Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Samirbous · w0rk3r · web-flow · commit aedd499fdc5b · 2025-09-01T15:10:59.000+01:00
Co-authored-by: Jonhnathan &lt;26856693+w0rk3r@users.noreply.github.com&gt;
diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
@@ -93,7 +93,7 @@ sequence by process.entity_id with maxspan=1m
  not (?process.code_signature.subject_name : ("Bruno Software Inc", "Proton AG", "Axis Communications AB", "Citrix Systems, Inc.", "NSUS Limited", "Action1 Corporation", "Solarwinds Worldwide, LLC") and
       ?process.code_signature.trusted == true) and
  not (?process.pe.original_file_name in ("dxsetup.exe", "MofCompiler.exe", "ShellApp.exe") and
-      ?process.code_signature.subject_name == "Microsoft Corporation" and ?process.code_signature.trusted == true) and
+      ?process.code_signature.subject_name : "Microsoft Corporation" and ?process.code_signature.trusted == true) and
  not ?process.hash.sha256 in ("cfaef8c711db04d6c4a4381c66ac21b9e234e57febedb77fedc9316898b214bc",
                               "2f26f37cce780ca76f0dbac0de233f4c8d84c31b3f37380b9d5faacc3ee2d03e",
                               "7d9c691bfbf3beb78919dfd940fa6d325c3437425d5b0371df39aef6accf858d")
