From 9a3fc4f543557eff2ee5be3d237cf324ace3968e Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 24 May 2022 22:31:05 +0000
Subject: [PATCH] FP: System image (driver) restoring files. Valid behavior

---
 .../file_event/file_event_win_webshell_creation_detect.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml
index 59a98326c..94c32cd80 100755
--- a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml
+++ b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml
@@ -2,11 +2,11 @@ title: Windows Webshell Creation
 id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
 status: test
 description: Possible webshell file creation on a static web site
-author: Beyu Denis, oscd.community
+author: Beyu Denis, oscd.community, Tim Shelton
 references:
 - PT ESC rule and personal experience
 date: 2019/10/22
-modified: 2021/11/27
+modified: 2022/05/24
 logsource:
 product: windows
 category: file_event
@@ -34,6 +34,8 @@ detection:
 TargetFilename|contains:
 - '\AppData\Local\Temp\'
 - '\Windows\Temp\'
+ Image:
+ - 'System' # fp : backup/restore from drivers
 # kind of ugly but sigmac seems not to handle double parenthesis "(("
 # we should prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
 condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives)
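Review bot: In the second hunk the new `Image:` key appears to be added as a sibling of `TargetFilename|contains:` inside the same selection map (indentation is lost in this view, so this is inferred from the hunk context and the 6→8 line count), and Sigma ANDs the keys of one map, so the filter would then only suppress events where the file is under a Temp path AND the Image is `System`, silently dropping the existing Temp-path suppression for every other process. The condition line is unchanged and still references a single `false_positives`, so the intent (either exception on its own) needs the selection expressed as a list of maps, which Sigma ORs, rather than as one map; the rewritten selection is below. Note also that the exact match on `System` relies on the source reporting the kernel pseudo-process with that bare name, as Sysmon does; for log sources that populate Image with a full path the exclusion would presumably never match, so that assumption is worth stating in the comment. The enclosing `detection:` block starts before this hunk.
```yaml
    false_positives:
        - TargetFilename|contains:
              - '\AppData\Local\Temp\'
              - '\Windows\Temp\'
        - Image: 'System'  # fp : backup/restore from drivers (Sysmon reports the kernel process as bare 'System')
    # … unchanged: sigmac double-parenthesis comments and condition line …
```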