From 7c9be6da32ecb4e1cf276ad3259595cf3f9154c0 Mon Sep 17 00:00:00 2001
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com>
Date: Thu, 9 Sep 2021 21:24:05 -0600
Subject: [PATCH] Resolved more issues from last commit as per comments

Added the following fixes to text inside the rule:
date
attack.defense_evasion
added custome id
---
 ...itor_LOLBins_Process_Creations_by_Office_applications.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
index 896585ff3..70e697925 100644
--- a/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
+++ b/rules/windows/sysmon/Monitor_LOLBins_Process_Creations_by_Office_applications.yml
@@ -1,4 +1,5 @@
 title: LOLBins Process Created With Office Application
+id: 7ce4d5ba-11e6-11ec-82a8-0242ac130003
 description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. 
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
@@ -9,9 +10,9 @@ tags:
     - attack.t1047
     - attack.t1218.010
     - attack.execution
-    - attack.defence_evasion
+    - attack.defense_evasion
 status: experimental
-Date: 2021/08/23
+date: 2021/08/23
 logsource:
   product: Windows
   category: process_creation