From eba2f3b68fd5ef9fd066c468dd474ca3a3827f4b Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 30 Oct 2021 17:28:07 +0200
Subject: [PATCH] add temp folder

---
 .../windows/registry_event/sysmon_susp_run_key_img_folder.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
index af430e49a..1bbe17aec 100755
--- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -10,7 +10,7 @@ tags:
     - attack.t1060 # an old one
     - attack.t1547.001
 date: 2018/08/25
-modified: 2020/09/06
+modified: 2021/10/30
 logsource:
     category: registry_event
     product: windows
@@ -27,6 +27,7 @@ detection:
             - 'C:\Users\Public\'
             - 'C:\Users\Default\'
             - 'C:\Users\Desktop\'
+            - '\AppData\Local\Temp\'
         - Details|startswith:
             - '%Public%\'
             - 'wscript'
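Review bot: The new `'\AppData\Local\Temp\'` entry only matches the expanded path form, so a Run value written as an environment-variable string (e.g. `%TEMP%\payload.exe` or `%TMP%\...`, which as far as I know Sysmon records unexpanded in `Details` for REG_EXPAND_SZ values) still slips past this rule even though the commit title says it is adding the temp folder. The `Details|startswith` list visible in this hunk already takes that shape for `'%Public%\'`, so the natural complement is `- '%TEMP%\'` and `- '%TMP%\'` added to that list. The `Details|contains` list the new line is appended to starts above the hunk; if an earlier entry is a broader substring such as `'\AppData\'`, the new value is subsumed by it and changes nothing, which is worth checking before merging. The first hunk only bumps `modified`, which is fine, but a one-line note in the description or a test case for the new path would make the intent of the change traceable.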