Merge pull request #3186 from redsand/fp_scm_db_mgmt_by_services.exe

False positive filtering out of behavior by services.exe which is exp…

rules/windows/builtin/security/win_scm_database_privileged_operation.yml

@@ -2,11 +2,11 @@ title: SCM Database Privileged Operation
 id: dae8171c-5ec6-4396-b210-8466585b53e9
 status: test
 description: Detects non-system users performing privileged operation os the SCM database
-author: Roberto Rodriguez @Cyb3rWard0g
+author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 references:
   - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
 date: 2019/08/15
-modified: 2022/06/18
+modified: 2022/06/30
 logsource:
   product: windows
   service: security
@@ -18,6 +18,7 @@ detection:
     PrivilegeList: 'SeTakeOwnershipPrivilege'
   filter:
     SubjectLogonId: '0x3e4'
+    ProcessName|endswith: ':\Windows\System32\services.exe'
   condition: selection and not filter
 falsepositives:
   - Unknown