From 3faac9729d14bf44a7fe6a69fc65817e377ca3c8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 4 May 2022 11:33:12 +0200
Subject: [PATCH] fix: FP with Zoom

---
 .../registry_set_creation_service_uncommon_folder.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
index c7ef1e67c..f6d347f93 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
@@ -3,6 +3,7 @@ id: 277dc340-0540-42e7-8efb-5ff460045e07
 description: Detect the creation of a service with a service binary located in a uncommon directory
 status: experimental
 date: 2022/05/02
+modified: 2022/05/04
 author: Florian Roth
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
@@ -29,7 +30,14 @@ detection:
         Details|contains:
             - '\AppData\Local\'
             - '\AppData\Roaming\'
-    condition: 1 of selection_*
+    filter:
+        - Image|contains:
+            - '\AppData\Roaming\Zoom\'
+            - '\AppData\Local\Zoom\'
+        - Details|contains:
+            - '\AppData\Roaming\Zoom\'
+            - '\AppData\Local\Zoom\'
+    condition: 1 of selection_* and not filter
 falsepositives:
     - Unknown
 level: medium
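Review bot: The new `filter` suppresses the alert whenever the writing process path (`Image`) or the service binary path (`Details`) merely contains `\AppData\Local\Zoom\` or `\AppData\Roaming\Zoom\`, and both of those directories are user-writable, so an attacker can evade this rule simply by dropping the service binary into (or running the installer from) a `Zoom` folder under AppData — exactly the location class the rule is meant to catch. Narrowing the exclusion to the specific Zoom binary observed in the false positive (e.g. `Details|endswith` on its file name rather than a folder substring on both fields) would keep the FP fixed while leaving far less room for evasion; the binary name is not visible in this patch and should be taken from the event that motivated the fix. Because the rule now carries a known exception, the `falsepositives: - Unknown` entry kept as context in this hunk no longer reflects reality and should name it, e.g. `- Zoom installer registering its service binary from %AppData%`. The `detection:` block and its `selection_*` definitions begin above this hunk.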