From c902dbf1a1af78d621cc5f0b1e9167fc8c2d34e0 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Fri, 6 May 2022 11:45:58 +0300
Subject: [PATCH] Add application_execution tag to certain Amcache entries
---
 data/tag_windows.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/data/tag_windows.txt b/data/tag_windows.txt
index 4f2adfaa26..0a06d2eb25 100644
--- a/data/tag_windows.txt
+++ b/data/tag_windows.txt
@@ -11,6 +11,7 @@ application_execution
 data_type is 'windows:registry:mrulistex' AND entries contains '.exe'
 data_type is 'windows:registry:userassist' AND value_name contains '.exe'
 data_type is 'windows:tasks:job'
+ parser is 'winreg/amcache' AND data_type is 'windows:registry:key_value' AND values contains 'BundleManifestPath'

 # Tags Windows application installation events.
 application_install
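Review bot: The added rule under `application_execution` fires on the mere presence of the string `BundleManifestPath` in an Amcache key, and neither the rule nor the commit message explains why that value implies the program actually ran. Amcache is generally treated as evidence that a file or package was present or inventoried rather than proof of execution, so analysts filtering on this tag may over-read these hits; it is worth confirming whether `application_install`, the next tag in this file, is the better fit for bundle-manifest entries. `contains` is also a substring test over the whole `values` string, so it would presumably match that text inside value data as well as in a value name. If the rule stays here, a comment such as `# Amcache keys carrying BundleManifestPath: package was inventoried; corroborate before treating as execution.` would record the intent, assuming the tag file accepts a comment line at that position.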