Closed 247arjun closed 3 years ago
Good call, patch submitted. Explorer is a trickier one and could be in the process tree. Without going to the extent of checking the authenticode I've used a combination of path and integrity level for the two logic branches.
wininit.exe and winlogon.exe run at SYSTEM IL (not Medium/Low that the current user is), so it will also be a good idea to check if the suspect process, if named any of the allowed processes, is running with the expected IL of these known allowed processes.
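The path-plus-integrity-level check discussed in the thread, as an added example that is not the project's own code: each process record is constructed sample data, and the expected paths assume the default `C:\Windows\System32` location.

```python
"""Flag processes that carry the name of a known SYSTEM-level Windows process
but do not run from the expected path or at the expected integrity level.
Added example, not project code; process records below are constructed."""
from dataclasses import dataclass

# Expected on-disk location and integrity level for the allowed names.
# Assumes the default SystemRoot of C:\Windows.
EXPECTED = {
    "wininit.exe": (r"c:\windows\system32\wininit.exe", "System"),
    "winlogon.exe": (r"c:\windows\system32\winlogon.exe", "System"),
}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    integrity: str  # Low, Medium, High or System


def check(proc):
    """Return None when the process matches expectations, else a reason string."""
    name = proc.name.lower()
    if name not in EXPECTED:
        return None  # not one of the allowed names, nothing to verify here
    exp_path, exp_il = EXPECTED[name]
    # Normalise slashes and case before comparing the image path.
    path = proc.path.replace("/", "\\").lower()
    if path != exp_path:
        return f"{proc.name} pid {proc.pid}: unexpected path {proc.path}"
    if proc.integrity != exp_il:
        return f"{proc.name} pid {proc.pid}: integrity {proc.integrity}, expected {exp_il}"
    return None


def suspicious(procs):
    """Reasons for every process that fails the path or integrity-level check."""
    return [r for r in (check(p) for p in procs) if r]


# Constructed sample process list: one legitimate wininit.exe, one winlogon.exe
# launched from a user temp folder, one wininit.exe at Medium IL, one explorer.exe.
SAMPLE = [
    Proc(620, "wininit.exe", r"C:\Windows\System32\wininit.exe", "System"),
    Proc(1312, "winlogon.exe", r"C:\Users\alice\AppData\Local\Temp\winlogon.exe", "Medium"),
    Proc(4100, "WinInit.exe", r"C:/Windows/System32/wininit.exe", "Medium"),
    Proc(2200, "explorer.exe", r"C:\Windows\explorer.exe", "Medium"),
]

if __name__ == "__main__":
    for reason in suspicious(SAMPLE):
        print(reason)
```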