Merge pull request #1 from securepeacock/securepeacock-patch-2

Update proc_creation_win_susp_netsh_command.yml

rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml

@@ -4,21 +4,28 @@ status: experimental
 description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
-author: frack113
+author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021/12/07
+modified: 2022/05/11
 logsource:
     category: process_creation
     product: windows
 detection:
-    network_cmd:
+    network_cmd1:
         CommandLine|contains|all:
             - 'netsh '
+            - 'show '
+    network_cmd2:
+        CommandLine|contains:
             - 'advfirewall '
             - 'firewall '
-            - 'show '
+    network_cmd3:
+          CommandLine|contains:
+            - 'config '
+            - 'state '
             - 'rule '
             - 'name=all'
-    condition: network_cmd
+    condition: network_cmd1 and network_cmd2 and network_cmd3
 falsepositives:
     - Administrator, hotline ask to user
 level: low