From 47fa1dff54f291dcbbc5d660b34a62c99e91cd50 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 22 Jan 2023 23:41:56 +0100
Subject: [PATCH] fix: fp with iissetup

---
 .../proc_creation_win_iis_appcmd_susp_module_install.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
index bb110c4d2..f26e06957 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
@@ -25,6 +25,8 @@ detection:
 CommandLine|contains:
 - '/name:'
 - '-name:'
+ filter_iis_setup:
+ ParentImage: 'C:\Windows\System32\inetsrv\iissetup.exe'
 condition: all of selection_*
 falsepositives:
 - Unknown as it may vary from organisation to organisation how admins use to install IIS modules
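Review bot: The new `filter_iis_setup` block is never evaluated, because the unchanged context line `condition: all of selection_*` references only `selection_*` keys, so as committed the rule still fires on iissetup.exe-spawned appcmd.exe and the false positive is not fixed. A Sigma filter has to be named in the condition; change it to `condition: all of selection_* and not 1 of filter_*` (or `and not filter_iis_setup`). Once the filter is live, be aware that excluding on `ParentImage` alone is a potential evasion point — a parent-PID-spoofed launch of appcmd.exe could presumably be suppressed the same way — so it is worth recording that tradeoff in `falsepositives` (e.g. `- Legitimate IIS module installation by iissetup.exe is filtered by parent image; parent spoofing can abuse this filter`) rather than loosening the path match further. The `selection_*` blocks and the start of the `detection` mapping lie outside the hunk.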