From 7d3d819ea58174f008b0ce6cbf80b622fc3fe7e2 Mon Sep 17 00:00:00 2001
From: Tareq AlKhatib
Date: Sun, 24 Feb 2019 10:29:58 +0300
Subject: [PATCH] Added a detection path through process spawn

---
 rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml b/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
index 70adbad0b..58a0af220 100644
--- a/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml
@@ -9,10 +9,13 @@ logsource:
     product: windows
     service: sysmon
 detection:
-    selection:
+    selection1:
         EventID: 13
         TargetObject: '*\EulaAccepted'
-    condition: selection
+    selection2:
+        EventID: 1
+        CommandLine: '* -accepteula*'
+    condition: selection1 or selection2
 falsepositives:
     - Legitimate use of SysInternals tools
     - Programs that use the same Registry Key
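Review bot: The new `selection2` only matches the dash form of the switch, `'* -accepteula*'`, while Sysinternals tools also accept the slash form, so a run with `/accepteula` would be logged as Sysmon EventID 1 but miss this rule; listing both spellings closes the gap: `CommandLine:` / `- '* -accepteula*'` / `- '* /accepteula*'`. The two `falsepositives` entries still describe only the registry path, so a line such as `- Scripts or installers that pass the EULA switch on the command line` would keep that section in step with the process-creation branch. The rule's title, description and tags sit above the hunk and are not visible here; if they speak only of the registry key they should be revisited too, since the rule now also fires on process creation.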