From dbb054777aef25c526df5d40e20e96ea9a37a2e4 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Sat, 28 Nov 2020 12:02:16 +0100
Subject: [PATCH] Update win_plugx_susp_exe_locations.yml
---
 .../win_plugx_susp_exe_locations.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 2f7c1cd98..ffc3f0ac4 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -7,6 +7,7 @@ references:
 - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 author: Florian Roth
 date: 2017/06/12
+modified: 2020/11/28
 tags:
 - attack.s0013
 - attack.defense_evasion
@@ -85,7 +86,18 @@ detection:
 - '\Windows Kit'
 - '\Windows Resource Kit\'
 - '\Microsoft.NET\'
- condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
+ condition: ( selection_cammute and not filter_cammute ) or
+ ( selection_chrome_frame and not filter_chrome_frame ) or
+ ( selection_devemu and not filter_devemu ) or
+ ( selection_gadget and not filter_gadget ) or
+ ( selection_hcc and not filter_hcc ) or
+ ( selection_hkcmd and not filter_hkcmd ) or
+ ( selection_mc and not filter_mc ) or
+ ( selection_msmpeng and not filter_msmpeng ) or
+ ( selection_msseces and not filter_msseces ) or
+ ( selection_oinfo and not filter_oinfo ) or
+ ( selection_oleview and not filter_oleview ) or
+ ( selection_rc and not filter_rc )
 fields:
 - CommandLine
 - ParentCommandLine
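Review bot: Whether the twelve added continuation lines still form one `condition` value depends on indentation that the collapsed hunk does not show: each `( selection_* and not filter_* ) or` line must be indented deeper than the `condition:` key, otherwise the YAML parser ends the scalar after the first `or` and fails on the next line instead of folding it. With that indentation the breaks fold into single spaces, so the expression is the same as the removed one-line form and the rule's matching behaviour is unchanged. Loading the rule through the project's converter once after the change would confirm it parses. The `detection` block, including the selections and filters the condition references, starts before this hunk.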