From 6187cfdfd6d2f7ff199beb6e08fd2234a8e8eb0e Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 14 Jul 2022 19:41:52 +0000
Subject: [PATCH] False positive when amazon workspaces is running and doing its weird little things
---
 .../proc_creation_win_susp_powershell_sub_processes.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
index 8d8d30925..aa91bde96 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
@@ -2,8 +2,9 @@ title: Suspicious PowerShell Sub Processes
 id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
 description: Detects suspicious sub processes spawned by PowerShell
 status: experimental
-author: Florian Roth
+author: Florian Roth, Tim Shelton
 date: 2022/04/26
+modified: 2022/07/14
 references:
 - https://twitter.com/ankit_anubhav/status/1518835408502620162
 logsource:
@@ -28,7 +29,10 @@ detection:
 - '\rundll32.exe'
 - '\forfiles.exe'
 - '\scriptrunner.exe'
-    condition: selection
+ falsepositive:
+ ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
+ CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
+ condition: selection and not falsepositive
 falsepositives:
 - Unknown
 level: high
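Review bot: The new `falsepositive` block in the second hunk is a mapping with two keys, which Sigma evaluates as AND, so the exclusion only applies when both the parent command line and the child command line contain the WorkspacesConfig path; if the intent was to suppress whenever either side references that directory, each field needs to be its own list item (`- ParentCommandLine|contains: ...` / `- CommandLine|contains: ...`) so they are ORed. Either way, `CommandLine|contains` on the spawned child is attacker-controllable — any PowerShell-launched rundll32/forfiles/etc. that carries that substring as an argument would be excluded from a `level: high` rule — so consider keeping only the `ParentCommandLine` condition, or anchoring with `startswith` rather than `contains`. The selection name also collides visually with the top-level `falsepositives` key; the Sigma convention is a `filter_` prefix, e.g. `filter_aws_workspaces:` with `condition: selection and not filter_aws_workspaces`. Finally, `falsepositives:` still says `- Unknown`; it should now document the case the filter covers, e.g. `- AWS Workspaces configuration scripts (WorkspacesConfig\Scripts)`.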