From 3de0679d5ac61819e625186077e65e4981c19bbd Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Thu, 24 Jun 2021 11:22:41 +0200 Subject: [PATCH] Add fp note to PortProxy rules --- rules/windows/process_creation/win_netsh_port_fwd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml index 3ea432aeb..41751f51d 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd.yml @@ -34,4 +34,5 @@ detection: condition: selection1 or selection2 falsepositives: - Legitimate administration + - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723) level: medium
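Review bot: The new WSL2 entry under `falsepositives` in win_netsh_port_fwd.yml only documents the noise source; the context line `condition: selection1 or selection2` is unchanged, so the rule will still fire at `level: medium` whenever that bridge script runs. If the script's netsh invocation has a stable distinguishing trait, consider adding a filter selection and excluding it in the condition, or at least state in the entry what an analyst should check to tell the script from an unwanted port forward. Two smaller points: the subject says "PortProxy rules" (plural) while the diffstat shows one file and one insertion, so either the other PortProxy rules need the same line or the subject should be singular; and the entry is long because it carries the full issue URL inline, so a shorter description with the link kept as the only parenthetical would read better in rule listings.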