From 691649d9320dca6fd27d4835b2f94b4c2a969241 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 9 Nov 2022 09:20:45 +0100
Subject: [PATCH 1/2] fix: bcedit downloaded to C:\Windows\SoftwareDistribution
---
 .../file/file_event/file_event_win_creation_system_file.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index f5559d598..e7d560dc9 100755
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
 date: 2020/05/26
-modified: 2022/11/08
+modified: 2022/11/09
 tags:
 - attack.defense_evasion
 - attack.t1036.005
@@ -91,6 +91,7 @@ detection:
 - 'C:\Windows\System32\'
 - 'C:\Windows\SysWOW64\'
 - 'C:\Windows\WinSxS\'
+ - 'C:\Windows\SoftwareDistribution\'
 - '\SystemRoot\System32\'
 Image|endswith:
 - '\Windows\System32\dism.exe'
From 9136963672eb1b95ddd67f81ba413d8af77ae9bd Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 9 Nov 2022 10:57:57 +0100
Subject: [PATCH 2/2] fix: filter empty ParentImage which might happen as a race condition on startup
---
 .../process_creation/proc_creation_win_lolbin_wlrmdr.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
index b0cc6e741..3fbfaedfd 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
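Review bot: The added `'C:\Windows\SoftwareDistribution\'` prefix exempts the entire Windows Update working tree from this detection rather than the one location where the copy named in the subject was observed, so any file carrying a system-binary name written anywhere under that directory is now ignored. If the observed drop was under the Download subfolder, the narrower prefix `'C:\Windows\SoftwareDistribution\Download\'` keeps most of the coverage, and either way the entry deserves a comment such as `# Windows Update stages downloaded update files here`, since nothing in the rule records why this directory is exempt. The key introducing this list and the rest of the filter sit above the hunk, so whether this is a startswith match on the target path, as the neighbouring entries suggest, cannot be confirmed from here.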
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
 author: frack113
 date: 2022/02/16
-modified: 2022/06/02
+modified: 2022/11/09
 tags:
 - attack.defense_evasion
 logsource:
@@ -24,7 +24,9 @@ detection:
 - '-u '
 filter:
 ParentImage: 'C:\Windows\System32\winlogon.exe'
- condition: selection and not filter
+ filter_null:
+ ParentImage: '-'
+ condition: selection and not 1 of filter*
 falsepositives:
 - Unknown
 level: medium
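Review bot: The new `filter_null` matches the literal string `'-'`, not an empty or absent ParentImage as the subject describes; that is the placeholder Sysmon writes for a field it could not resolve, so the exclusion only takes effect for Sysmon-shaped events and only where the backend compares the value as a plain string. A comment on the entry would spare the next reader that guess, e.g. `ParentImage: '-'  # Sysmon placeholder for an unresolved parent (observed at boot)`. The rule now also discards every wlrmdr launch whose parent was not captured, which is a real loss of coverage and should be stated under `falsepositives` instead of the current `- Unknown`. The `filter` stanza referenced by the new `1 of filter*` condition begins above the hunk.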