
Add proc_creation_win_parent_run_itself

Open · frack113 opened this issue 11 months ago · 1 comment

Summary of the Pull Request

In many sandbox results, a malicious executable runs itself. The new process is launched suspended, but this information did exist in the process_creation logsource.

Changelog

new: Executable Run Itself

Example Log Event

As I dig through sandbox results I get no log; another one: https://app.any.run/tasks/54200f3c-8172-493c-b574-005e66b2c20c

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

frack113 · Feb 04 '25 18:02
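As an added illustration, not code from the PR or from the SigmaHQ repository, this is the condition the proposed rule expresses (parent image equals child image) evaluated in Python over constructed Sysmon-style process_creation events; the field names follow Sysmon Event ID 1 and every sample event is made up for the example.

```python
"""Parent-runs-itself check over Sysmon-style process_creation events."""
from pathlib import PureWindowsPath

# Constructed sample events using Sysmon Event ID 1 field names (not real logs).
SAMPLE_EVENTS = [
    # Dropper re-launching its own image: the pattern the rule is meant to catch.
    {"Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Temp\dropper.exe"'},
    # Ordinary parent/child relationship: must not match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Same file, but casing and slashes differ between the two fields.
    {"Image": "c:/tools/UPDATER.EXE",
     "ParentImage": r"C:\Tools\updater.exe",
     "CommandLine": "updater.exe --child"},
    # Same file name in a different directory: a different binary, no match.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Temp\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def normalize_path(path: str) -> str:
    """Windows paths are case-insensitive; compare lowercased, backslash forms."""
    return str(PureWindowsPath(path)).lower()


def parent_runs_itself(event: dict) -> bool:
    """True when the new process image is the same file as its parent's image.

    The process_creation logsource carries no 'created suspended' flag, so the
    rule can only key on image equality, not on the creation flags.
    """
    image, parent = event.get("Image"), event.get("ParentImage")
    if not image or not parent:
        return False
    return normalize_path(image) == normalize_path(parent)


def find_self_spawns(events: list) -> list:
    """Return the events where the parent launched its own executable."""
    return [e for e in events if parent_runs_itself(e)]
```

Comparing the full normalized path rather than the bare file name keeps a lookalike binary in another directory from being treated as the same executable.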

Can you please add more context in the description of why this is important or suspicious and what it could mean.

nasbench · Feb 04 '25 20:02