From 80b588d7fc2f656b5b8a171d8772a7205a71fe68 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 6 Feb 2023 12:48:45 +0100
Subject: [PATCH] fix: FP with wermgr in WinSXS
---
 .../windows/process_creation/proc_creation_win_susp_wermgr.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
index cbff1f31f..ff0222ff4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/binderlabs/DirCreate2System
 author: Florian Roth
 date: 2022/10/14
-modified: 2022/12/04
+modified: 2023/02/06
 logsource:
 category: process_creation
 product: windows
@@ -31,6 +31,7 @@ detection:
 Image|contains:
 - 'C:\Windows\System32\'
 - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
 condition: 1 of selection_susp* or (selection_img and not filter_img_location)
 falsepositives:
 - Unknown
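Review bot: The `falsepositives` list at the end of the second hunk still reads `- Unknown` even though this commit is explicitly a fix for a known false positive, so the rule's own metadata no longer reflects what its author has observed; I would replace that entry with `- Legitimate wermgr.exe launches from the WinSxS component store`. The new `'C:\Windows\WinSxS\'` entry joins a filter built on `Image|contains`, which accepts the substring anywhere in the path; since all three patterns are drive-rooted, `Image|startswith` would express the same intent more tightly and make the exclusion easier to reason about, though the practical difference on well-formed image paths is likely small. The detection section, including `selection_img` and the `selection_susp*` selections referenced in the condition, starts outside this hunk, so whether a WinSxS-resident image can still fire through a `selection_susp*` branch cannot be confirmed from the visible lines.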