From 757ef5c67c5a40fa57794cd445c0e734c62b7954 Mon Sep 17 00:00:00 2001
From: David Sarkisyan <281478990+srkyn@users.noreply.github.com>
Date: Fri, 22 May 2026 11:33:09 -0400
Subject: [PATCH 1/2] Fix regsvr32 typo in ADS process detection

---
 .../windows_alternate_datastream___process_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/endpoint/windows_alternate_datastream___process_execution.yml b/detections/endpoint/windows_alternate_datastream___process_execution.yml
index 1cb8d9ddb3..01b8479975 100644
--- a/detections/endpoint/windows_alternate_datastream___process_execution.yml
+++ b/detections/endpoint/windows_alternate_datastream___process_execution.yml
@@ -26,7 +26,7 @@ search: |-
 "powershell.exe",
 "pwsh.exe",
 "regini.exe",
- "regscr32.exe",
+ "regsvr32.exe",
 "rundll32.exe",
 "sc.exe",
 "wmic.exe",

From 22aebf796563c9ce5d1184b36c65fe6213a1682e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Thu, 4 Jun 2026 12:15:16 +0100
Subject: [PATCH 2/2] Update windows_alternate_datastream___process_execution.yml

---
 .../windows_alternate_datastream___process_execution.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/detections/endpoint/windows_alternate_datastream___process_execution.yml b/detections/endpoint/windows_alternate_datastream___process_execution.yml
index 9cc5856497..6616c0ce08 100644
--- a/detections/endpoint/windows_alternate_datastream___process_execution.yml
+++ b/detections/endpoint/windows_alternate_datastream___process_execution.yml
@@ -1,8 +1,8 @@
 name: Windows Alternate DataStream - Process Execution
 id: 30c32c5c-41fe-45db-84fe-275e4320da3f
-version: 12
+version: 13
 creation_date: '2024-01-10'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Steven Dick
 status: production
 type: TTP
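Review bot: The corrected `"regsvr32.exe"` entry closes a silent gap — with the misspelled value, process executions of regsvr32 would never have matched this rule, and the hunk carries no accompanying test or sample-data change that would have exposed the miss. A regression check that resolves each literal in this list against a known-good process-name sample would have caught the typo and would guard the remaining entries (`"regini.exe"`, `"rundll32.exe"`, `"wmic.exe"`) against the same class of error; consider adding one alongside the rule. The `search: |-` block that holds this list begins before the hunk, so whether the comparison is case-insensitive or exact cannot be confirmed from here.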