From b4bce46c656e4bf20fbe8560fbb24bf0cf9e7c86 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 28 Jun 2022 17:25:50 +0200
Subject: [PATCH] fix: technically filter THOR checking for BlueKeep vuln

---
 .../windows/builtin/security/win_rdp_reverse_tunnel.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
index ea9d2f012..0c2b8efb5 100644
--- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
@@ -7,7 +7,7 @@ references:
     - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
 author: Samir Bousseaden
 date: 2019/02/16
-modified: 2021/07/06
+modified: 2022/06/29
 tags:
     - attack.defense_evasion
     - attack.command_and_control
@@ -32,8 +32,11 @@ detection:
         SourceAddress:
             - '127.*'
             - '::1'
-    condition: selection and ( sourceRDP or destinationRDP )
+    filter_thor: # checking BlueKeep vulnerability
+        Application|endswith:
+            - '\thor.exe'
+            - '\thor64.exe'
+    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
 falsepositives:
     - Programs that connect locally to the RDP port
-    - THOR APT scanner (checking BlueKeep vulnerability)
 level: high
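Review bot: The new `filter_thor` exclusion in the second hunk matches only on the trailing image name (`Application|endswith: '\thor.exe'` / `'\thor64.exe'`), so on a `level: high` rule every process carrying that file name is now excluded regardless of where it runs from, which is a broader carve-out than the one-line false-positive note it replaces. If the scanner's installation directory is known in the deployment, anchoring the filter on it with something like `Application|contains: '\<THOR_INSTALL_DIR>\'` (placeholder) in addition to the name would keep the exclusion tight. At minimum the trade-off should be recorded in the rule itself, e.g. `# name-only match: excludes any binary named thor.exe/thor64.exe, not just the scanner`, so the removed `falsepositives` entry is not lost to future readers. The commit date is 28 Jun while `modified` is set to 2022/06/29; presumably intentional, but worth a glance.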