From 65cdc9d04d0dbc6dc2cb601394e17f68c73148da Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 20 Aug 2022 09:22:05 +0200
Subject: [PATCH] Update proc_creation_win_lolbin_customshellhost.yml

---
 .../proc_creation_win_lolbin_customshellhost.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
index 3408ad75c..26106e227 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
@@ -17,7 +17,10 @@ detection:
 - Image|endswith: '\CustomShellHost.exe'
 - OriginalFileName: 'CustomShellHost.exe'
 filter:
- Image: 'C:\Windows\explorer.exe'
+ - Image:
+ - 'C:\Windows\explorer.exe'
+ - 'C:\Windows\System32\explorer.exe'
+ - CurrentDirectory|startswith: C:\Windows\System32\
 condition: selection and not filter
 falsepositives:
 - Unknown
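Review bot: The added `- CurrentDirectory|startswith: C:\Windows\System32\` is a second list item under `filter`, which Sigma evaluates as an independent alternative to the `Image` entry, so with `condition: selection and not filter` any CustomShellHost.exe start whose working directory is under System32 is now excluded regardless of its image path; because the working directory is chosen by whatever launches the process, this exclusion is considerably broader than the two explorer.exe paths. If the intent is that both conditions must hold for the benign case, the dash before `CurrentDirectory` should be dropped so it joins the same mapping as `Image`; if the OR is intended, the broadening is worth a comment in the rule and the context line `- Unknown` under `falsepositives` could name the System32 launch this filter encodes instead. The value is also the only unquoted scalar in the hunk; `- CurrentDirectory|startswith: 'C:\Windows\System32\'` would match the quoting of the sibling values. The enclosing `detection` block (and `selection`) begins above the hunk.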