From 640b86ddaab760fea414664b1f579f47305f5fc9 Mon Sep 17 00:00:00 2001 From: Bert-Janp Date: Mon, 29 Jan 2024 19:54:38 +0100 Subject: [PATCH] Update PRs m4nbat --- ...er_abuse conditional_access_trusted_locations.md | 0 MITRE ATT&CK/Mapping.md | 6 ++++-- README.md | 13 ++++++++----- .../TI Feed - ipfs_phishing.md | 0 4 files changed, 12 insertions(+), 7 deletions(-) rename {Defender For Endpoint => Azure Active Directory}/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md (100%) rename Defender For Endpoint/nf_ttp_t1566-001_ipfs_phishing.md => Threat Hunting/TI Feed - ipfs_phishing.md (100%) diff --git a/Defender For Endpoint/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md b/Azure Active Directory/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md similarity index 100% rename from Defender For Endpoint/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md rename to Azure Active Directory/nf_ttp_t1562.001_scattered-spider_abuse conditional_access_trusted_locations.md diff --git a/MITRE ATT&CK/Mapping.md b/MITRE ATT&CK/Mapping.md index d7a2d07..c0d480b 100644 --- a/MITRE ATT&CK/Mapping.md +++ b/MITRE ATT&CK/Mapping.md @@ -9,9 +9,9 @@ This section only includes references to queries that can be mapped in the MITRE | --- | --- | | Initial Access | 11 | | Execution | 4 | -| Persistence | 9 | +| Persistence | 10 | | Privilege Escalation | 4 | -| Defense Evasion | 14 | +| Defense Evasion | 15 | | Credential Access | 5 | | Discovery | 18 | | Lateral Movement | 1 | 
@@ -55,6 +55,7 @@ This section only includes references to queries that can be mapped in the MITRE | T1078.004 | Valid Accounts: Cloud Accounts | [Cloud Persistence Activity By User AtRisk](../Azure%20Active%20Directory/CloudPersistenceActivityByUserAtRisk.md)| | T1137 | Office Application Startup | [ASR Executable Office Content](../Defender%20For%20Endpoint/ASR%20Rules/AsrExecutableOfficeContent.md) | | T1505.003 | Server Software Component: Web Shell | [WebShell Detection](../Defender%20For%20Endpoint/WebshellDetection.md) | +| T1543 | Create or Modify System Process | [Azure ARC Related Persistence Detection](../Defender%20For%20Endpoint/nf_ttp_t1543_scattered-spider_azure_arc_persistence.md) | | T1556 | Modify Authentication Process | [Deletion Conditional Access Policy](../Azure%20Active%20Directory/ConditionalAccess%20-%20DeletePolicy.md) | | T1556 | Modify Authentication Process | [Change Conditional Access Policy](../Azure%20Active%20Directory/ConditionalAccess%20-%20ChangePolicy.md) | 
@@ -84,6 +85,7 @@ This section only includes references to queries that can be mapped in the MITRE | T1218.010 | System Binary Proxy Execution: Regsvr32 | [Regsvr32 Started as Office Child](../Defender%20For%20Endpoint/Regsvr32StartedByOfficeApplication.md) | | T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | [Hunt for rare ISO files](../Defender%20For%20Endpoint/RareISOFile.md)| | T1562.001 | Impair Defenses: Disable or Modify Tools | [Abusing PowerShell to disable Defender components](../Defender%20For%20Endpoint/ttp_t1562-001_disabledefender.md)| +| T1562.001 | Impair Defenses: Disable or Modify Tools | [Scattered Spider Defense Evasion via Conditional Access Policies Detection](../Azure%20Active%20Directory/nf_ttp_t1562.001_scattered-spider_abuse%20conditional_access_trusted_locations.md) | | T1562.010 | Impair Defenses: Downgrade Attack | [Potential Kerberos Encryption Downgrade](../Defender%20For%20Identity/PotentialKerberosEncryptionDowngrade.md) | ## Credential Access diff --git a/README.md b/README.md index d9cdae1..8e47f64 100644 --- a/README.md +++ b/README.md @@ -69,11 +69,14 @@ Everyone can submit contributions to this repository via a Pull Request. If you ## Top contributors | Name | Queries added | GitHub | Twitter | Query Links | |------|---------------|--------|---------| ---------| -| [Gavin Knapp](https://www.linkedin.com/in/grjk83/) | 5 | [@m4nbat](https://github.com/m4nbat) | [@knappresearchlb](https://twitter.com/knappresearchlb) |
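Review bot: in the first rename the new filename still carries a literal space between `abuse` and `conditional_access`, which looks like a typo for an underscore given the `nf_ttp_t1562.001_scattered-spider_…` pattern used by the other detection files; since the file is being moved anyway, this is the moment to drop the space (the `%20` inside the Mapping.md link would go with it). The second rename moves the ipfs phishing query to `Threat Hunting/TI Feed - ipfs_phishing.md`, but no Mapping.md or README hunk in this patch touches a link to the old `Defender For Endpoint/nf_ttp_t1566-001_ipfs_phishing.md` path, so confirm nothing still references it before merging.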
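Review bot: the tactic tallies in the first Mapping.md hunk are hand-edited (Persistence 9 to 10, Defense Evasion 14 to 15) and nothing enforces that they track the table; they do line up with the one Persistence row (T1543) and one Defense Evasion row (T1562.001) added further down in the same file, but a short comment above the tally table saying it must be bumped whenever a row is added would save the next contributor from drifting it.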
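Review bot: the new T1543 row links to `../Defender%20For%20Endpoint/nf_ttp_t1543_scattered-spider_azure_arc_persistence.md`, a file that this patch neither adds nor renames, so verify it already exists at that path or the mapping table gains a dead link. Two smaller points on the same line: the neighbouring rows use sub-technique IDs (T1078.004, T1505.003), so if the query targets a specific service or agent type, the matching T1543 sub-technique would be more precise than the parent; and the product name is spelled "Azure Arc", not "Azure ARC".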
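Review bot: the added T1562.001 row maps a query about Conditional Access trusted locations to "Impair Defenses: Disable or Modify Tools", yet the table already maps the other two Conditional Access policy queries (Deletion and Change Conditional Access Policy) to T1556 "Modify Authentication Process"; either the mapping should be consistent with those rows or the rationale for treating trusted-location abuse as tool tampering rather than authentication-process modification belongs in the query file. Duplicate technique IDs are fine here (T1556 already appears twice), so an additional T1556 row for this query is an option. The link path correctly reflects the rename into `Azure Active Directory`.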
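Review bot: the README hunk is cut off on this page after the removed contributor row `| [Gavin Knapp](https://www.linkedin.com/in/grjk83/) | 5 | [@m4nbat](https://github.com/m4nbat) | ...`, while the diffstat records 8 insertions and 5 deletions for README.md, so the replacement rows cannot be reviewed here; when checking the full hunk, make sure the updated query count for @m4nbat matches the queries actually credited in this PR (the T1543 and T1562.001 rows added to Mapping.md) and that the Query Links column points at the post-rename paths under `Azure Active Directory` and `Threat Hunting`.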