From b2cdb92b11dbffae56d702bc3e488f659d882b90 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 15 Mar 2022 18:05:42 +0100
Subject: [PATCH] fix: FPs with THOR
---
 .../sysmon_raw_disk_access_using_illegitimate_tools.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
index c9a292133..6011077e3 100644
--- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
@@ -4,7 +4,7 @@ description: Raw disk access using illegitimate tools, possible defence evasion
 author: Teymur Kheirkhabarov, oscd.community
 status: test
 date: 2019/10/22
-modified: 2022/02/21
+modified: 2022/03/15
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -49,6 +49,9 @@ detection:
 - 'C:\Users\'
 - '\AppData\'
 - '\Microsoft\'
+ filter_nextron: Image|startswith: 'C:\Windows\Temp\asgard2-agent\' Image|endswith: '\thor.exe'
 filter_startmenu_xphost:
 Image|startswith: 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost'
 Image|endswith: '\StartMenuExperienceHost.exe'
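Review bot: The new `filter_nextron` exclusion in the second hunk (`Image|startswith: 'C:\Windows\Temp\asgard2-agent\'` plus `Image|endswith: '\thor.exe'`) trusts a path and file name alone, so any process whose image sits at that path is dropped from the raw-disk-access detection regardless of what the binary actually is, and a directory under `C:\Windows\Temp` is presumably not as tightly access-controlled as a system directory. If this rule sits on Sysmon RawAccessRead events (event ID 9, inferred from the file name), the event carries no hash or signer field as far as I can tell, so the match cannot be tightened inside the rule; the residual risk should instead be written down, e.g. an entry under `falsepositives` such as `- Nextron THOR scanner started by the ASGARD agent (excluded by image path only; review file writes into this directory separately)`, which lives outside this hunk. Whether `condition` already picks up the new filter (for example via `not 1 of filter_*`) is also outside the hunk and should be confirmed, otherwise the addition has no effect.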