merging changes

2020-09-17 16:41:15 -05:00
parent a758a042c5
commit b4081d94bb
12 changed files with 572 additions and 18 deletions
+3 -3
@@ -32,7 +32,7 @@ Detects application shimming through sdbinst or registry modification.
Atomics: [T1548.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md)
Detection of UAC bypass through tampering with Shell Open for .ms-settings or .msc file types.
`Noted issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key paths wer ControlSet001\Service\bam\State\UserSettings\GUID\...`
** Noted issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key paths wer ControlSet001\Service\bam\State\UserSettings\GUID\... ***
```
SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command"
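Review bot: the replacement note in this hunk opens with `**` and closes with `***`, so the Markdown is unbalanced and renders as literal asterisks instead of bold; close with `**`, or keep the single-line backtick span the removed line used. While touching it, fix "wer" to "were" and say what the note is for: as written it records that the agent reported the registry key path as the BAM `UserSettings` path instead of the `shell\open\command` key, which is the reason the query below keys on `SrcProcCmdLine` rather than `RegistryKeyPath`; a reader cannot otherwise tell why a registry-based UAC bypass is detected on command line. Minor: the BAM key sits under `Services` (plural), and its `UserSettings` subkeys are user SIDs, not GUIDs.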
@@ -172,7 +172,7 @@ Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/
Detects malicious changes to screensaver through Registry changes, filtering expected processes.
```
RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe"))
RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe"))
```
### T1547.005 Security Support Provider
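Review bot: adding `CcmExec.exe` to the `SrcProcName Not In (...)` list widens an exclusion that is matched on process name alone, so a binary renamed to `svchost.exe`, `SetupHost.exe` or `CcmExec.exe` and run from any directory bypasses the rule while still writing `SCRNSAVE.EXE`. Prefer excluding on the full image path (the SCCM agent host runs from `%windir%\CCM\CcmExec.exe`) or on signer, and if only the name is available pair it with a path or parent check. Also record why `CcmExec.exe` is expected here (SCCM policy applying screensaver settings) so the next person does not drop it as noise.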
@@ -218,4 +218,4 @@ Detects Winlogon Helper Dll changes through Registry MetadataIndicator item, as
```
IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows NT\CurrentVersion\Winlogon\Notify") AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell") AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe"
```
```
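Review bot: the hunk ends with two closing code fences (three backticks each) after the Winlogon query, so whichever side carries the second one, the rendered file is left with a stray fence that opens an unterminated code block and swallows anything appended later; keep exactly one. On the query itself, the second clause `IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell")` is redundant: `"logon"` already matches case-insensitively inside `Winlogon`, which the first clause requires, so it narrows nothing. Drop `"logon"` and name the values you mean (`Userinit`, `Shell`, `Notify`) so the clause filters on the value being changed, and note that the `userinit.exe` exclusion only covers the `Userinit` value, not a tampered `Shell`. Also check the operator spelling: this line uses `Does Not ContainCIS` while the other queries in the file use `ContainsCIS`.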