From f91e0faceaa41d83bbda4a8a7063864171d7de68 Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Tue, 1 Jun 2021 09:29:09 -0400
Subject: [PATCH] Update privilege_escalation_persistence_phantom_dll.toml (#1228)
(cherry picked from commit 6626cbb943e4cfbd0c026483ee2206cc25f5e2f8)
---
 .../windows/privilege_escalation_persistence_phantom_dll.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 3bfe6d913..507434ce2 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/27"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,7 @@ library where dll.name :
 "windowsperformancerecordercontrol.dll",
 "diagtrack_win.dll"
 ) and
-not (dll.code_signature.subject_name : "Microsoft Windows" and dll.code_signature.status : "trusted")
+not (dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation") and dll.code_signature.status : "trusted")
 '''
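Review bot: The widened exclusion on the `not (dll.code_signature.subject_name : ...)` line in the second hunk now suppresses the alert for every listed DLL name whenever the file carries a trusted "Microsoft Corporation" signature, and nothing in the commit message or the query records which benign load motivated it. "Microsoft Corporation" is presumably a far broader signer than "Microsoft Windows", so the exclusion covers more than the one false positive it was likely added for, and that detection-coverage trade-off should be written down. I would add an EQL comment above the clause, for example `/* excludes Microsoft Corporation-signed copies of <DLL name> seen in <issue reference> */`, with the placeholders filled in by the author. If the benign case is tied to one file, consider scoping the new signer to that name or to its expected location via `dll.path` rather than applying it to the whole list. The query begins before this hunk, so the full DLL list and any existing path conditions are not visible here.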