Update detect-office-products-spawning-wmic.md

tali-ash · web-flow · commit b4f67640758c · 2020-07-22T19:22:56.000+03:00
diff --git a/Execution/detect-office-products-spawning-wmic.md b/Execution/detect-office-products-spawning-wmic.md
@@ -10,7 +10,7 @@ The following query detects when Microsoft Office software spawns an instance of
 
 ```Kusto
 ​​// Office products spawning WMI
-ProcessCreationEvents
+DeviceProcessEvents
 | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
 and FileName =~"wmic.exe"
 ```
@@ -39,4 +39,4 @@ This query can be used to detect the following attack techniques and tactics ([s
 
 ## Contributor info
 
-**Contributor:** Microsoft Threat Protection team
+**Contributor:** Microsoft Threat Protection team
