From bdf44be077e341ab436d26110ba8e90c8a51109a Mon Sep 17 00:00:00 2001
From: vburov
Date: Fri, 22 Feb 2019 22:46:57 +0300
Subject: [PATCH 1/2] Update win_susp_process_creations.yml

---
 rules/windows/builtin/win_susp_process_creations.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
index 91da05841..dbc2a7705 100644
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
@@ -14,6 +14,7 @@ references:
 - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
 - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
 - https://twitter.com/vector_sec/status/896049052642533376
+ - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
 author: Florian Roth
 modified: 2018/12/11
 detection:
@@ -134,3 +135,6 @@ detection:
 - '*AddInProcess*' # NotPowershell (nps) attack
 # - '*msbuild*' # too many false positives
+ # Keyloggers and Password-Stealers abusing NirSoft tools(Limitless Logger, Predator Pain, HawkEye Keylogger, iSpy Keylogger, KeyBase Keylogger)
+ - '* /stext *'
+ - '* /scomma *'

From 5c63ef17d29a12fe7634df57aa982dbf98204222 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 22 Feb 2019 21:15:03 +0100
Subject: [PATCH 2/2] Added further NirSoft tool parameters

---
 rules/windows/builtin/win_susp_process_creations.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
index dbc2a7705..3dfd6c0ab 100644
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
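Review bot: The rule's `modified:` field, visible as context in the first hunk as `modified: 2018/12/11`, is not bumped even though the second hunk changes the detection logic by adding the `/stext` and `/scomma` patterns; downstream users presumably rely on that date to notice rule changes, so it should carry the commit date, e.g. `modified: 2019/02/22`. The same omission applies to the hunk in the second patch, which extends the same list. The added comment would also benefit from saying why every pattern ends in a space: the NirSoft save switches are followed by an output file path, so `'* /stext *'` deliberately requires an argument after the switch — `# NirSoft save switches take an output path argument, hence the trailing space in each pattern`. The list these entries extend starts outside the hunk, so whether it already holds related patterns cannot be checked here.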
@@ -138,3 +138,8 @@ detection:
 # Keyloggers and Password-Stealers abusing NirSoft tools(Limitless Logger, Predator Pain, HawkEye Keylogger, iSpy Keylogger, KeyBase Keylogger)
 - '* /stext *'
 - '* /scomma *'
+ - '* /stab *'
+ - '* /stabular *'
+ - '* /shtml *'
+ - '* /sverhtml *'
+ - '* /sxml *'
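Review bot: The new `/stab`, `/stabular`, `/shtml`, `/sverhtml` and `/sxml` patterns match any process whose command line carries that switch between spaces, not only NirSoft binaries, which is the same breadth as the `/stext` and `/scomma` entries above them but is recorded nowhere in the rule's documentation; the `falsepositives:` section (outside this hunk, so its current wording cannot be checked here) should name administrative use of NirSoft utilities so analysts tuning the rule know what to expect. The inherited comment line above the new entries runs well past 120 characters; splitting it into `# Keyloggers and Password-Stealers abusing NirSoft tools` and `# (Limitless Logger, Predator Pain, HawkEye Keylogger, iSpy Keylogger, KeyBase Keylogger)` keeps yamllint's line-length check quiet and fixes the missing space before the parenthesis. The list these entries extend starts outside the hunk, and its field name (presumably the command line) is not visible here.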