From c7a3834070c57d9a3ee0d03d364a29c626b1083d Mon Sep 17 00:00:00 2001
From: megan201296
Date: Mon, 11 Apr 2022 10:56:03 -0500
Subject: [PATCH] Change ATT&CK technique

Per source reference, the ADS rule is T1564.004 BUT copying/downloading files is T1105 (hwich in turn is C&C, not defense evasion"
---
 .../process_creation/proc_creation_win_lolbas_extrac32.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml
index 2239e1ca9..30df2ca7f 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml
@@ -5,8 +5,8 @@ description: Download or Copy file with Extrac32
 references:
   - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
 tags:
-  - attack.defense_evasion
-  - attack.t1564.004
+  - attack.command_and_control
+  - attack.t1105
 author: frack113
 date: 2021/11/26
 logsource:
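Review bot: The new tag lines replace attack.defense_evasion / attack.t1564.004 rather than adding attack.command_and_control / attack.t1105 beside them, even though the commit message itself says the ADS use of this binary is T1564.004 and the hunk header still describes the rule as "Download or Copy file with Extrac32". If the detection block (outside this hunk) still matches the ADS copy form as well as the download form, both technique pairs should stay, so I would re-add `  - attack.defense_evasion` and `  - attack.t1564.004` under `tags:` next to the two new lines; if the detection only covers download/copy-to-disk, the description should be narrowed to match the single technique instead. A rule mapped to one tactic only will be filed under that tactic in coverage views, so dropping a tag silently removes the ADS case from defense-evasion coverage. Separately, `date: 2021/11/26` is followed directly by `logsource:` with no `modified:` entry; Sigma convention expects a `modified:` line after `date:` whenever an existing rule's content changes, which appears to be missing here.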