Merge pull request #3420 from phantinuss/master

FPs found in Testing

rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml

@@ -11,7 +11,7 @@ tags:
     - attack.t1218
 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
 date: 2019/11/12
-modified: 2022/07/20
+modified: 2022/08/23
 logsource:
     category: process_creation
     product: windows
@@ -32,6 +32,9 @@ detection:
         - CommandLine|contains|all:
             - 'C:\Users\'
             - '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe'
+        - CommandLine|contains|all:
+            - 'C:\Users\'
+            - '\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"'
     condition: all of selection* and not 1 of filter*
 falsepositives:
     - 1Clipboard

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml

@@ -117,6 +117,12 @@ detection:
     filter_ctfmon:
         Image: 'C:\Windows\system32\userinit.exe'
         Details: 'ctfmon.exe /n'
+    filter_AVG:
+        Image|startswith: 'C:\Program Files\AVG\Antivirus\Setup\'
+        Details:
+            - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
+            - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
+            - '{472083B0-C522-11CF-8763-00608CC02F24}'
     condition: all of current_version_* and not 1 of filter_*
 fields:
     - SecurityID