From 9c8a649e6ce400f656cbcbcf8d4d21dfddb7d42e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 26 Nov 2021 17:12:33 +0100
Subject: [PATCH] fix: FP with suspicious svchost.exe rule

---
 rules/windows/process_creation/win_susp_svchost.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 39c9ae4cf..12f3a7989 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -8,7 +8,7 @@ tags:
 - attack.t1036 # an old one
 author: Florian Roth
 date: 2017/08/15
-modified: 2020/08/28
+modified: 2021/11/26
 logsource:
 category: process_creation
 product: windows
@@ -22,6 +22,7 @@ detection:
 - '\Mrt.exe'
 - '\rpcnet.exe'
 - '\svchost.exe'
+ - '\ngen.exe'
 filter_null:
 ParentImage: null
 condition: selection and not filter and not filter_null
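Review bot: The new `'\ngen.exe'` entry in the second hunk widens the parent-image exclusion by filename suffix only, which is broader than the false positive it is meant to cover, since the surrounding list (its `ParentImage` key and any `|endswith` modifier start before the hunk, so this is inferred from the backslash-prefixed siblings) matches that name under any directory. Consider anchoring the exclusion to the .NET Framework install directory rather than the bare filename, e.g. `- '<DOTNET_FRAMEWORK_DIR placeholder>\ngen.exe'`, so a same-named binary elsewhere on disk still trips the rule. The entry also deserves a one-line comment recording why it is excluded, e.g. `- '\ngen.exe'  # FP: .NET native image generation spawning svchost.exe (2021/11/26)`, and the rule's `falsepositives` section, which lies outside both hunks, should list ngen.exe as well. The first hunk is only the `modified` date bump.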