From 2e224baa9459ea07e7c44e10447dd13b9efd3a75 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 8 Nov 2022 12:49:53 +0100
Subject: [PATCH] Update file_event_win_creation_system_file.yml

---
 .../file/file_event/file_event_win_creation_system_file.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index 8f83b47bd..f5559d598 100755
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -113,6 +113,7 @@ detection:
 filter8:
 # This filter handles system processes who are updated/installed using misexec.
 Image: C:\WINDOWS\system32\msiexec.exe
+ # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
 TargetFilename: C:\Program Files\PowerShell\7\pwsh.exe
 condition: selection and not 1 of filter*
 fields:
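Review bot: The added comment inside filter8 ends mid-sentence ("If the list grows big") so the guidance it is meant to give is lost; the line should be finished or trimmed before merge, for example `# Add more processes if you find them, or filter msiexec on its own; note that matching on Image alone would exclude every system-file creation performed through an MSI installer, which widens this rule's blind spot.` Spelling that trade-off out matters because filter8 currently requires both the msiexec Image and the pwsh.exe TargetFilename, and the comment invites a reader to drop the second half of that pair. The existing context comment also reads "misexec" where "msiexec" is meant, which could be fixed in the same touch. The detection block starts before this hunk and the `fields:` section continues after it.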