From 3b8282c221593259a19815c76e52440bc46e064a Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 15 Sep 2021 16:21:30 +0200
Subject: [PATCH] fix detection

---
 ...calation_via_service_registry_permissions.yml} | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
 rename rules/windows/{registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml => process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml} (81%)

diff --git a/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml
similarity index 81%
rename from rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
rename to rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml
index 48f0533b..683811e1 100755
--- a/rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
+++ b/rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml
@@ -14,16 +14,17 @@ date: 2019/10/26
 modified: 2020/09/06
 logsource:
 product: windows
- category: registry_event
+ category: process_creation
 detection:
 selection:
- IntegrityLevel: 'Medium'
- TargetObject|contains: '\services\'
- TargetObject|endswith:
- '\ImagePath'
- '\FailureCommand'
- '\Parameters\ServiceDll'
+ CommandLine|contains|all:
- ControlSet
- services
 CommandLine|contains:
- \ImagePath
- \FailureCommand
- \ServiceDll
 condition: selection
 falsepositives:
- Unknown
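Review bot: The rewritten selection only fires when a registry path containing `\ImagePath`, `\FailureCommand` or `\ServiceDll` is spelled out on a command line, so a service binary path changed through the service control API or sc.exe, which never places those value names on a command line, is no longer observed; the registry_event version it replaces saw every write to those values regardless of tool, and that coverage reduction should at least be stated in the rule's description or falsepositives. The `IntegrityLevel: 'Medium'` condition was dropped without a replacement, so the rule no longer expresses its own premise of an unprivileged writer and routine administrative reg.exe maintenance on a service key now matches; Sysmon process creation events carry that field, so keeping `IntegrityLevel: 'Medium'` in the selection would preserve the intent. `modified: 2020/09/06` is left untouched although the logsource category and the entire selection changed, and should become `modified: 2021/09/15` to match the commit date. By the hunk header's line counts one trailing context line lies past the visible chunk.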