Bump contentctl.yml to 5.20.0 (#3829)

* chore: bump contentctl.yml to 5.20.0

* move removed detections

---------

Co-authored-by: research bot <[email protected]>

Author: patel-bhavin

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.19.0
+  version: 5.20.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU

…ted/curl_download_and_bash_execution.yml …ons/curl_download_and_bash_execution.ymldetections/deprecated/curl_download_and_bash_execution.yml renamed to removed/detections/curl_download_and_bash_execution.yml detections/deprecated/curl_download_and_bash_execution.yml renamed to removed/detections/curl_download_and_bash_execution.yml

@@ -3,7 +3,7 @@ id: 900bc324-59f3-11ec-9fb4-acde48001122
 version: 10
 date: '2025-10-16'
 author: Michael Haag, Splunk, DipsyTipsy
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects the use of curl on Linux or MacOS systems
   to download a file from a remote source and pipe it directly to bash for execution.

…deprecated/linux_java_spawning_shell.yml …detections/linux_java_spawning_shell.ymldetections/deprecated/linux_java_spawning_shell.yml renamed to removed/detections/linux_java_spawning_shell.yml detections/deprecated/linux_java_spawning_shell.yml renamed to removed/detections/linux_java_spawning_shell.yml

@@ -3,7 +3,7 @@ id: 7b09db8a-5c20-11ec-9945-acde48001122
 version: 10
 date: '2025-10-25'
 author: Michael Haag, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects instances where Java, or Tomcat
   processes spawn a Linux shell, which may indicate exploitation attempts, such as

…tions/deprecated/w3wp_spawning_shell.yml …moved/detections/w3wp_spawning_shell.ymldetections/deprecated/w3wp_spawning_shell.yml renamed to removed/detections/w3wp_spawning_shell.yml detections/deprecated/w3wp_spawning_shell.yml renamed to removed/detections/w3wp_spawning_shell.yml

@@ -3,7 +3,7 @@ id: 0f03423c-7c6a-11eb-bc47-acde48001122
 version: 11
 date: '2025-10-16'
 author: Michael Haag, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic identifies instances where a shell (PowerShell.exe
   or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages

…ted/wget_download_and_bash_execution.yml …ons/wget_download_and_bash_execution.ymldetections/deprecated/wget_download_and_bash_execution.yml renamed to removed/detections/wget_download_and_bash_execution.yml detections/deprecated/wget_download_and_bash_execution.yml renamed to removed/detections/wget_download_and_bash_execution.yml

@@ -3,7 +3,7 @@ id: 35682718-5a85-11ec-b8f7-acde48001122
 version: 10
 date: '2025-10-16'
 author: Michael Haag, Splunk, DipsyTipsy
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects the use of wget on Windows, Linux or MacOS
   to download a file from a remote source and pipe it to bash. This detection leverages

…ed/windows_default_rdp_file_creation.yml …ns/windows_default_rdp_file_creation.ymldetections/deprecated/windows_default_rdp_file_creation.yml renamed to removed/detections/windows_default_rdp_file_creation.yml detections/deprecated/windows_default_rdp_file_creation.yml renamed to removed/detections/windows_default_rdp_file_creation.yml

@@ -3,7 +3,7 @@ id: 00ab0805-4b0f-489f-8eda-ee3de5ed5b1c
 version: 2
 date: '2025-10-27'
 author: Teoderick Contreras, Splunk
-status: deprecated
+status: removed
 type: Anomaly
 description: This detection monitors the creation or modification of the Default.rdp file, typically found in the user's Documents folder. This file is automatically generated or updated by the Remote Desktop Connection client (mstsc.exe) when a user initiates an RDP session. It stores connection settings such as the last-used hostname, screen size, and other preferences. The presence or update of this file strongly suggests that an RDP session has been launched from the system. Since this file is commonly overlooked, it can serve as a valuable artifact in identifying remote access activity, including potential lateral movement or attacker-controlled sessions.
 data_source:

…recated/windows_java_spawning_shells.yml …ections/windows_java_spawning_shells.ymldetections/deprecated/windows_java_spawning_shells.yml renamed to removed/detections/windows_java_spawning_shells.yml detections/deprecated/windows_java_spawning_shells.yml renamed to removed/detections/windows_java_spawning_shells.yml

@@ -3,7 +3,7 @@ id: 28c81306-5c47-11ec-bfea-acde48001122
 version: 12
 date: '2025-10-25'
 author: Michael Haag, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic identifies instances where java.exe or w3wp.exe
   spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages

…prsve_lolbas_execution_process_spawn.yml …prsve_lolbas_execution_process_spawn.ymldetections/deprecated/wmiprsve_lolbas_execution_process_spawn.yml renamed to removed/detections/wmiprsve_lolbas_execution_process_spawn.yml detections/deprecated/wmiprsve_lolbas_execution_process_spawn.yml renamed to removed/detections/wmiprsve_lolbas_execution_process_spawn.yml

@@ -3,7 +3,7 @@ id: 95a455f0-4c04-11ec-b8ac-3e22fbd008af
 version: 7
 date: '2025-10-21'
 author: Mauricio Velazco, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution
   process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing