From c7c4130c044acba78e6107eae4e03083453ee563 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 17 Dec 2021 12:31:08 +0100
Subject: [PATCH] Update sysmon_alternate_powershell_hosts_pipe.yml

---
 .../sysmon_alternate_powershell_hosts_pipe.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
index 7bfba45ee..d36011ef3 100644
--- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 date: 2019/09/12
-modified: 2021/12/03
+modified: 2021/12/17
 logsource:
 product: windows
 category: pipe_created
@@ -18,9 +18,10 @@ detection:
 - '\powershell.exe'
 - '\powershell_ise.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
+- '\WINDOWS\System32\wsmprovhost.exe'
 filter2:
-Image:
-condition: selection and not filter1 and not filter2
+Image: null
+condition: selection and not 1 of filter*
 fields:
 - ComputerName
 - User
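Review bot: The new `'\WINDOWS\System32\wsmprovhost.exe'` entry in filter1 silently drops coverage for PowerShell sessions hosted by the WinRM provider host, and nothing in the hunk records that trade-off for the analyst tuning this rule; the rule's description and falsepositives fields lie outside the hunk and appear unchanged. Suggest a comment beside the new entry, `# WinRM provider host: PowerShell remoting sessions are intentionally excluded here`, and a matching line under falsepositives so the reduced coverage is visible where detection engineers look for it. The rewritten `condition: selection and not 1 of filter*` is equivalent to the removed `not filter1 and not filter2` today, but it will also pick up any future `filter*` selection added to the rule, so a comment stating that this is intended would prevent an accidental widening of the exclusions. The explicit `Image: null` in filter2 keeps excluding events with no Image field, as the bare `Image:` did; making that intent explicit in a comment, e.g. `# drop events where Image is missing rather than alerting on them`, would help since filter2 otherwise looks like a leftover stub.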