From ea1b2ae59f2ec4f554a505ee2315a726ca4e6dac Mon Sep 17 00:00:00 2001
From: Aidan Bracher <adbracher@outlook.com>
Date: Sat, 18 Jul 2020 02:30:53 +0100
Subject: [PATCH] Updated invoke_phantom with sub-technique mapping

---
 rules/windows/process_access/sysmon_invoke_phantom.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index c90377b16..fd32409c6 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -9,6 +9,7 @@ references:
     - https://twitter.com/timbmsft/status/900724491076214784
 tags:
     - attack.t1089
+    - attck.t1562.001
     - attack.defense_evasion
 logsource:
     category: process_access