From 0bbb679e38cdf553db2829d06cb859fe9b6ce2be Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 12 Sep 2022 13:29:51 +0200 Subject: [PATCH] fix: FPs with veam backup shell --- .../proc_creation_win_ntfs_short_name_path_use_cli.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 76b3888e5..6fe080f91 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/08/12 +modified: 2022/09/12 logsource: category: process_creation product: windows @@ -27,6 +27,7 @@ detection: - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' + - '\veam.backup.shell.exe' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
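Review bot: The new filter entry `'\veam.backup.shell.exe'` in the second hunk is matched with `ParentImage|endswith` on a bare file name, whereas the two existing entries (`'\WebEx\WebexHost.exe'`, `'\thor\thor64.exe'`) each include a parent directory. As written, a parent process with that file name in any directory suppresses the rule, so consider including the directory component seen in the false-positive event. Both the entry and the commit subject spell the name "veam". Please confirm the string against the ParentImage value in the event that caused the FP, because an `endswith` value that does not match the real file name leaves the false positive in place. A short note in the rule or the commit message on which event prompted the exclusion would also help later reviewers.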