wmiprvse subprocess: add fallback check on username instead of only logonid
This commit is contained in:
parent
91d1586b97
commit
3247d5692a
@ -17,7 +17,8 @@ detection:
selection:
ParentImage|endswith: '\WmiPrvSe.exe'
filter:
LogonId: '0x3e7'
- LogonId: '0x3e7' # LUID 999 for SYSTEM
- Username: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
condition: selection and not filter
falsepositives:
- Unknown
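Review bot: The new `- Username: 'NT AUTHORITY\SYSTEM'` fallback is an exact-match string, so on non-English Windows installs where the built-in account is rendered as e.g. `NT-AUTORITÄT\SYSTEM` or `AUTORITE NT\SYSTEM` the filter never matches and every SYSTEM-owned child of WmiPrvSe.exe becomes an alert; a locale-tolerant form such as `- Username|contains: 'AUTHORI'` and `- Username|contains: 'AUTORI'` (or `- Username|endswith: '\SYSTEM'`) is the usual way to cover this. The field name also looks worth confirming against the backend field mappings, since Sysmon EventID 1 and the process_creation taxonomy expose the account as `User`, and an unmapped `Username` would silently leave only the LogonId check in effect rather than fall back. Separately, excluding everything running as SYSTEM (by either key) also excludes WMI event-subscription consumers, which execute under SYSTEM, so a comment next to the filter recording that this blind spot is accepted would help the next maintainer.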