From 6b2bf871c2e1593b2fd3caa651a257dbe2c94693 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 21 Jun 2023 09:52:01 +0200
Subject: [PATCH] fix: false positives with missing Image field

---
 .../proc_creation_win_userinit_uncommon_child_processes.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
index d5967a44e..d55f1e293 100644
--- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml
@@ -10,7 +10,7 @@ references:
     - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
 author: Tom Ueltschi (@c_APT_ure), Tim Shelton
 date: 2019/01/12
-modified: 2023/01/31
+modified: 2023/06/21
 tags:
     - attack.t1037.001
     - attack.persistence
@@ -36,6 +36,8 @@ detection:
             - 'C:\Windows\SysWOW64\proquota.exe'
     filter_optional_citrix:
         Image|endswith: '\Citrix\System32\icast.exe'
+    filter_optional_image_null:
+        Image: null
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
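Review bot: The new `filter_optional_image_null` exclusion in the second hunk carries no explanation of which event source emits userinit child-process events without an `Image` field, so a later maintainer cannot tell whether the filter is still needed or whether it is papering over a broken field mapping in one backend. Because `Image: null` matches every event in which the field is absent, the rule is now silent for all such events, including ones that would otherwise satisfy `selection`; that coverage gap should be stated next to the filter, e.g. `# Events lacking an Image field are excluded to avoid FPs (see commit 6b2bf871); this also suppresses any detection for such events — revisit once the emitting source is identified`. It would also help rule consumers to record the trade-off under `falsepositives`, which currently only mentions logon scripts and custom shells. The `selection` block of `detection` lies outside the hunk, so I cannot confirm whether it already constrains on `Image` or only on the parent process.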