From 0feefdc75168f03ef500b660da1a7a5c27ca2f2a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 12 Feb 2022 10:17:27 +0100
Subject: [PATCH] Update win_pc_susp_run_folder.yml
---
 rules/windows/process_creation/win_pc_susp_run_folder.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_pc_susp_run_folder.yml b/rules/windows/process_creation/win_pc_susp_run_folder.yml
index 19c324660..b316906ea 100644
--- a/rules/windows/process_creation/win_pc_susp_run_folder.yml
+++ b/rules/windows/process_creation/win_pc_susp_run_folder.yml
@@ -1,7 +1,7 @@
-title: Start From a Suspicious Folder
+title: Process Start From Suspicious Folder
 id: dca91cfd-d7ab-4c66-8da7-ee57d487b35b
 status: experimental
-description: Start from Desktop or temp folder
+description: Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files
 references:
 - Malware sandbox results
 author: frack113
@@ -14,6 +14,7 @@ detection:
 Image|contains:
 - '\Desktop\'
 - '\Temp\'
+ - '\Temporary Internet'
 condition: image
 falsepositives:
 - unknown
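Review bot: The `falsepositives` entry at the end of the second hunk is still `- unknown`, although the selection now matches any image path containing `\Desktop\`, `\Temp\` or `\Temporary Internet`, which installers, updaters and user-launched tools commonly hit. Replacing it with concrete entries such as `- Installers and updaters that unpack and run from a temp folder` and `- Portable tools started by users from the Desktop` would give analysts something to triage and tune against. The added `'\Temporary Internet'` value also has no trailing path separator, unlike its two siblings; if that is deliberate so it covers `Temporary Internet Files`, a short YAML comment on that line saying so would keep a later cleanup from narrowing it. The rule continues outside the hunk, so `level` and any existing filter are not visible here.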