Update win_susp_service_installation_script.yml

hal308 · Mar 24, 2022 · 37437c7 · 37437c7
1 parent 76710a1
commit 37437c7
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/rules/windows/builtin/system/win_susp_service_installation_script.yml b/rules/windows/builtin/system/win_susp_service_installation_script.yml
@@ -13,14 +13,15 @@ detection:
     Provider_Name: 'Service Control Manager'
     EventID: 7045
   suspicious1:
-    - ImagePath|contains: ' /C '
-    - ImagePath|contains:
+    ImagePath|contains: ' /C '
+  suspicious2:
+    ImagePath|contains:
         - 'powershell'
         - 'wscript'
         - 'cscript'
         - 'mshta'
         - 'rundll32'
-  condition: selection and 1 of suspicious*
+  condition: selection and all of suspicious*
 falsepositives:
   - Unknown
 level: high