From 38335b6303f84840cb280ea56373803a0544f34c Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 30 Jun 2022 16:22:42 +0000 Subject: [PATCH] False positive filtering out of behavior by services.exe which is expected --- .../security/win_scm_database_privileged_operation.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml index 1e0d10b2a..ed9b84694 100644 --- a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml @@ -2,11 +2,11 @@ title: SCM Database Privileged Operation id: dae8171c-5ec6-4396-b210-8466585b53e9 status: test description: Detects non-system users performing privileged operation os the SCM database -author: Roberto Rodriguez @Cyb3rWard0g +author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton references: - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html date: 2019/08/15 -modified: 2022/06/18 +modified: 2022/06/30 logsource: product: windows service: security @@ -18,6 +18,7 @@ detection: PrivilegeList: 'SeTakeOwnershipPrivilege' filter: SubjectLogonId: '0x3e4' + ProcessName|endswith: ':\Windows\System32\services.exe' condition: selection and not filter falsepositives: - Unknown
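Review bot: In the `detection` hunk, adding `ProcessName|endswith: ':\Windows\System32\services.exe'` to the existing `filter` map ANDs it with `SubjectLogonId: '0x3e4'`, so the filter now only suppresses events that have both the 0x3e4 logon ID and a services.exe process name; events with logon ID 0x3e4 from any other process are no longer filtered, and services.exe events under a different logon ID (services.exe normally runs as SYSTEM, logon ID 0x3e7, not NETWORK SERVICE 0x3e4) are not filtered either. If the intent stated in the commit message is to drop the expected services.exe activity in addition to the existing exclusion, put it in its own selection and OR the filters, e.g. `filter_services:` / `    ProcessName|endswith: ':\Windows\System32\services.exe'` with `condition: selection and not 1 of filter*`, or make `filter` a list of two maps. The `falsepositives` entry should also be updated from `Unknown` to name the services.exe case this change suppresses.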
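Review bot: The first hunk touches the rule header but leaves the typo in the context line `description: Detects non-system users performing privileged operation os the SCM database` (`os` should be `on`); since `author` and `modified` are being edited anyway, fixing the description in the same change would be appropriate.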