From 210f123b47b79da5073272ba1360b9e8a31f5c60 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Fri, 18 Sep 2020 14:30:53 -0500 Subject: [PATCH] title adjustment --- Persistence.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Persistence.md b/Persistence.md index 05033b0..7f8a219 100644 --- a/Persistence.md +++ b/Persistence.md @@ -46,7 +46,7 @@ The below query will find and remote content downloads from DesktopImgDownldr or (( TgtProcName In Contains Anycase ("bitsadmin.exe","desktopimgdownldr.exe") AND ( TgtProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)" OR TgtProcCmdLine ContainsCIS "/setnotifycmdline " ) ) OR ( TgtProcName = "powershell.exe" AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer" ) ) AND SrcProcParentName Not In ("services.exe","smss.exe","wininit.exe") ``` -### T1176 Browser Extensions +### T1176 Browser Extension Installation Atomics: [T1176](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md) This query takes a lazy approach to detecting the staging of xpi or crx extension packages for installation within Chrome and Firefox based browsers. Unsure how to filter our extension updates without excluding too much.
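Review bot: the renamed heading `### T1176 Browser Extension Installation` no longer matches the MITRE ATT&CK technique name, which for T1176 is "Browser Extensions", so the section title now diverges from the linked Atomic Red Team page and from the naming used by the other `### Txxxx` headings that carry the ATT&CK name; consider keeping the canonical name and putting the narrower scope in the heading suffix or description, e.g. `### T1176 Browser Extensions (extension package staging)`. While this section is being edited, the trailing context line "Unsure how to filter our extension updates" should read "filter out", and the commit message "title adjustment" would be more useful if it named the heading changed and the reason.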