Merge PR #5583 from @Neo23x0 - Fix Windows Binaries Write Suspicious Extensions

fix: Windows Binaries Write Suspicious Extensions - Add filter for PowerShell files created by svchost in the Clipchamp folder.
2025-08-14 14:09:46 +02:00
parent c71512aa86
commit 2c8a4d1e3c
1 changed files with 6 additions and 1 deletions
@@ -9,7 +9,7 @@ references:
    - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-12
-modified: 2024-04-15
+modified: 2025-08-05
 tags:
    - attack.defense-evasion
    - attack.t1036
@@ -64,6 +64,11 @@ detection:
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
+    filter_main_clipchamp:
+        Image: 'C:\Windows\system32\svchost.exe'
+        TargetFilename|contains|all:
+            - 'C:\Program Files\WindowsApps\Clipchamp'
+            - '.ps1'
    condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
    - Unknown