From 060174e2dd31b15cc2738cdbd6bcbc4071e2b81d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 18:14:01 +0100
Subject: [PATCH] fix: small fixes

- Added modified date
- Updated DLL sideload version

---
 ...le_event_win_wermgr_local_privilege_escalation.yml | 3 ++-
 .../image_load_side_load_wermgr_comctl32.yml | 11 +++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
index 36d4b3f76..cff90f796 100644
--- a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
@@ -7,6 +7,7 @@ references:
 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
 author: Nasreddine Bencherchali, Subhash P (@pbssubhash)
 date: 2022/12/16
+modified: 2022/12/19
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -16,7 +17,7 @@ logsource:
 product: windows
 detection:
 selection:
- TargetFilename|startswith:
+ TargetFilename|startswith:
 - 'C:\Windows\System32\logonUI.exe.local'
 - 'C:\Windows\System32\werFault.exe.local'
 - 'C:\Windows\System32\consent.exe.local'
diff --git a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
index c1dba7aec..1ed8ae86f 100644
--- a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
+++ b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
@@ -4,8 +4,10 @@ status: experimental
 description: Detects potential DLL sideloading using comctl32.dll via "wermgr.exe" to obtain system privileges
 references:
 - https://github.com/binderlabs/DirCreate2System
-author: Nasreddine Bencherchali
+ - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
+author: Nasreddine Bencherchali, Subhash Popuri (@pbssubhash)
 date: 2022/12/16
+modified: 2022/12/19
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -17,7 +19,12 @@ logsource:
 product: windows
 detection:
 selection:
- ImageLoaded|startswith: 'C:\windows\system32\wermgr.exe.local\'
+ ImageLoaded|startswith:
+ - 'C:\Windows\System32\logonUI.exe.local\'
+ - 'C:\Windows\System32\werFault.exe.local\'
+ - 'C:\Windows\System32\consent.exe.local\'
+ - 'C:\Windows\System32\narrator.exe.local\'
+ - 'C:\windows\system32\wermgr.exe.local\'
 ImageLoaded|endswith: '\comctl32.dll'
 condition: selection
 falsepositives:
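Review bot: The expanded `ImageLoaded|startswith` list now matches `.local` redirection directories for logonUI.exe, werFault.exe, consent.exe and narrator.exe as well as wermgr.exe, but the rule's description (visible as context in the previous hunk) still says the sideload happens via "wermgr.exe" only, and the file name and, presumably, the title are wermgr-specific too, so an analyst triaging the alert would be pointed at the wrong host process. Consider rewording to `description: Detects potential DLL sideloading of comctl32.dll from a ".local" redirection directory next to "wermgr.exe", "logonUI.exe", "werFault.exe", "consent.exe" or "narrator.exe" in order to obtain system privileges` and checking the title alongside it. Separately, the last entry keeps `'C:\windows\system32\wermgr.exe.local\'` in lower case while the four new entries use `C:\Windows\System32\`; Sigma string matching is case-insensitive by default so this is cosmetic, but normalising to one spelling avoids the next reader wondering whether the difference is intentional. The hunk ends at `falsepositives:`, so the false-positive entries themselves are outside this view.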