From 02ed1ffd471a59d228f153c844dc00ffa6c28474 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 14 Nov 2024 20:15:29 +0000
Subject: [PATCH] Sigma Rule Update (2024-11-14 20:15:22) (#772)
Co-authored-by: hach1yon
---
 .../proc_creation_win_susp_system_user_anomaly.yml | 7 +++++--
 .../proc_creation_win_susp_system_user_anomaly.yml | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index e2c5bc7db..a90c45829 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -10,7 +10,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-07-22
+modified: 2024-11-11
 tags:
 - attack.credential-access
 - attack.defense-evasion
@@ -80,7 +80,10 @@ detection:
 - MiniDump # Process dumping method apart from procdump
 - 'net user '
 filter_main_ping:
- CommandLine|contains: ping 127.0.0.1 -n
+ CommandLine|contains|all:
+ - ping
+ - 127.0.0.1
+ - ' -n '
 filter_vs:
 ParentCommandLine|contains: \DismFoDInstall.cmd
 NewProcessName|endswith: \PING.EXE
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 7f10efcfd..6f27e68cf 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml
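Review bot: The loosened `filter_main_ping` exclusion in the `@@ -80,7 +80,10 @@` hunk now treats `ping`, `127.0.0.1` and ` -n ` as three independent substrings matched anywhere in the command line, so it excludes more than the `ping 127.0.0.1 -n` sleep idiom it replaces: a command line that carries the loopback address and an ` -n ` switch for some other tool is dropped as soon as `ping` occurs inside any word or path (a directory such as `\shipping\` would do — constructed example). Because this is an exclusion on a rule meant to surface anomalous SYSTEM-context process creations, the extra width is a blind spot rather than extra coverage. `filter_vs` just below already ties itself to the ping binary with `NewProcessName|endswith: \PING.EXE`; adding that same line to `filter_main_ping` next to the `contains|all` list would keep the token match order-insensitive while excluding only real ping.exe invocations (the sysmon copy in the second file of this patch would take `Image|endswith: \PING.EXE`, as its own `filter_vs` does). Whether a wrapper such as `cmd /c ping 127.0.0.1 -n 5` would then reach the selection again depends on the selection terms, which sit outside the hunk, as does the rest of the `detection:` block.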
@@ -10,7 +10,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-07-22
+modified: 2024-11-11
 tags:
 - attack.credential-access
 - attack.defense-evasion
@@ -81,7 +81,10 @@ detection:
 - MiniDump # Process dumping method apart from procdump
 - 'net user '
 filter_main_ping:
- CommandLine|contains: ping 127.0.0.1 -n
+ CommandLine|contains|all:
+ - ping
+ - 127.0.0.1
+ - ' -n '
 filter_vs:
 Image|endswith: \PING.EXE
 ParentCommandLine|contains: \DismFoDInstall.cmd