Update T1093_Process_Hollowing.txt

heyibrahimkhan · web-flow · commit 115cb99b1394 · 2020-11-06T06:39:47.000+05:00
"and" instead of "or"
diff --git a/detections/T1093_Process_Hollowing.txt b/detections/T1093_Process_Hollowing.txt
@@ -55,7 +55,7 @@ Sysmon
         )
     ) or (
         process_path contains "userinit.exe" and (
-            process_parent_command_line !contains "dwm.exe" or 
+            process_parent_command_line !contains "dwm.exe" and 
             process_parent_command_line !contains "winlogon.exe"
         )
     )

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ Sysmon`
`55`	`55`	`)`
`56`	`56`	`) or (`
`57`	`57`	`process_path contains "userinit.exe" and (`
`58`		`- process_parent_command_line !contains "dwm.exe" or`
	`58`	`+ process_parent_command_line !contains "dwm.exe" and`
`59`	`59`	`process_parent_command_line !contains "winlogon.exe"`
`60`	`60`	`)`
`61`	`61`	`)`