From 4f3e3166d38a0cff3fea26ab108fa71bb0ca2a29 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 26 Feb 2020 09:33:55 +0100
Subject: [PATCH] fixing false positives

---
 .../win_copying_sensitive_files_with_credential_data.yml | 6 +++---
 rules/windows/sysmon/sysmon_suspicious_remote_thread.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
index 4b3adbbbf..f7b43d2da 100644
--- a/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+++ b/rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
@@ -21,13 +21,13 @@ detection:
 - Image|endswith: '\esentutl.exe'
 CommandLine|contains:
 - 'vss'
- - '/m'
- - '/y'
+ - ' /m '
+ - ' /y '
 - CommandLine|contains:
 - '\windows\ntds\ntds.dit'
 - '\config\sam'
 - '\config\security'
- - '\config\system'
+ - '\config\system ' # space needed to avoid false positives with \config\systemprofile\
 - '\repair\sam'
 - '\repair\system'
 - '\repair\security'
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
index c940f99f4..8d1519e4b 100644
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
@@ -59,7 +59,7 @@ detection:
 - '\schtasks.exe'
 - '\smartscreen.exe'
 - '\spoolsv.exe'
- - '\taskhost.exe'
+ # - '\taskhost.exe' # disabled due to false positives
 - '\tstheme.exe'
 - '\userinit.exe'
 - '\vssadmin.exe'
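Review bot: The trailing-space anchors in the new `' /m '`, `' /y '` and `'\config\system '` entries also drop legitimate matches, because `contains` requires the literal space and a token that ends the command line or sits inside quotes (`"...\config\system"`) is followed by nothing or by `"` rather than a space. Keeping the systemprofile exclusion while closing that gap is cheap: add the quote-terminated sibling `- '\config\system"'`, or express the boundary once with `CommandLine|re:` and a `(\s|"|$)` tail instead of padded literals. The same caveat applies to the two esentutl switches, and if `/m` is ever written with a modifier letter attached (esentutl documents forms such as `/mh`) the padded form no longer matches at all, which is worth confirming against the intended coverage. The inline `# space needed ...` comment explains the why, which is good; the selection names and `condition` this list belongs to are above and below the hunk, so whether the two `CommandLine|contains` lists are ANDed or ORed cannot be checked from here.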
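Review bot: Commenting out `'\taskhost.exe'` removes that process from the list for every event rather than carving out the benign case, and the replacement comment `# disabled due to false positives` does not record what produced them, so the next maintainer cannot tell whether the exclusion is still needed. The Sigma-idiomatic shape is to keep the entry and add a `filter` selection naming the offending source or parent image, then `condition: selection and not filter`, with the benign pattern also listed under the rule's `falsepositives:` field. If the cause is known, at minimum extend the comment, e.g. `# - '\taskhost.exe'  # disabled: false positives from <BENIGN_SOURCE_PLACEHOLDER>, see falsepositives`. The field this list belongs to (and the rule's `condition`) is outside the hunk, so the filter cannot be drafted from what is visible.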