From c7eddebe40ddfd0de33afd2adc01eb93420d748a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 3 Sep 2022 09:30:24 +0200
Subject: [PATCH] fix: Msiexec FPs noticed with Aurora

---
 .../image_load/image_load_susp_dll_load_system_process.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index f683c2f77..90a8dc127 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
     - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 date: 2022/07/17
-modified: 2022/08/10
+modified: 2022/09/03
 logsource:
     product: windows
     category: image_load
@@ -21,7 +21,8 @@ detection:
             - '\AppData\Local\Temp\'
             - 'C:\PerfLogs\'
     filter:
-        ImageLoaded|contains: '\Program Files'
+        - ImageLoaded|contains: '\Program Files'
+        - Image|endswith: '\msiexec.exe'
     condition: selection and not filter
 falsepositives:
     - Unknown
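Review bot: The new `Image|endswith: '\msiexec.exe'` filter entry matches any process whose image path ends in that name, so a binary named msiexec.exe dropped into a user-writable directory would also be excluded unless the `selection` block (which begins before this hunk) already pins `Image` to the System32/SysWOW64 paths; if it does not, anchor the filter with `- Image|endswith: '\Windows\System32\msiexec.exe'` and a second entry `- Image|endswith: '\Windows\SysWOW64\msiexec.exe'`. The exclusion is also broad in that it silences every msiexec image load from `\AppData\Local\Temp\` and `C:\PerfLogs\`, which covers installer custom-action DLLs that are an abuse path as well as a benign one; if the noise seen in Aurora is the Windows Installer's own extracted temp DLLs, scoping the filter to that loaded-image filename pattern rather than to the process keeps the rest visible. Finally, `falsepositives` still reads `- Unknown` although the commit identifies a concrete source; replace it with `- Windows Installer (msiexec.exe) loading installer DLLs from the user's Temp directory`.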