From 79f6b200cc6f7f67a25d723e1b54b1a4a005cd7e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 16 Jul 2022 19:54:16 +0200 Subject: [PATCH 1/2] Add csrstub.exe --- .../proc_creation_win_susp_16bit_application.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml index a212e029d..07f7af483 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml @@ -4,15 +4,20 @@ status: experimental description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications author: frack113 references: - - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/ - https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support + - https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7 + - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/ + - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/ date: 2022/07/16 +modified: 2022/04/16 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\ntvdm.exe' + Image|endswith: + - '\ntvdm.exe' + - '\csrstub.exe' condition: selection falsepositives: - Legitimate use From f161f6d051d9b84a4df2ab55f43ac9803631fc59 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 16 Jul 2022 20:56:13 +0200 Subject: [PATCH 2/2] Fix modified --- .../proc_creation_win_susp_16bit_application.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml index 07f7af483..af19982e2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml @@ -9,7 +9,7 @@ references: - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/ - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/ date: 2022/07/16 -modified: 2022/04/16 +modified: 2022/07/16 logsource: category: process_creation product: windows
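Review bot: in the first hunk, `+modified: 2022/04/16` is earlier than the unchanged `date: 2022/07/16`, so the modified date cannot be correct; it should be the date of this change. The description on the same hunk's context line still explains only Ntvdm.exe, while the selection now also matches `- '\csrstub.exe'`; add a sentence on what csrstub.exe is and why its execution is worth alerting on, so an analyst triaging a hit on the new value understands the rationale. The added support.microsoft.com reference uses the fr-fr locale; the en-us variant would suit an English-language rule set better.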
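Review bot: in the second hunk, `+modified: 2022/07/16` now equals `date: 2022/07/16`, which resolves the inconsistency from the first patch; since the rule was created and changed on the same day, the modified field carries no extra information and could be left out until a later revision, but keeping it is harmless.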