Prepend IMPHASH to hash values

SigmaHQ · Jan 22, 2025 · c439697 · c439697
1 parent bb7786f
commit c439697
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -10,7 +10,7 @@ references:
     - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-01-28
-modified: 2024-04-22
+modified: 2025-01-22
 tags:
     - attack.defense-evasion
     - attack.t1036
@@ -23,10 +23,10 @@ logsource:
 detection:
     selection:
         Hashes|contains:
-            - '6834B1B94E49701D77CCB3C0895E1AFD' # Imphash
-            - '1BB6F93B129F398C7C4A76BB97450BBA' # Imphash
-            - 'FAA2AC19875FADE461C8D89DCF2710A3' # Imphash
-            - 'F1039CED4B91572AB7847D26032E6BBF' # Imphash
+            - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
+            - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
+            - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
+            - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
     filter_main_legit_name:
         Image|endswith: '\dctask64.exe'
     condition: selection and not 1 of filter_main_*