From 342ec1c9ccdaaabf9cd8ba1bacd63cb35c68d74e Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 10 Aug 2022 11:23:42 +0200
Subject: [PATCH] fix: FP with wrongly matching folders

---
 .../image_load/image_load_susp_dll_load_system_process.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index bcc746c2b..f683c2f77 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
     - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 date: 2022/07/17
-modified: 2022/08/02
+modified: 2022/08/10
 logsource:
     product: windows
     category: image_load
@@ -20,7 +20,9 @@ detection:
         - '\Downloads\'
         - '\AppData\Local\Temp\'
         - 'C:\PerfLogs\'
-    condition: selection
+    filter:
+        ImageLoaded|contains: '\Program Files'
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: high
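Review bot: The new `filter` (`ImageLoaded|contains: '\Program Files'`) is a substring match, so it also suppresses a DLL loaded from e.g. `C:\Users\x\AppData\Local\Temp\Program Files\evil.dll` — one of the exact locations the selection list above it is meant to catch — and that folder name is attacker-controlled, which turns a false-positive fix into a trivial bypass for a `high`-level rule. Anchoring the exclusion to the real install roots keeps the FP fix without the hole: `ImageLoaded|startswith: 'C:\Program Files'` (the prefix also covers `C:\Program Files (x86)\`). If the original false positive was on a non-`C:` drive, a list of explicit `startswith` roots is still safer than an unanchored `contains`. The `selection` key that the `\Downloads\` / `\AppData\Local\Temp\` / `C:\PerfLogs\` items belong to starts above this hunk, so the field and modifier they use cannot be confirmed from here.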