From ff88a7e17753da918e6165ab2af1b99d5349b565 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 28 Aug 2022 19:33:49 +0200 Subject: [PATCH] fix: FP with VSCode extensions --- .../proc_creation_win_susp_missing_spaces.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml b/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml index 85466c5e7..55e05ebf2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/cyb3rops/status/1562072617552678912 - https://ss64.com/nt/cmd.html date: 2022/08/23 +modified: 2022/08/28 tags: - attack.execution - attack.t1059.001 @@ -46,6 +47,9 @@ detection: - 'cmd /c ' - 'cmd.exe /k ' - 'cmd /k ' + filter_falsepositives: + - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules' + - CommandLine|endswith: 'cmd.exe/c .' condition: 1 of selection* and not 1 of filter* falsepositives: - Unknown
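Review bot: The new `filter_falsepositives` entry keys only on `CommandLine|contains` with the VS Code `node_modules` path, and since the condition is `not 1 of filter*`, any process whose command line embeds that substring anywhere — for example as a trailing argument that cmd.exe ignores — is dropped from the rule, which hands an attacker a cheap evasion for the missing-space patterns this rule exists to catch. Tie the exclusion to the process that actually produces the false positive instead, e.g. one map so the fields are ANDed: `filter_falsepositives:` / `    ParentImage|endswith: '\Code.exe'` / `    CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'` (that the parent is Code.exe is my inference from the path; confirm against the events that triggered the FP). Now that one false positive is known and handled, the `falsepositives:` field in the same hunk still reads `- Unknown`; replace it with something like `- Visual Studio Code extensions spawning cmd.exe`. The `detection:` block this hunk edits starts before the hunk, so the selection the filters are applied against is not visible here.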