From a999be283987f3529a62fd1e7eb0d8d70ec588be Mon Sep 17 00:00:00 2001
From: anaszahid
Date: Sun, 27 Feb 2022 19:07:28 +0300
Subject: [PATCH] Nothing

Nothing
---
 Execution - Suspicious Proccess | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 Execution - Suspicious Proccess

diff --git a/Execution - Suspicious Proccess b/Execution - Suspicious Proccess
new file mode 100644
index 0000000..9ecb124
--- /dev/null
+++ b/Execution - Suspicious Proccess
@@ -0,0 +1,23 @@
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|startswith: 'C:\Users\Public\'
+ CommandLine|contains:
+ - 'powershell'
+ - 'cmd.exe /c '
+ - 'cmd /c '
+ - 'wscript.exe'
+ - 'cscript.exe'
+ - 'bitsadmin'
+ - 'certutil'
+ - 'mshta.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
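Review bot: The rule omits the `title` field that the Sigma specification requires, as well as the `id`, `status`, `description` and `date` metadata that validators and rule repositories expect, so Sigma tooling will reject the file before the detection logic is ever evaluated; add a header such as `title: Suspicious Process Launched From Public Folder`, `id: <uuid-placeholder>` and `status: experimental` above `logsource:`. A `tags` list with `attack.execution` and `attack.t1059` would also give the rule the ATT&CK mapping that the "Execution" prefix in the file name implies. The file name itself ("Execution - Suspicious Proccess", misspelled and without a `.yml` extension) will be skipped by loaders that glob for YAML files, so it should be renamed along the repository's usual `proc_creation_win_*.yml` convention. Because `contains` is substring matching, the unsuffixed `bitsadmin` and `certutil` entries also fire on command lines that merely mention those names, which is tolerable here only because the `ParentImage|startswith` constraint narrows the scope; the `falsepositives` entry should say that rather than `Unknown`.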