From 3681b8cb56144248ed57afdb31ce748d01190a0b Mon Sep 17 00:00:00 2001
From: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue, 26 May 2020 13:56:51 +0200
Subject: [PATCH] Extended Windows processes
---
 rules/windows/process_creation/win_system_exe_anomaly.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index da2422704..809970e8b 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -30,6 +30,13 @@ detection:
 - '*\winlogon.exe'
 - '*\explorer.exe'
 - '*\taskhost.exe'
+ - '*\Taskmgr.exe'
+ - '*\sihost.exe'
+ - '*\RuntimeBroker.exe'
+ - '*\smartscreen.exe'
+ - '*\dllhost.exe'
+ - '*\audiodg.exe'
+ - '*\wlanext.exe'
 filter:
 Image:
 - 'C:\Windows\System32\\*'
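Review bot: Two of the added names, `'*\dllhost.exe'` and `'*\Taskmgr.exe'`, also ship as 32-bit copies under `C:\Windows\SysWOW64\` on 64-bit Windows, so they will alert on normal activity unless the `filter` list excludes that directory. Only the first filter entry (`'C:\Windows\System32\\*'`) is visible here and the list continues outside the hunk; if it has no SysWOW64 entry, add `- 'C:\Windows\SysWOW64\\*'` next to it and mention 32-bit system binaries under `falsepositives`. The new entries also use mixed case (`Taskmgr`, `RuntimeBroker`) where the existing ones are lowercase; Sigma matching is case-insensitive by default, but some backends may emit case-sensitive queries, so lowercase would be the safer and more consistent spelling.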