From 2bea984f0a8afa2f9311bc3f4874ab4bf9074faf Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 20 Jul 2022 12:53:24 +0200
Subject: [PATCH] fix: FPs with Rundll32 rule

---
 .../proc_creation_win_susp_rundll32_activity.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml
index 9ee1096ec..d64c72d48 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml
@@ -9,7 +9,7 @@ references:
 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
 - https://twitter.com/nas_bench/status/1433344116071583746
 date: 2019/01/16
-modified: 2022/05/09
+modified: 2022/07/20
 logsource:
 category: process_creation
 product: windows
@@ -72,7 +72,9 @@ detection:
 - CommandLine|contains|all:
 - 'dfshim.dll'
 - 'ShOpenVerbShortcut'
- condition: selection
+ filter:
+ CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
+ condition: selection and not filter
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
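Review bot: The new `filter` in the second hunk matches `shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver` with `contains`, so it suppresses every branch of `selection` whenever that substring appears anywhere in the command line, not only the screensaver launch that produced the false positive; the `selection` block it is applied to starts outside the hunk. If the legitimate invocation is a fixed command line, a tighter modifier such as `CommandLine|endswith` (assuming the benign launch always ends with that string — worth confirming against the observed events) keeps the remaining rundll32 detections intact. A short comment above the filter, e.g. `# Exclusion for the legitimate screensaver launch via desk.cpl`, would record why the exclusion exists for later tuning. The first hunk is only the `modified` date bump.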