From b9a91bb0647652aecb185ce11ba833cb96f0e495 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Thu, 16 Oct 2025 09:19:23 +0545
Subject: [PATCH] Merge PR #5690 from @swachchhanda000 - fix: wsl fp on system execution anomaly detection

fix: System File Execution Location Anomaly - add filter for wsl fps
---
 .../proc_creation_win_susp_system_exe_anomaly.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 6e4393fa9..1f84ceebe 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -12,7 +12,7 @@ references:
     - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2017-11-27
-modified: 2025-10-07
+modified: 2025-10-13
 tags:
     - attack.defense-evasion
     - attack.t1036
@@ -91,8 +91,14 @@ detection:
             - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
             - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
         Image|endswith: '\pwsh.exe'
-    filter_main_wsl_windowsapps:
-        Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
+    filter_main_wsl_programfiles:
+        Image|startswith:
+            - 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
+            - 'C:\Program Files\WSL\'
+        Image|endswith: '\wsl.exe'
+    filter_main_wsl_appdata:
+        Image|startswith: C:\Users\'
+        Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
         Image|endswith: '\wsl.exe'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
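Review bot: `Image|startswith: C:\Users\'` in the new `filter_main_wsl_appdata` filter is missing its opening quote, so YAML should read it as the plain scalar `C:\Users\'` with a literal trailing apostrophe; no real image path begins with that, so this filter can never match and the per-user WindowsApps `wsl.exe` false positive the commit sets out to suppress will still fire. The fix is the one-character change `Image|startswith: 'C:\Users\'`, matching the quoting of every sibling value. A YAML linter is unlikely to flag an unquoted scalar that merely contains an apostrophe, so a rule test with a sample path like `C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\wsl.exe` (constructed) is the only thing that would have caught it. Note that the unchanged context line `Image|endswith: '\wsl.exe'` now belongs to this filter, and the enclosing `detection:` block starts outside the hunk.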