From 8506dcaec8961896beac8f8b1c71ad7161d0d044 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 14 Feb 2023 23:34:14 +0100
Subject: [PATCH] feat: add related field

---
 .../process_creation/proc_creation_win_wmic_recon_service.yml | 3 +++
 .../proc_creation_win_wmic_recon_unquoted_service_search.yml | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
index dc0a3aee5..5923ab0e3 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
@@ -1,5 +1,8 @@
 title: Service Reconnaissance Via Wmic.EXE
 id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
+related:
+ - id: 68bcd73b-37ef-49cb-95fc-edc809730be6
+ type: similar
 status: experimental
 description: |
 An adversary might use WMI to check if a certain Remote Service is running on a remote device.
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
index 96ef6cab4..45d72267b 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
@@ -3,6 +3,8 @@ id: 68bcd73b-37ef-49cb-95fc-edc809730be6
 related:
 - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
 type: similar
+ - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
+ type: similar
 status: experimental
 description: Detects known wmi recon method to look for unquoted service paths using wmic. Often used by pentesters and attackers enumeration scripts
 references:
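Review bot: The new `related` entry in proc_creation_win_wmic_recon_service.yml is a bare UUID with no hint of what it points to, whereas the sibling file in this same patch annotates its related ids with an inline comment (`# PowerShell Variant`); a reader of this rule has to open a second file to learn that 68bcd73b is the unquoted-service-path search variant. For consistency I would write `- id: 68bcd73b-37ef-49cb-95fc-edc809730be6 # Unquoted Service Path Search Variant` (wording taken from that rule's description, so adjust to its actual title). Separately, if this rule carries a `modified` field further down (outside the hunk), metadata additions like this normally warrant bumping it so downstream consumers pick up the change.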
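Review bot: The appended `related` entry in proc_creation_win_wmic_recon_unquoted_service_search.yml lacks the inline comment that the existing entry directly above it uses (`# PowerShell Variant`), so the list is now inconsistently documented within the same block. Since the first hunk shows the target rule's title, the annotation can be exact: `- id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae # Service Reconnaissance Via Wmic.EXE`. The `related` block here begins before the hunk's first context line, and the `modified` field, if present, is outside the hunk; it would presumably need updating alongside this change.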