From c43969770e9a6bc4b30b29212e2ea58a5a90b09c Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 22 Jan 2025 14:47:03 -0500
Subject: [PATCH] Prepend IMPHASH to hash values
---
 .../proc_creation_win_renamed_dctask64.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
index f8d82f84a49..e851300f40c 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/gN3mes1s/status/1222095371175911424
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2020-01-28
-modified: 2024-04-22
+modified: 2025-01-22
 tags:
 - attack.defense-evasion
 - attack.t1036
@@ -23,10 +23,10 @@ logsource:
 detection:
 selection:
 Hashes|contains:
- - '6834B1B94E49701D77CCB3C0895E1AFD' # Imphash
- - '1BB6F93B129F398C7C4A76BB97450BBA' # Imphash
- - 'FAA2AC19875FADE461C8D89DCF2710A3' # Imphash
- - 'F1039CED4B91572AB7847D26032E6BBF' # Imphash
+ - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
+ - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
+ - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
+ - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
 filter_main_legit_name:
 Image|endswith: '\dctask64.exe'
 condition: selection and not 1 of filter_main_*
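Review bot: The `selection` in the second hunk still keys only on the combined `Hashes` string, so log pipelines that expose the import hash as its own field rather than inside `Hashes` would not be matched by this rule; other rules in this corpus appear to pair the `Hashes|contains: 'IMPHASH=...'` list with a parallel `Imphash:` list of the bare values under an OR'd selection, and the same structure could be used here if those sources are in scope (a pre-existing gap rather than one the commit introduces). The prefix itself is a sound tightening: the bare 32-hex values could previously also match an MD5 entry in `Hashes`, so the algorithm tag removes a false-positive path, and dropping the `# Imphash` trailing comments is fine since `IMPHASH=` now documents itself. The remainder of `detection` is unchanged context; the rule's header and `logsource` lie outside the hunk.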