From 7679d057061ba0cb40a0a7a91c4aaf8c46d797fb Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 20 Dec 2022 13:23:32 +0100
Subject: [PATCH] fix: fp found in testing exchange server

---
 .../process_access_win_shellcode_inject_msf_empire.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
index f590e937f..d0d078105 100644
--- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
+++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
-modified: 2022/12/15
+modified: 2022/12/20
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -57,6 +57,11 @@ detection:
 SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
 SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
 TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
+ filter_wmiprvese:
+ SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
+ TargetImage: 'C:\Windows\system32\lsass.exe'
+ CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'
+ CallTrace|contains: '\System.ni.dll+'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
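Review bot: The new `filter_wmiprvese` exclusion in the second hunk is wider than the one Exchange false positive it was added for: it suppresses every WmiPrvSE.exe → lsass.exe access whose call trace begins in ntdll.dll and passes through `System.ni.dll`, and that is also the shape of managed (.NET) credential-access tooling run through a WMI provider host, so a tool loaded into WmiPrvSE that opens LSASS with unbacked frames would now be filtered out of a rule whose stated purpose is catching exactly that. The `selection` and the rest of the `detection` block start outside the hunk, so I cannot see whether `GrantedAccess` is already constrained; if it is not, the filter should pin the exact `GrantedAccess` value and the specific provider module observed above `System.ni.dll` on the Exchange box (via `CallTrace|contains|all`) rather than matching any .NET frame. Separately, the key name does not match the binary it names (`Wmiprvse`), and `falsepositives` still reads `- Unknown` even though the commit message says what triggered it; I would rename the key `filter_wmiprvse` and replace the entry with something like `- Managed (.NET) WMI providers on Exchange Server accessing LSASS via WmiPrvSE.exe`.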