From 7b435afa4dfb5466effd1bcaa6c18b378fb7771e Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Sat, 11 Feb 2023 23:04:18 +0500
Subject: [PATCH] feat: add missing `OriginalFileName` field

---
 .../process_creation/proc_creation_win_hktl_koadic.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml b/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml
index 5f136938b..1e1dde1af 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml
@@ -8,7 +8,7 @@ references:
     - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
 author: wagga, Jonhnathan Ribeiro, oscd.community
 date: 2020/01/12
-modified: 2023/02/04
+modified: 2023/02/11
 tags:
     - attack.execution
     - attack.t1059.003
@@ -18,13 +18,15 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\cmd.exe'
+    selection_img:
+        - Image|endswith: '\cmd.exe'
+        - OriginalFileName: 'Cmd.Exe'
+    selection_cli:
         CommandLine|contains|all:
             - '/q'
             - '/c'
             - 'chcp'
-    condition: selection
+    condition: all of selection_*
 fields:
     - CommandLine
     - ParentCommandLine
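Review bot: The intent of the two-entry list under `selection_img` (Image path OR `OriginalFileName`, so a renamed cmd.exe is still caught on sources that carry the PE original name) is not recorded in the rule; a short YAML comment on the `OriginalFileName: 'Cmd.Exe'` line, `# OR'd with Image: also catches a renamed cmd.exe where the source populates OriginalFileName (e.g. Sysmon EID 1)`, would keep a later edit from collapsing the list back into a single mapping, which would AND the two fields and silently stop matching. The rule's description and falsepositives sections sit outside the hunk, so whether they mention the renamed-binary case cannot be seen here. `condition: all of selection_*` still requires both the image and the command-line selection, so the change does not loosen the rule beyond the added OriginalFileName alternative.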