From d7bc30587f6f275dbc156e4e97f0f9c125b2f92c Mon Sep 17 00:00:00 2001
From: zydyka <58555429+zydyka@users.noreply.github.com>
Date: Fri, 30 Dec 2022 09:00:57 +0500
Subject: [PATCH] Update proc_creation_win_sysmon_exploitation.yml
---
 .../process_creation/proc_creation_win_sysmon_exploitation.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
index 93c142377..debf1fcea 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
@@ -8,7 +8,7 @@ references:
 - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth
 date: 2022/11/10
-modified: 2022/12/15
+modified: 2022/12/30
 tag:
 - attack.privilege_escalation
 - attack.t1068
@@ -23,6 +23,7 @@ detection:
 - '\Sysmon64.exe'
 filter:
 - Image:
+ - 'C:\Windows\Sysmon.exe'
 - 'C:\Windows\Sysmon64.exe'
 - 'C:\Windows\System32\conhost.exe'
 - 'wevtutil.exe'
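Review bot: The filter list this hunk extends mixes full image paths with a bare `'wevtutil.exe'` on its last line; a plain Sigma string value is an exact match on the field and `Image` carries the full path, so that entry presumably never matches and the exclusion of wevtutil is not actually applied. The new `C:\Windows\Sysmon.exe` line follows the full-path convention, so the bare entry should be brought in line with it, either as the full path (`- 'C:\Windows\System32\wevtutil.exe'`) or, if a path-independent match is intended, under a separate `Image|endswith` filter so the exclusion stays as narrow as the others. The `condition` that combines `selection` and `filter` lies outside the hunk, so the negation semantics are inferred from the rule's structure rather than visible here.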