Merge PR #5107 from @mgreen27 - Update `Potential Defense Evasion Via…

… Rename Of Highly Relevant Binaries`

update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Add ie4uinit.exe and msxsl.exe to old binary rename rule

rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml

@@ -21,7 +21,7 @@ references:
     - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
 author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
 date: 2019-06-15
-modified: 2023-08-23
+modified: 2024-12-03
 tags:
     - attack.defense-evasion
     - attack.t1036.003
@@ -40,8 +40,10 @@ detection:
               - 'certutil.exe'
               - 'cmstp.exe'
               - 'cscript.exe'
+              - 'IE4UINIT.EXE'
               - 'mshta.exe'
               - 'msiexec.exe'
+              - 'msxsl.exe'
               - 'powershell_ise.exe'
               - 'powershell.exe'
               - 'psexec.c'        # old versions of psexec (2016 seen)
@@ -59,8 +61,10 @@ detection:
             - '\certutil.exe'
             - '\cmstp.exe'
             - '\cscript.exe'
+            - '\ie4uinit.exe'
             - '\mshta.exe'
             - '\msiexec.exe'
+            - '\msxsl.exe'
             - '\powershell_ise.exe'
             - '\powershell.exe'
             - '\psexec.exe'