From 448c86587fd89faefeaf5d95270a3e4a37ab2ef3 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 23 Oct 2021 13:29:16 -0500
Subject: [PATCH] Update process_creation_stordiag_execution.yml
---
 .../process_creation_stordiag_execution.yml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/rules/windows/process_creation_stordiag_execution.yml b/rules/windows/process_creation_stordiag_execution.yml
index 84a6fc4a9..8820ff983 100644
--- a/rules/windows/process_creation_stordiag_execution.yml
+++ b/rules/windows/process_creation_stordiag_execution.yml
@@ -14,16 +14,17 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- Image|endswith: '\schtasks.exe'
+ selection:
 ParentImage|endswith: '\stordiag.exe'
- selection2:
- Image|endswith: '\systeminfo.exe'
- ParentImage|endswith: '\stordiag.exe'
- selection3:
- Image|endswith: '\fltmc.exe'
- ParentImage|endswith: '\stordiag.exe'
- condition: selection1 or selection2 or selection3
+ Image|endswith:
+ - '\schtasks.exe'
+ - '\systeminfo.exe'
+ - '\fltmc.exe'
+ filter:
+ ParentImage|startwith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
+ - c:\windows\system32\
+ - c:\windows\syswow64\
+ condition: selection and not filter
 falsepositives:
 - Legitimate usage of stordiag.exe.
 level: high
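Review bot: The new `filter` block uses the modifier `ParentImage|startwith:`, which Sigma does not define — the modifier is `startswith` — so the rule will either be rejected by validation or the filter will not apply, and `condition: selection and not filter` would then keep alerting on stordiag.exe children even when the parent runs from the legitimate system32/syswow64 paths, defeating the purpose of this change. Change the line to `ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"`. The inline comment would also be clearer as `# exclude the legitimate stordiag.exe locations; the technique first copies the binary out of system32`. Sigma string comparison is case-insensitive by default, so the lower-case path prefixes themselves are fine.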