From 671b60e42ffff3eb56f426a2d53daa67c79b4a5b Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 23 Nov 2022 09:53:35 +0100
Subject: [PATCH] fix: FP in testing environment
---
 .../proc_creation_win_susp_parent_of_conhost.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
index 4fa3403d7..138df7b91 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
@@ -6,7 +6,7 @@ references:
 - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
 author: Tim Rauch
 date: 2022/09/28
-modified: 2022/11/22
+modified: 2022/11/23
 tags:
 - attack.execution
 - attack.t1059
@@ -36,10 +36,11 @@ detection:
 ParentCommandLine|contains:
 - '-k apphost -s AppHostSvc'
 - '-k imgsvc'
- - '-k netsvcs -p -s NetSetupSvc'
 - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
- - '-k wsappx -p -s ClipSVC'
+ - '-k netsvcs -p -s NetSetupSvc'
 - '-k netsvcs -p -s wlidsvc'
+ - '-k wsappx -p -s AppXSvc'
+ - '-k wsappx -p -s ClipSVC'
 - 'C:\Program Files (x86)\Dropbox\Client\'
 - 'C:\Program Files\Dropbox\Client\'
 condition: selection and not filter
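Review bot: The new `- '-k wsappx -p -s AppXSvc'` exclusion, like the sibling entries in the second hunk, keys only on a `ParentCommandLine|contains` substring, so unless the selection or the filter (both opened above this hunk, outside the visible lines) also pins the parent image, the exclusion applies to any parent whose command line carries that fragment rather than only to the service host. If the filter does not already constrain it, pair the service entries with `ParentImage|endswith: '\svchost.exe'` so the svchost-specific exclusions stay scoped to svchost. The commit title attributes the false positive to a testing environment only; since AppXSvc is a standard Windows service, it would help to record the legitimate AppXSvc-to-conhost parentage in the rule's `falsepositives` section (also outside this hunk) so the next reviewer knows why the entry exists. The first hunk is a `modified` date bump and needs no change.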