From 07cf7ae5fa300bcbf7b4a61cd92f366c04d8a939 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 28 Oct 2022 16:28:49 +0200
Subject: [PATCH] fix: FP with Code Integrity Attempted DLL Load

---
 .../code_integrity/win_codeintegrity_attempted_dll_load.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index a5b698ad2..b1932b095 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -77,6 +77,11 @@ detection:
             - '\Windows\System32\svchost.exe'
         RequestedPolicy: 12
         ValidatedPolicy: 1
+    filter_gac:
+        FileNameBuffer|endswith: '\stdole.dll'
+        ProcessNameBuffer|endswith: '\mscorsvw.exe'
+        RequestedPolicy: 8
+        ValidatedPolicy: 2
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
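Review bot: The new `filter_gac` matches on file basenames only — `FileNameBuffer|endswith: '\stdole.dll'` and `ProcessNameBuffer|endswith: '\mscorsvw.exe'` — whereas the sibling filter visible just above anchors its process to `\Windows\System32\svchost.exe`, so any binary named mscorsvw.exe in any directory loading any file named stdole.dll is now suppressed as long as the event reports RequestedPolicy 8 and ValidatedPolicy 2. If the false positive being fixed is the .NET native-image service loading the GAC copy of stdole.dll (the filter name suggests so), anchoring both paths keeps the exclusion narrow, e.g. `ProcessNameBuffer|contains: '\Microsoft.NET\Framework'` and `FileNameBuffer|contains: '\assembly\GAC\'` — confirm these fragments against the actual events before adopting them. The `falsepositives` entry still reads `- Unknown` even though this commit encodes a known case; it should name it, e.g. `- .NET native image service (mscorsvw.exe) loading stdole.dll from the GAC`. The `selection` block and the other `filter_*` blocks of this rule lie outside the hunk.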