From f46e86fbb11f8394640aea73cd3ac2d7d9288aa3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 24 Aug 2017 18:26:58 +0200
Subject: [PATCH] WMI persistence modified

---
 rules/windows/other/win_wmi_persistence.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index a86f812b7..1dc3ef984 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -1,6 +1,6 @@
 title: WMI Persistence
 status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10)
+description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
 author: Florian Roth
 reference: https://twitter.com/mattifestation/status/899646620148539397
 logsource:
@@ -17,3 +17,4 @@ detection:
 falsepositives:
     - Unknown (data set is too small; further testing needed)
 level: high
+
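Review bot: The second hunk appends a bare empty line after `level: high`, which looks accidental rather than intended — it adds no content and trailing blank lines are commonly flagged by YAML linters, so dropping that `+` line and letting the file end at `level: high` would be cleaner. In the first hunk, the new wording "(Windows 10, 2012 and higher)" is ambiguous about whether Windows Server 2012 itself, or only 2012 R2, emits event id 5861; if the platform set was verified, naming it explicitly, e.g. `(Windows 10, Windows Server 2012 R2 and higher)` or whichever versions were actually tested, would make the coverage claim checkable. The `logsource` and `detection` sections that would back this claim lie outside both hunks, so the description cannot be reconciled against the rule body here.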