Merge pull request #2977 from phantinuss/master

fix: FPs in prod environment

rules/windows/builtin/system/win_susp_service_installation.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious service installation commands
 author: pH-T
 date: 2022/03/18
-modified: 2022/03/24
+modified: 2022/05/02
 logsource:
   product: windows
   service: system
@@ -35,7 +35,9 @@ detection:
         - ' IAB'  # PowerShell encoded commands
         - ' PAA'  # PowerShell encoded commands
         - ' aQBlAHgA'  # PowerShell encoded commands
-  condition: selection and ( suspicious1 or all of suspicious2* )
+  filter_thor_remote:
+      ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
+  condition: selection and ( suspicious1 or all of suspicious2* ) and not 1 of filter_*
 falsepositives:
   - Unknown
 level: high

rules/windows/builtin/system/win_system_defender_disabled.yml

@@ -5,7 +5,7 @@ related:
       type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/11/22
+modified: 2022/05/02
 author: Ján Trenčanský, frack113
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -21,11 +21,12 @@ detection:
     Selection:
         EventID: 7036
         Provider_Name: 'Service Control Manager'
-        param1: 
+        param1:
             - 'Windows Defender Antivirus Service'
             - 'Service antivirus Microsoft Defender' #French OS
         param2: 'stopped'
     condition: Selection
 falsepositives:
     - Administrator actions
-level: high
+    - Auto updates of Windows Defender causes restarts
+level: low