From 44013e25c8f7b0185ac5a47a4c6a6d00bf080699 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 18 Aug 2021 17:26:57 +0200
Subject: [PATCH 1/2] fix: FPs with WMIADAP.exe
---
 rules/windows/image_load/sysmon_wmi_module_load.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 9203768fe..e500bb6f3 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -37,6 +37,7 @@ detection:
 - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
 - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
 - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
+ - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871
 condition: selection and not filter
 fields:
 - ComputerName
From 768855e6d6702cddab0abf621dbb539d6ce96378 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 18 Aug 2021 18:17:53 +0200
Subject: [PATCH 2/2] update modified after FP fix
---
 rules/windows/image_load/sysmon_wmi_module_load.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index e500bb6f3..57d3ade28 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 description: Detects non wmiprvse loading WMI modules
 status: experimental
 date: 2019/08/10
-modified: 2021/06/15
+modified: 2021/08/18
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
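Review bot: The comment on the added `WMIADAP.exe` exclusion cites only the issue URL, whereas the neighbouring entries record the observed on-disk path that justified them; keeping that convention makes the filter list self-explaining if the issue is later closed or moved, e.g. `- '\windows\system32\wbem\WMIADAP.exe' # c:\windows\system32\wbem\WMIADAP.exe, see https://github.com/SigmaHQ/sigma/issues/1871`. The new entry is anchored to the full `\windows\system32\wbem\` path rather than a bare file name like `\ngentask.exe`, which is the tighter of the two conventions visible in this list and the one to prefer for future additions, since every entry here removes a loader from a rule whose purpose is to flag non-WmiPrvSe processes loading WMI modules. The enclosing filter key (presumably an `Image|endswith` list) begins above the hunk, so the exact match semantics cannot be confirmed from these lines.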