From 7fc53c563e46a05fa9124e6f3d7cb53443b56a62 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Apr 2026 13:55:12 +0200
Subject: [PATCH] Merge PR #5925 from @Neo23x0 - Add filter for nsswitch and double extension in icons folder

fix: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
- Add additional path for nsswitch `/usr/share/factory/etc/nsswitch.conf`

fix: Suspicious Double Extension Files
- Add a new filter `/usr/share/icons/`

---------

Co-authored-by: Nasreddine Bencherchali
Thanks: @marius-benthin
---
 .../file_event_lnx_exploit_cve_2025_32463.yml | 5 ++++-
 .../file_event/file_event_win_susp_double_extension.yml | 6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml
index de969c7d2..ea07151e6 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml
@@ -10,6 +10,7 @@ references:
     - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
 author: Swachchhanda Shrawn Poudel (Nextron Systems)
 date: 2025-10-02
+modified: 2026-03-31
 tags:
     - attack.privilege-escalation
     - attack.t1068
@@ -22,7 +23,9 @@ detection:
     selection:
         TargetFilename|endswith: '/etc/nsswitch.conf'
     filter_main_legitimate_path:
-        TargetFilename: '/etc/nsswitch.conf'
+        TargetFilename:
+            - '/etc/nsswitch.conf'
+            - '/usr/share/factory/etc/nsswitch.conf'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Backup locations
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index 3bd6f6098..53b01bef9 100644
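Review bot: The new entry `'/usr/share/factory/etc/nsswitch.conf'` in filter_main_legitimate_path carries no explanation of why it is benign, and the rule's `falsepositives` list (`Backup locations`) does not cover it either. As far as I know this path is systemd's factory tree, which systemd-tmpfiles copies into /etc when the real file is missing, i.e. a packaged, root-owned source rather than an attacker-controlled chroot, but that reasoning currently lives only in the PR title. I would add a comment above the entry, `# systemd factory copy, seeded into /etc by systemd-tmpfiles (confirm against the systemd tmpfiles.d docs)`, and extend `falsepositives` with an entry naming the systemd factory tree. Both filter values are exact matches, so any other location ending in /etc/nsswitch.conf is still alerted on, which is what the `endswith` selection intends; the `modified` bump in the first hunk is fine as is.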
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -17,7 +17,7 @@ references:
     - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022-06-19
-modified: 2025-07-22
+modified: 2026-03-31
 tags:
     - attack.defense-evasion
     - attack.t1036.007
@@ -59,7 +59,9 @@ detection:
     #     TargetFilename|contains:
     #         - '\AppData\Roaming\Microsoft\Office\Recent\'
     #         - '\AppData\Roaming\Microsoft\Windows\Recent\'
-    condition: 1 of selection_*
+    filter_icons_linux:
+        TargetFilename|startswith: '/usr/share/icons/'
+    condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
     - Unlikely
 level: high
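Review bot: `filter_icons_linux` introduces an absolute Linux path, `/usr/share/icons/`, into a rule that lives under rules/windows/, and nothing in the hunk records why a Windows file-event rule needs it; the logsource block is outside the hunk, so I cannot tell whether the rule is scoped to `product: windows` (in which case the filter can never match and the false positive belongs in a Linux rule) or is deliberately broader. The naming also diverges from the sibling change in file_event_lnx_exploit_cve_2025_32463.yml, which uses the `filter_main_*` prefix and `not 1 of filter_main_*`; `filter_main_icons_linux:` with `condition: 1 of selection_* and not 1 of filter_main_*` would keep that convention and stop `filter_*` from silently absorbing any future optional filter. I would add a comment above the new filter, `# TODO: name the Linux icon-theme false positive this suppresses and confirm the logsource covers Linux file events`. With a known benign source now filtered, `falsepositives: - Unlikely` is no longer accurate and should name it. The enclosing `detection:` block starts outside the hunk; the `modified` bump in the first hunk is trivial.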