From 25dc3e78be37b60fd72f79c8dccef0b51ba8b454 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 22 Feb 2018 16:59:11 +0100
Subject: [PATCH] Lowered severity of rule - prone to false positives

---
 rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml
index 72e8b858e..258254ccf 100644
--- a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml
+++ b/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml
@@ -15,5 +15,5 @@ detection:
 Image: '*\FLTLDR.exe*'
 condition: selection
 falsepositives:
- - Unknown
-level: critical
+ - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
+level: medium
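Review bot: The new falsepositives entry tells the analyst to look for suspicious file names or locations but does not say which event fields carry them, and the only selection field visible in the hunk is `Image: '*\FLTLDR.exe*'`, so the triage guidance is hard to act on as written. Naming the fields to inspect would make it concrete, e.g. `- Several false positives identified; check the parent process and command line for suspicious file names or locations (e.g. Temp folders)`. The selection block starts before this hunk, so it may already include further fields that the text could reference. Separately, the trailing `*` in the Image pattern also matches any path that merely continues after `\FLTLDR.exe`, which may be one source of the false positives this commit reacts to; `'*\FLTLDR.exe'` would be the tighter form if that broader match is not intended.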