From a6edb7cfcfc1a69da325ff025938e422ac734b61 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 17 Mar 2022 19:37:42 -0300
Subject: [PATCH] Update defense_evasion_posh_process_injection.toml (#1838)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 rules/windows/defense_evasion_posh_process_injection.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 4614cdc82..a217ff2cc 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/14"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/15"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ event.category:process and
 (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or LoadLibraryEx or
 GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
 (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
- SuspendThread or ResumeThread)
+ SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
 )
 '''
 
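Review bot: `GetDelegateForFunctionPointer` on the added line is a .NET `System.Runtime.InteropServices.Marshal` method rather than a kernel32/ntdll export like every other term in that group, so the rule now also matches in-process managed shellcode runners (allocate with `VirtualAlloc`, then invoke through a delegate) that never touch a remote process; the rule's description and false-positive text, which are outside this hunk, should say so, and a TOML comment above the `query = '''` line such as `# GetDelegateForFunctionPointer is the .NET Marshal call used to execute VirtualAlloc'd shellcode in-process` would stop a later maintainer pruning it as an odd man out. Since the query matches the method name as a literal term in the script text (the field it is tested against is outside the hunk), an invocation assembled by string concatenation or reflection is not seen, which is worth recording as a known limitation in the rule note along with the other API names. Only `updated_date` moves in the metadata hunk; if the repo tracks a rule revision or version field elsewhere in the file, that change is not visible here. The `'''` query string this hunk edits is opened outside the hunk, and the closing `)` on the context line closes a parenthesis opened outside it.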