From 89e1f491b34d3026918e9aec89fa8a52fcd441e7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 19 Dec 2021 19:43:37 +0100
Subject: [PATCH] refactor: add accepteula to flags
---
 rules/windows/process_creation/win_susp_psloglist.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_psloglist.yml b/rules/windows/process_creation/win_susp_psloglist.yml
index c9da73f66..01fe56869 100644
--- a/rules/windows/process_creation/win_susp_psloglist.yml
+++ b/rules/windows/process_creation/win_susp_psloglist.yml
@@ -31,10 +31,11 @@ detection:
 - '/x'
 - '-s'
 - '/s'
- eventlog:
- CommandLine|contains:
- - 'security'
- condition: (1 of selection*) or (flags and eventlog)
+ other:
+ CommandLine|contains|all:
+ - 'security'
+ - 'accepteula'
+ condition: (1 of selection*) or (flags and other)
 falsepositives:
 - Another tool that uses the command line switches of PsLogList
 - Legitimate use of PsLogList by an administrator
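Review bot: The new `other` selection requires `accepteula` on the command line, so the `flags and other` branch now only matches invocations that still pass the EULA switch; a PsLogList run on a host where the EULA was accepted earlier (the switch is then normally omitted) is covered only by `1 of selection*`, which is outside this hunk. That coverage trade-off deserves a line in the rule's `description` or `falsepositives`, for example a YAML comment above the selection: `# accepteula is required here to reduce noise; EULA-accepted hosts are caught by selection* only`. Separately, the commit subject says the switch was added to `flags`, but the hunk introduces a new selection named `other`, which says less than the removed `eventlog` did; a descriptive name such as `eventlog_eula:` with the `condition` updated to `(flags and eventlog_eula)` would read better (avoid a `selection*` prefix, which would change the `1 of selection*` semantics). The `detection:` header and the `flags` selection this condition references start outside the hunk.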