From da5ec4e952f93ddf5e665cc764fb862f29a5ea92 Mon Sep 17 00:00:00 2001
From: GlebSukhodolskiy <56804667+GlebSukhodolskiy@users.noreply.github.com>
Date: Wed, 6 Jan 2021 16:50:28 +0300
Subject: [PATCH] Update win_wmi_persistence.yml

Removed sequence of EIDs in Windows Security section.
---
 rules/windows/other/win_wmi_persistence.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 5ffcb0df8..405e657b8 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -38,13 +38,8 @@ logsource:
     product: windows
     service: security
 detection:
-    network_logon:
-        EventID: 4624
-        LogonType: 3
-    privileges_assigned:
-        EventID: 4672
     wmi_subscription:
         EventID: 4662
         ObjectType: 'WMI Namespace'
         ObjectName|contains: 'subscription'
-    condition: network_logon and privileges_assigned and wmi_subscription
+    condition: wmi_subscription
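Review bot: With the two logon selections removed, the `condition: wmi_subscription` line at the end of the hunk now fires on any single 4662 event whose ObjectName contains 'subscription', which changes the rule's noise profile, so the rule's `description`, `falsepositives` and `level` fields (outside the hunk) should be revisited to reflect a single-event match rather than a logon-plus-privilege chain. A Sigma `and` between separate selections never correlates distinct events, so the old three-way condition was effectively unmatchable on single-event backends; stating that in the commit message would make clear this is a correctness fix, not a loosening. Because 4662 for a WMI namespace is only generated once object-access auditing (a SACL) has been configured on that namespace, a comment such as `# 4662 on WMI namespaces requires a SACL on the namespace (e.g. root\subscription); not audited by default` above `wmi_subscription:` would spare operators a silently no-hit deployment. Legitimate management and monitoring tooling that registers permanent event subscriptions will also match, and the `falsepositives` list should say so.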