wmiprvse subprocess: add fallback check on username instead of only logonid

This commit is contained in:
ecco 2020-02-24 09:25:20 -05:00
parent 91d1586b97
commit 3247d5692a


@ -17,7 +17,8 @@ detection:
selection:
ParentImage|endswith: '\WmiPrvSe.exe'
filter:
LogonId: '0x3e7'
- LogonId: '0x3e7' # LUID 999 for SYSTEM
- Username: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
condition: selection and not filter
falsepositives:
- Unknown
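Review bot: the username fallback added as the second `filter` entry is an exact, English-only match, so on a localized Windows host (where the account renders as e.g. `NT-AUTORITÄT\SYSTEM` or `AUTORITE NT\SYSTEM`) it never matches, and with `condition: selection and not filter` the rule then fires on every legitimate SYSTEM child of `WmiPrvSe.exe` whenever `LogonId` is missing. Consider a suffix or substring match instead, e.g. `Username|endswith: '\SYSTEM'`, and since `filter` is now a list of two maps they are OR'ed, which the inline comment should state: an event with no `LogonId` at all is still filtered when the username matches, and an event with a foreign `LogonId` is also filtered as long as the username is SYSTEM.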