelation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-157328435
+ObjectId: SEC-CR-157328435
 ContentAutoName: Create_persist_via_Hidden_Run_key_value
 ExpertContext:
     Created: 12.06.2023

diff --git a/...kage/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/metainfo.yaml b/...kage/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-58748064
+ObjectId: SEC-CR-58748064
 ContentAutoName: Create_persist_via_WinlogonShell
 ExpertContext:
     Created: 02.06.2023

diff --git a/...ules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/metainfo.yaml b/...ules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-384735839
+ObjectId: SEC-CR-384735839
 ContentAutoName: DCSync_prepare_Add_replicatation_rights_to_Account
 ExpertContext:
     Created: 08.06.2023

diff --git a/...ws_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/metainfo.yaml b/...ws_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-142614850
+ObjectId: SEC-CR-142614850
 ContentAutoName: DSRM_Password_Changed
 ExpertContext:
     Created: 11.06.2023

diff --git a/...ation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/metainfo.yaml b/...ation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-823326244
+ObjectId: SEC-CR-823326244
 ContentAutoName: Use_persist_Start_process_via_WinlogonShell
 ExpertContext:
     Created: 02.06.2023
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,4 +14,4 @@ Args: @@
     Tags:
         - system
         - process
-    ObjectId: LOC-RF-35031
+    ObjectId: SEC-RF-35031