From c3785d6dc78eee19d43c52f0224492876734cf90 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 5 Nov 2020 16:44:33 +0100
Subject: [PATCH] rule: FPs with WmiPrvSE rule
---
 .../process_creation/win_wmiprvse_spawning_process.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index fcabfdb70..aafe963ea 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 description: Detects wmiprvse spawning processes
 status: experimental
 date: 2019/08/15
-modified: 2019/11/10
+modified: 2020/11/05
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md
@@ -19,7 +19,10 @@ detection:
     filter:
         - LogonId: '0x3e7' # LUID 999 for SYSTEM
         - User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
+        - Image|endswith:
+            - '\WmiPrvSE.exe'
+            - '\WerFault.exe'
     condition: selection and not filter
 falsepositives:
     - Unknown
-level: critical
+level: high
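Review bot: The new `Image|endswith` entries exclude by file name alone, and because the items under `filter` are OR-ed this exclusion applies regardless of LogonId or User, so any child process named WerFault.exe or WmiPrvSE.exe from any directory is dropped from the detection. Anchoring the exclusion to the full paths where those binaries legitimately live keeps the FP fix while leaving a same-named binary elsewhere on disk detectable (rewritten entry below). The two added entries also carry no inline comment, unlike the neighbouring LogonId and User entries; a line such as `# crash handler and nested provider host spawned by WmiPrvSE are routine` would record why they are filtered. With the filter now encoding a known benign case, `falsepositives: - Unknown` is out of date and should name it. The `selection` this filter is subtracted from starts above the hunk and is not visible here.
```yaml
        - Image:
            - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
            - 'C:\Windows\SysWOW64\wbem\WmiPrvSE.exe'
            - 'C:\Windows\System32\WerFault.exe'
            - 'C:\Windows\SysWOW64\WerFault.exe'
```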