From a17364104b7a16190c2ef3958efd36463ff1c48f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 11 Jul 2022 12:52:06 +0200
Subject: [PATCH] refactor: Follina patterns

---
 .../proc_creation_win_sdiagnhost_susp_child.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
index 5cc19de91..c4b5c52b6 100644
--- a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
@@ -6,7 +6,10 @@ author: Nextron Systems
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
+ - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
+ - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
 date: 2022/06/01
+modified: 2022/07/11
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -24,6 +27,8 @@ detection:
 - '\cscript.exe'
 - '\wscript.exe'
 - '\taskkill.exe'
+ - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
+ - '\calc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
 condition: selection
 falsepositives:
 - Unknown
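Review bot: Adding `\csc.exe` to the child-process list in the second hunk widens the rule while `falsepositives` stays at `Unknown`; csc.exe is also what PowerShell spawns to compile `Add-Type` code, so if a legitimate troubleshooting pack run by sdiagnhost does that, this entry will fire on benign activity and that should be stated rather than left as unknown. Whether the selection also constrains the parent image, and which field the `endswith` list applies to, is outside the hunk, so the actual false-positive surface cannot be judged from here. `\calc.exe` is the classic proof-of-concept payload rather than an attacker technique, which is worth saying in its trailing comment, e.g. `- '\calc.exe' # PoC payload seen in sandbox runs, see the any.run task above`. I would replace `- Unknown` with a concrete, verifiable statement such as `- Legitimate troubleshooting packs that compile PowerShell Add-Type code via csc.exe (to be confirmed)`, and note that the newly referenced task c4117d9a... is not tied to either new entry while both cite the f420d295... task.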