From b986a99be10160df110f5bfeb6780a3769e1dce1 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 7 Mar 2022 16:43:32 +0100
Subject: [PATCH] fix: FPs

---
 .../process_creation/proc_creation_win_dinjector.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_dinjector.yml b/rules/windows/process_creation/proc_creation_win_dinjector.yml
index 208b2b5b1..929306f10 100644
--- a/rules/windows/process_creation/proc_creation_win_dinjector.yml
+++ b/rules/windows/process_creation/proc_creation_win_dinjector.yml
@@ -1,11 +1,12 @@
 title: DInject PowerShell Cradle CommandLine Flags
 id: d78b5d61-187d-44b6-bf02-93486a80de5a
-status: experimental
+status: test
 description: Detects the use of the Dinject PowerShell cradle based on the specific flags
 author: Florian Roth
 references:
     - https://github.com/snovvcrash/DInjector
 date: 2021/12/07
+modified: 2022/03/07
 tags:
     - attack.defense_evasion
     - attack.t1055
@@ -17,7 +18,12 @@ detection:
         CommandLine|contains:
             - ' /am51'
             - ' /password'
-    condition: selection
+    filter_fps:
+        - CommandLine|contains: ' /PASSWORDCHG' # net user
+        - ParentImage:
+            - 'C:\Program Files\CEETIS\CEETIS_IDE.exe' # CEETIS from WEETECH
+            - 'C:\Program Files (x86)\CEETIS\CEETIS_IDE.exe'
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Unlikely
 level: critical
\ No newline at end of file
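Review bot: The first `filter_fps` entry in the second hunk is a bare `CommandLine|contains: ' /PASSWORDCHG'` with no `Image` constraint, so the new `condition: selection and not 1 of filter_*` suppresses the alert for any process whose command line carries that token, which is broader than the `net user` false positive the inline comment names. Binding the filter to the process that legitimately emits the flag keeps the suppression narrow; the rewrite below splits it into its own filter keyed on the `net.exe`/`net1.exe` image (the exact path form should be confirmed against the backend's `Image` field). The `falsepositives: - Unlikely` context line is now inconsistent with the two known sources the commit documents in the filter; it should list them, e.g. `- net user /PASSWORDCHG` and `- CEETIS IDE from WEETECH`. The `ParentImage` filter depends on two hard-coded install paths, so a comment noting that non-default install directories will not be covered would help the next maintainer.
```yaml
    # … unchanged: selection …
    filter_net_user:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: ' /PASSWORDCHG'
    filter_ceetis:
        # CEETIS from WEETECH; only default install paths are covered
        ParentImage:
            - 'C:\Program Files\CEETIS\CEETIS_IDE.exe'
            - 'C:\Program Files (x86)\CEETIS\CEETIS_IDE.exe'
    condition: selection and not 1 of filter_*
```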