From b478f24985e9aa77340775a67dccbf5a767287ee Mon Sep 17 00:00:00 2001
From: Kevin Branch
Date: Mon, 5 Jun 2023 12:57:52 -0400
Subject: [PATCH] Update proc_creation_win_persistence_userinitmprlogonscript.yml

When logging into Windows Core, userinit.exe normalls calls PowerShell.exe without parameters to bring up a PowerShell window.
---
 .../proc_creation_win_persistence_userinitmprlogonscript.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml b/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml
index 4f73b26b8..d67130e75 100644
--- a/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml
@@ -23,6 +23,8 @@ detection:
 - 'netlogon*.bat'
 - 'UsrLogon.cmd'
 - 'C:\WINDOWS\Explorer.EXE'
+ - CommandLine:
+ - 'PowerShell.exe'
 - Image|endswith:
 - '\explorer.exe'
 - '\proquota.exe'
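Review bot: The new filter entry matches the whole CommandLine exactly against `PowerShell.exe`, so it exempts only an argument-less, path-less launch, yet nothing in the rule records why; the Windows Core logon behavior given in the commit message should sit next to the entry, e.g. `# On Windows Core, userinit.exe launches an interactive PowerShell.exe with no arguments at logon`. The entry is added as its own item in the filter list rather than under the existing `Image|endswith` item, so it presumably OR-joins with the other filters and is not bound to the image; pairing it with `Image|endswith: '\powershell.exe'` in the same list item would keep the exemption tied to the real PowerShell binary. If the telemetry source reports the command line with a full path or surrounding quotes, this exact value may never match, which is worth checking against real logon events. A bare `PowerShell.exe` is also what a minimal logon-script value looks like, so the exemption is a deliberate coverage gap that belongs in the rule's falsepositives text. The enclosing filter selection and the detection condition both start outside the hunk.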