From bd1d4825a36b8a34f05bde97ad4e5c2f79ff51f8 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 8 Feb 2023 16:53:54 +0100
Subject: [PATCH] fix: FP found in prod environment

Also seen in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
---
 ...reation_win_wmi_backdoor_exchange_transport_agent.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
index 6c5a5daf9..2fae2a4af 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/cglyer/status/1182391019633029120
 author: Florian Roth (Nextron Systems)
 date: 2019/10/11
-modified: 2022/03/18
+modified: 2023/02/08
 tags:
 - attack.persistence
 - attack.t1546.003
@@ -17,9 +17,12 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\EdgeTransport.exe'
- filter:
+ filter_conhost:
 Image: 'C:\Windows\System32\conhost.exe'
- condition: selection and not filter
+ filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
+ Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
+ Image|endswith: '\Bin\OleConverter.exe'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: critical
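Review bot: The `falsepositives:` list in the second hunk still reads `- Unknown` although this commit documents a concrete benign case (OleConverter.exe spawned by EdgeTransport.exe) and the rule already filters conhost.exe; the field should name them so analysts tuning the critical-level alert know what has been excluded, e.g. `falsepositives:` / `- Legitimate Exchange child processes such as OleConverter.exe and conhost.exe (filtered by the rule)`. The speakerdeck link is carried as an end-of-line comment on the `filter_oleconverter:` key, which Sigma tooling does not preserve; it belongs as an additional entry under `references:` next to the existing twitter link. The `Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'` anchor assumes a default install drive, so an Exchange instance installed elsewhere will presumably keep alerting on OleConverter.exe rather than being suppressed — noisy but fail-safe, and worth a one-line comment stating that the drive letter is intentional. The enclosing rule's `logsource:` block and the `references:` list lie outside this hunk.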