From 8a529a14c09eb2f12bfeddcb7ba4a27d046f0883 Mon Sep 17 00:00:00 2001
From: Veramine
Date: Wed, 14 Dec 2022 02:08:30 -0800
Subject: [PATCH 1/3] Add System to list of built-in Windows processes with no extension
---
 .../process_creation/proc_creation_win_susp_image_missing.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index 035bc209d..749b17f76 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -23,10 +23,12 @@ detection:
 - ''
 filter_4688:
 - Image:
+ - 'System'
 - 'Registry'
 - 'MemCompression'
 - 'vmmem'
 - CommandLine:
+ - 'System'
 - 'Registry'
 - 'MemCompression'
 - 'vmmem'
From 6540ca0ed97665e5e396ef839756aba6d7fb865b Mon Sep 17 00:00:00 2001
From: Veramine
Date: Wed, 14 Dec 2022 02:13:53 -0800
Subject: [PATCH 2/3] Update modified date
---
 .../process_creation/proc_creation_win_susp_image_missing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index 749b17f76..56b118c9d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 author: Max Altgelt
 date: 2021/12/09
-modified: 2022/09/20
+modified: 2022/12/14
 tags:
 - attack.defense_evasion
 logsource:
From a6a41eae8f3d63c2d38961426540be9adb36fb56 Mon Sep 17 00:00:00 2001
From: Veramine
Date: Wed, 14 Dec 2022 02:25:21 -0800
Subject: [PATCH 3/3] Removed System from CommandLine
---
 .../process_creation/proc_creation_win_susp_image_missing.yml | 1 -
 1 file changed, 1 deletion(-)
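Review bot: The added `- 'System'` under `Image` in `filter_4688` is a bare-name match, so any process whose image field is literally `System` with no extension is excluded, not just PID 4; a ghosted or herpaderped payload deliberately named `System` would pass this filter in exactly the way the existing `Registry`/`MemCompression`/`vmmem` entries already allow, and `System` is the most obvious name for an attacker to borrow. That trade-off is not recorded anywhere in the hunk. I would at least document it above the filter, `# name-only allowlist of built-in Windows processes that have no extension; a lookalike image named e.g. 'System' also passes this filter`, and, if the log source exposes the creating process id, consider a separate list entry that pairs `Image: 'System'` with the process id rather than the name alone — I cannot tell from this hunk whether the rule's field mapping provides that. The `detection:` block continues outside the hunk, so the `condition` that applies this filter is not visible here.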
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index 56b118c9d..fa68132c9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -28,7 +28,6 @@ detection:
 - 'MemCompression'
 - 'vmmem'
 - CommandLine:
- - 'System'
 - 'Registry'
 - 'MemCompression'
 - 'vmmem'