From d75ea35295b6ad4f97f15f502606dd891db3931a Mon Sep 17 00:00:00 2001
From: Karneades
Date: Thu, 18 Apr 2019 21:51:27 +0200
Subject: [PATCH] Restrict whitelist filter in system exe anomaly rule
---
 rules/windows/process_creation/win_system_exe_anomaly.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 222dda114..1332419c9 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -26,8 +26,8 @@ detection:
 - '*\conhost.exe'
 filter:
 Image:
- - '*\System32\\*'
- - '*\SysWow64\\*'
+ - 'C:\Windows\System32\\*'
+ - 'C:\Windows\SysWow64\\*'
 condition: selection and not filter
 falsepositives:
 - Exotic software
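Review bot: The two new values under `filter: Image:` hard-code `C:\Windows`, so on a host whose system root is on another drive or in another directory, every legitimate system binary in the selection would now satisfy `selection and not filter` and raise an alert. Anchoring the path is a sound tightening of the old `*\System32\\*` pattern, but the rule should state the resulting limitation. I would add an entry to `falsepositives`, for example `- System binaries on hosts where Windows is not installed in C:\Windows`. The selection list starts above the hunk, so it is worth confirming that none of the listed executables also run legitimately from other Windows directories, and that the log source always reports `Image` in the drive-letter form.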