Added a detection path through process spawn

2019-02-24 10:29:58 +03:00
parent bdf0dd8e21
commit 7d3d819ea5
1 changed files with 5 additions and 2 deletions
@@ -9,10 +9,13 @@ logsource:
    product: windows
    service: sysmon
 detection:
-    selection:
+    selection1:
        EventID: 13
        TargetObject: '*\EulaAccepted'
-    condition: selection
+    selection2:
+        EventID: 1
+        CommandLine: '* -accepteula*'
+    condition: selection1 or selection2
 falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key