alert:
- debug
description: Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
filter:
- query:
    query_string:
      query: (data.win.eventdata.commandLine.keyword:*regsvr32* AND data.win.eventdata.commandLine.keyword:*\ \/s\ \/i\ * AND data.win.eventdata.commandLine.keyword:*\\AppData\\Roaming\\* AND data.win.eventdata.commandLine.keyword:*.ocx*)
index: wazuh-alerts-3.x-*
name: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0_0
priority: 1
realert:
  minutes: 0
type: any