Update file_event_win_creation_system_file.yml

2022-11-08 12:49:53 +01:00
parent f9d54c722f
commit 2e224baa94
1 changed files with 1 additions and 0 deletions
@@ -113,6 +113,7 @@ detection:
    filter8:
        # This filter handles system processes who are updated/installed using misexec.
        Image: C:\WINDOWS\system32\msiexec.exe
+        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
        TargetFilename: C:\Program Files\PowerShell\7\pwsh.exe
    condition: selection and not 1 of filter*
 fields: