From 2c8a4d1e3cbf705efa7f1317ce82137cf5d45c58 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 14 Aug 2025 14:09:46 +0200 Subject: [PATCH] Merge PR #5583 from @Neo23x0 - Fix `Windows Binaries Write Suspicious Extensions` fix: Windows Binaries Write Suspicious Extensions - Add filter for PowerShell files created by svchost in the Clipchamp folder. --- .../file_event_win_shell_write_susp_files_extensions.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml index f568846fa..0c68b7242 100644 --- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml +++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml @@ -9,7 +9,7 @@ references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-12 -modified: 2024-04-15 +modified: 2025-08-05 tags: - attack.defense-evasion - attack.t1036 @@ -64,6 +64,11 @@ detection: TargetFilename|endswith: - '.ps1' - '.bat' + filter_main_clipchamp: + Image: 'C:\Windows\system32\svchost.exe' + TargetFilename|contains|all: + - 'C:\Program Files\WindowsApps\Clipchamp' + - '.ps1' condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unknown
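Review bot: in the `filter_main_clipchamp` block, `TargetFilename|contains|all` with `'.ps1'` matches that substring anywhere in the path rather than the file extension, and the path fragment is anchored on a hard-coded `C:` drive, so the exclusion is both broader and narrower than the behaviour it describes. Suggest mirroring the selection's modifier with `TargetFilename|endswith: '.ps1'` and dropping the drive letter, e.g. `TargetFilename|contains: '\Program Files\WindowsApps\Clipchamp'` (or `|startswith` if the install location is stable), so a filename that merely contains `.ps1` elsewhere is not silently excluded and installations on another volume are still covered. It would also help to record the observed false positive (svchost writing PowerShell files into the Clipchamp package folder) in the rule's `falsepositives` list, which the trailing context shows still reads `- Unknown`.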