From 1c789bd0807993e8ab8db9aad3d17152557d669a Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 17 Dec 2021 09:20:21 +0100
Subject: [PATCH] fix: FP in Aviar installer
---
 .../process_creation_susp_non_exe_image.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
index 40798a9ef..505621821 100644
--- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
-modified: 2021/12/14
+modified: 2021/12/17
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
@@ -16,9 +16,10 @@ detection:
 image_exe:
 Image|endswith: '.exe'
 filter:
-Image: null
-Image|startswith: 'C:\Windows\Installer\MSI'
-condition: not image_exe and not 1 of filter
+- Image: null
+- Image|startswith: 'C:\Windows\Installer\MSI'
+- ParentImage|startswith: 'C:\ProgramData\Avira\'
+condition: not image_exe and not filter
 falsepositives:
 - unknown
 level: high
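Review bot: The new `ParentImage|startswith: 'C:\ProgramData\Avira\'` entry in the second hunk excludes every non-.exe process creation whose parent sits anywhere under that directory, and subdirectories of `C:\ProgramData` are often writable by unprivileged users, so the exclusion is broader than the single installer it is meant to cover and weakens the detection for anything launched from that tree. If the observed false positive can be pinned down further from the triggering event (the installer's own image or parent image name), narrowing the entry to that value — for instance pairing `ParentImage|startswith: 'C:\ProgramData\Avira\'` with the observed `Image` value in the same list item so both must match — keeps the exclusion to the known case. The `falsepositives` section, visible as context in this hunk, still reads `- unknown` although the commit adds an exclusion for a known case; it should record it, e.g. `- Avira installer (non-.exe child of a process under C:\ProgramData\Avira\)`. The `detection` block starts before this hunk.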