Update sysmon_cmstp_com_object_access.yml

Edit tule logic for `and` instead of `or
2018-10-09 19:03:30 -05:00
parent 182781229c
commit ffbb968fcd
1 changed files with 3 additions and 6 deletions
@@ -19,15 +19,12 @@ detection:
    # CMSTP Spawning Child Process
    selection1:
        EventID: 1
-        ParentCommandLine:
-            - '*\DllHost.exe'
-            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA
+        ParentCommandLine: '*\DllHost.exe'
    selection2:
-        EventID: 1
        ParentCommandLine:
-            - '*\DllHost.exe'
+            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA
            - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225
-    condition: 1 of them
+    condition: selection1 and selection2
 fields:
    - CommandLine
    - ParentCommandLine