From c69613696f0a985f2e2ba10f23e718fd92c06939 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 7 Feb 2022 21:24:21 +0100
Subject: [PATCH] fix: FP noticed with Aurora

---
 .../sysmon_raw_disk_access_using_illegitimate_tools.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
index e621b0eab..6887d2919 100644
--- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
@@ -51,6 +51,7 @@ detection:
 - 'C:\Windows\System32\SrTasks.exe'
 - 'C:\Windows\System32\dllhost.exe'
 - 'C:\Windows\System32\DeviceCensus.exe'
+ - 'C:\Windows\UUS\amd64\MoUsoCoreWorker.exe'
 filter_system:
 Image: 'System'
 filter_Keybase:
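Review bot: The new allowlist entry `'C:\Windows\UUS\amd64\MoUsoCoreWorker.exe'` is an exact full-path match, so the commit records neither why this process legitimately performs raw disk access nor whether the same binary under another architecture directory (if one exists) should be covered; a short inline comment such as `# Update Session Orchestrator worker (UUS) — presumably legitimate raw volume access during Windows Update, observed as FP` would make the exclusion auditable for the next maintainer. Since Sysmon RawAccessRead events carry essentially only Image and Device, path is the only available discriminator here, which means each `filter_*` path added is bypassable by an attacker who already holds the admin rights raw disk access requires and can plant a binary at that path; that is an inherent limit of this rule type, but it is worth stating in the rule's `falsepositives`/description (outside this hunk) so the growing allowlist is understood as a trust-in-path decision. The `detection:` block this hunk modifies starts and ends outside the hunk.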