From 3a40ea79d3d7e0ba87c406a4dbea0b59cbca4052 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 22 Feb 2022 08:52:51 +0100
Subject: [PATCH] fix: FPs noticed with Aurora

---
 rules/windows/file_event/sysmon_creation_system_file.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index f0e95974b..e3bcec0fd 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in a suspicious folder
 author: Sander Wiebing, Tim Shelton
 date: 2020/05/26
-modified: 2022/02/07
+modified: 2022/02/22
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -47,7 +47,9 @@ detection:
             - 'C:\Windows\winsxs\'
             - 'C:\Windows\WinSxS\'
             - '\SystemRoot\System32\'
-        Image|endswith: '\Windows\System32\dism.exe'
+        Image|endswith:
+            - '\Windows\System32\dism.exe'
+            - '\TiWorker.exe'
     filter2:
         TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
         Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
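Review bot: The new `'\TiWorker.exe'` entry in the second hunk is anchored on the file name only, whereas the existing `dism.exe` entry is anchored under `\Windows\System32\`, so the exclusion now applies to any process whose image path ends in `\TiWorker.exe` regardless of where it runs from; for a rule whose purpose is T1036.005 masquerading, a name-only exclusion is the weakest form and deserves its own bounded filter. The legitimate servicing worker is normally installed below `C:\Windows\WinSxS\` (version-specific subfolder, which is presumably why `endswith` was chosen), so the exclusion can keep the directory constraint by pairing `Image|startswith` with `Image|endswith` in a separate selection, as below; the `condition` line, which is outside this hunk, would then need `and not filter_tiworker` added. If the exclusion is meant to stay limited to the system directories listed in `filter`, mirror that `TargetFilename|startswith` list in the new selection as well. The enclosing `detection` block begins and ends outside the hunk.
```yaml
        Image|endswith: '\Windows\System32\dism.exe'
    filter_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    # … unchanged: filter2 …
```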