fix: FP in testing environment

2022-11-23 09:53:35 +01:00
parent 5542c8c9d9
commit 671b60e42f
1 changed files with 4 additions and 3 deletions
@@ -6,7 +6,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
 author: Tim Rauch
 date: 2022/09/28
-modified: 2022/11/22
+modified: 2022/11/23
 tags:
    - attack.execution
    - attack.t1059
@@ -36,10 +36,11 @@ detection:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
-            - '-k netsvcs -p -s NetSetupSvc'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
-            - '-k wsappx -p -s ClipSVC'
+            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
+            - '-k wsappx -p -s AppXSvc'
+            - '-k wsappx -p -s ClipSVC'
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not filter