From 953e25b4ecb0036bee551c94ab6723cdb9d023f3 Mon Sep 17 00:00:00 2001
From: Daniel Koifman
Date: Thu, 5 Dec 2024 16:22:05 +0200
Subject: [PATCH 1/2] Update proc_creation_win_susp_service_tamper.yml

---
 .../proc_creation_win_susp_service_tamper.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
index d363c1c4fb9..fbd6bb64280 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -22,6 +22,7 @@ modified: 2024-10-21
 tags:
 - attack.defense-evasion
 - attack.t1489
+ - attack.t1562.001
 logsource:
 category: process_creation
 product: windows
@@ -148,6 +149,7 @@ detection:
 - 'mfewc'
 - 'MMS'
 - 'mozyprobackup'
+ - 'mpssvc'
 - 'MSComplianceAudit'
 - 'MSDTC'
 - 'MsDtsServer'
@@ -235,6 +237,7 @@ detection:
 - 'swi_service'
 - 'swi_update'
 - 'Symantec'
+ - 'sysmon'
 - 'TeamViewer'
 - 'Telemetryserver'
 - 'ThreatLockerService'
@@ -277,6 +280,7 @@ detection:
 - 'WRSVC'
 - 'wsbexchange'
 - 'WSearch'
+ - 'wscsvc'
 - 'Zoolz 2 Service'
 condition: all of selection_*
 falsepositives:

From 8941d75afcc12bd6c91b94474b9ee0e92cf2953c Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 14 Dec 2024 08:26:55 +0100
Subject: [PATCH 2/2] Update proc_creation_win_susp_service_tamper.yml

---
 .../process_creation/proc_creation_win_susp_service_tamper.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
index fbd6bb64280..9462db7dd7b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
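Review bot: The new `'mpssvc'` entry, and `'wscsvc'` added in the last hunk of this patch, name built-in Windows security services (Defender Firewall and Security Center) that administrators and deployment scripts do stop or reconfigure legitimately, for example while installing third-party endpoint software, and the commit does not reflect that in the rule's false-positive documentation. The `falsepositives:` block starts on the last context line of the final hunk and continues outside it, so the addition belongs there; something like `- Administrators or deployment scripts stopping built-in Windows security services (mpssvc, wscsvc) while installing or replacing endpoint software` would tell analysts what benign activity to expect from these two strings. The other service names in the list are third-party products where such stops are rarer, which is presumably why no such note existed before.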
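Review bot: The `'sysmon'` entry only covers Sysmon installations that kept the default service name; the service and driver names are configurable at install time, and hardening guidance commonly recommends changing them, so a renamed deployment produces a command line this string never matches. That is a coverage limit rather than a bug, but it should be recorded next to the entry so nobody reads the rule as protecting every Sysmon deployment, e.g. `- 'sysmon'  # default service name only; installations with a custom service name are not covered`. If the selection this list belongs to uses a `contains` modifier (the selection header is outside the hunk, so this is inferred), the same string will also match variants such as `sysmon64`, which is reasonable but worth stating deliberately in the description.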
@@ -18,7 +18,7 @@ references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
 date: 2022-09-01
-modified: 2024-10-21
+modified: 2024-12-14
 tags:
 - attack.defense-evasion
 - attack.t1489