From de517ba8a217d0eae0efdfc0b229124b7f0291d8 Mon Sep 17 00:00:00 2001
From: Qasim Qlf <qlfqasim@gmail.com>
Date: Tue, 27 Sep 2022 13:21:48 +0500
Subject: [PATCH] Update proc_creation_win_uac_bypass_icmluautil.yml

---
 .../proc_creation_win_uac_bypass_icmluautil.yml                | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index db964e3ad..69665e04b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -3,6 +3,7 @@ id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
 description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
 author: Florian Roth
 date: 2022/09/13
+modified: 2022/09/27
 status: experimental
 references:
     - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
@@ -15,7 +16,7 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: '\dllhost.exe'
+        ParentImage|endswith: '\dllhost.exe'
         ParentCommandLine: 
             - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
             - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'