From f0c89239d3dcdf660dce4d87508e1f5024f5f907 Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Sat, 23 Feb 2019 17:45:08 +0300
Subject: [PATCH 1/2] Added some unusual paths.

---
 rules/windows/builtin/win_susp_run_locations.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
index 8426baa32..ce007a6e3 100644
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ b/rules/windows/builtin/win_susp_run_locations.yml
@@ -15,6 +15,14 @@ detection:
             - '*:\SystemVolumeInformation\\*'
             - '%windir%\Tasks\\*'
             - '%systemroot%\debug\\*'
+            - '%windir%\fonts\\*'
+            - '%windir%\help\\*'
+            - '%windir%\drivers\\*'
+            - '%windir%\addins\\*'
+            - '%windir%\cursors\\*'
+            - '%temp%\\*'
+            - '%windir%\system32\tasks\\*'
+
     condition: selection
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment

From 121e21960eae0e114b5e10ce9f9545ba0a4e4d5a Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Thu, 9 May 2019 23:09:22 +0200
Subject: [PATCH 2/2] Rule changes

* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
---
 .../win_susp_run_locations.yml | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml
index 74e7965d3..e325b6c86 100644
--- a/rules/windows/process_creation/win_susp_run_locations.yml
+++ b/rules/windows/process_creation/win_susp_run_locations.yml
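Review bot: The last added line of the hunk is a bare blank line between `- '%windir%\system32\tasks\\*'` and `condition: selection`, which separates `condition` from the `selection` it refers to inside the same `detection` block; the surrounding rule keeps those lines adjacent, so the empty `+` line is better dropped. The seven new entries also spell their directories as unexpanded environment variables (`%windir%`, `%temp%`) inside a `CommandLine` match, which can only match when the variable name appears verbatim in the logged command line rather than the expanded path; the second patch in this series already replaces them with literal paths, so no further change is needed here.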
@@ -13,18 +13,17 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine:
+        Image:
            - '*:\RECYCLER\\*'
            - '*:\SystemVolumeInformation\\*'
-           - '%windir%\Tasks\\*'
-           - '%systemroot%\debug\\*'
-           - '%windir%\fonts\\*'
-           - '%windir%\help\\*'
-           - '%windir%\drivers\\*'
-           - '%windir%\addins\\*'
-           - '%windir%\cursors\\*'
-           - '%temp%\\*'
-           - '%windir%\system32\tasks\\*'
+           - 'C:\\Windows\\Tasks\\*'
+           - 'C:\\Windows\\debug\\*'
+           - 'C:\\Windows\\fonts\\*'
+           - 'C:\\Windows\\help\\*'
+           - 'C:\\Windows\\drivers\\*'
+           - 'C:\\Windows\\addins\\*'
+           - 'C:\\Windows\\cursors\\*'
+           - 'C:\\Windows\\system32\tasks\\*'
 
     condition: selection
 falsepositives:
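Review bot: The eight new `Image` patterns pin the drive letter to `C:`, while the two existing entries kept in the same list (`'*:\RECYCLER\\*'`, `'*:\SystemVolumeInformation\\*'`) match any drive, so a Windows installation on another volume is silently excluded from the new paths; writing them as `'*:\\Windows\\Tasks\\*'` (and likewise for the other seven) would keep the list consistent with the existing entries. The last new line, `'C:\\Windows\\system32\tasks\\*'`, also mixes a single backslash before `tasks` with the doubled backslashes used everywhere else in the same value; Sigma's escaping rules should treat both as a literal backslash, but `'C:\\Windows\\system32\\tasks\\*'` keeps the escaping uniform and avoids a reader taking `\t` for an escape sequence. The rule's `falsepositives` entries and its remaining fields continue outside the hunk.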