Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Samirbous · w0rk3r · web-flow · commit ee823b637c89 · 2025-09-01T15:10:40.000+01:00
Co-authored-by: Jonhnathan &lt;26856693+w0rk3r@users.noreply.github.com&gt;
diff --git a/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml b/rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
@@ -90,7 +90,7 @@ sequence by process.entity_id with maxspan=1m
          "C:\\Windows\\System32\\wevtutil.exe",
          "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe") and
  not (process.name : ("rundll32.exe", "regsvr32.exe", "powershell.exe", "regasm.exe", "wscript.exe") and process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and
- not (?process.code_signature.subject_name in ("Bruno Software Inc", "Proton AG", "Axis Communications AB", "Citrix Systems, Inc.", "NSUS Limited", "Action1 Corporation", "Solarwinds Worldwide, LLC") and
+ not (?process.code_signature.subject_name : ("Bruno Software Inc", "Proton AG", "Axis Communications AB", "Citrix Systems, Inc.", "NSUS Limited", "Action1 Corporation", "Solarwinds Worldwide, LLC") and
       ?process.code_signature.trusted == true) and
  not (?process.pe.original_file_name in ("dxsetup.exe", "MofCompiler.exe", "ShellApp.exe") and
       ?process.code_signature.subject_name == "Microsoft Corporation" and ?process.code_signature.trusted == true) and
