From b47900fbee2fd5ce1e6d1af0efb7b0d0be57dc62 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Sun, 21 Apr 2019 17:40:52 +0200
Subject: [PATCH] Add default path to filter for explorer in exe anomaly rule
---
 rules/windows/process_creation/win_system_exe_anomaly.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 30295b0a0..a3899bf31 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -33,6 +33,7 @@ detection:
 Image:
 - 'C:\Windows\System32\\*'
 - 'C:\Windows\SysWow64\\*'
+ - 'C:\Windows\explorer.exe'
 condition: selection and not filter
 falsepositives:
 - Exotic software
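Review bot: The added filter entry `'C:\Windows\explorer.exe'` carries no comment explaining why it is an exact path while the two entries above it are directory wildcards, and a later edit could easily widen it. I would put `# explorer.exe lives in the Windows root, not System32; keep this an exact path` directly above it, since a wildcard here would exclude any selected image name placed in the Windows root from the alert. The drive letter is hard-coded, as in the neighbouring entries, so a host whose system root is not `C:\Windows` will presumably still alert on its legitimate explorer.exe; that seems worth listing under `falsepositives` rather than loosening the filter. The `selection` list and the start of the `detection` block are outside this hunk, so I am assuming explorer.exe is among the selected image names.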