From db3ebaf97c4326bac8fe2efea66acd798c704b0e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 23 Dec 2021 08:27:44 +0100
Subject: [PATCH] refactor: added curl.exe to the list
---
 .../process_creation_susp_shell_spawn_by_java.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
index cdd6211d3..def2ed4c0 100644
--- a/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
+++ b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
@@ -4,7 +4,7 @@ description: Detects suspicious shell spawn from Java host process (e.g. log4j e
 status: experimental
 author: Andreas Hunkeler (@Karneades), Florian Roth
 date: 2021/12/17
-modified: 2021/12/18
+modified: 2021/12/22
 tags:
     - attack.initial_access
     - attack.persistence
@@ -35,6 +35,7 @@ detection:
             - '\scriptrunner.exe'
             - '\mftrace.exe'
             - '\AppVLP.exe'
+            - '\curl.exe'
     condition: selection
 falsepositives:
     - Legitimate calls to system binaries
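Review bot: The added `- '\curl.exe'` entry in the second hunk widens a rule whose title and description speak of a "shell spawn" to a non-shell download utility, but neither the description nor the falsepositives list is updated to reflect that. curl.exe ships with current Windows builds and is plausibly launched by legitimate Java-based tooling, so the `falsepositives` section should gain an entry such as `- Legitimate use of curl.exe by Java-based applications (e.g. build or update tooling)` and the description could read `Detects suspicious shell or download-utility spawn from Java host process (e.g. log4j exploitation)`. The commit subject labels this a "refactor", yet it changes detection scope; a subject such as `detection: added curl.exe to the list` would serve changelog readers better. The `selection` block that declares the `Image` matcher these entries belong to starts outside the hunk, so the exact modifier used (presumably `endswith`) is inferred here.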