From c0138d5ced517d8bd9beb4b79d99df8d8744ead8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 23 Jul 2021 10:39:41 +0200
Subject: [PATCH] add additional filename pattern to HiveNightmare rule

---
 rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml
index 869295a32..46461579e 100644
--- a/rules/windows/file_event/win_hivenightmare_file_exports.yml
+++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml
@@ -7,6 +7,7 @@ date: 2020/07/23
 references:
 - https://github.com/GossiTheDog/HiveNightmare
 - https://github.com/FireFart/hivenightmare/
+ - https://github.com/WiredPulse/Invoke-HiveNightmare
 logsource:
 product: windows
 category: file_event
@@ -20,6 +21,7 @@ detection:
 - '\hive_sam_' # Go version
 - '\SAM-2021-' # C++ version
 - '\SAM-2022-' # C++ version
+ - '\SAM-haxx' # Early C++ versions
 - '\Sam.save' # PowerShell version
 condition: selection
 fields:
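Review bot: The second hunk changes the detection logic by adding the `'\SAM-haxx'` pattern, but the diffstat shows only the two inserted lines, so the rule's `modified:` field is not bumped; Sigma convention is to record a logic change there, e.g. `modified: 2021/07/23` next to the `date:` line (not visible in the hunk, so add it if absent). The `date: 2020/07/23` shown as context in the first hunk header also looks like a year typo given the commit date of 23 Jul 2021 and that the referenced tooling is from 2021; if so it should read `date: 2021/07/23`. The new pattern itself is consistent with its neighbours, which all match on a filename fragment, and the trailing `# Early C++ versions` comment follows the existing per-pattern attribution style.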