From ca58e92d528952210cd598dba3d264e35aafb4b6 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 12 Oct 2022 16:59:25 +0200
Subject: [PATCH] fix: FP found in testing environment

---
 .../image_load/image_load_susp_dll_load_system_process.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index ebc4aecc5..bd92a5672 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 date: 2022/07/17
-modified: 2022/09/29
+modified: 2022/10/12
 tags:
 - attack.defense_evasion
 - attack.t1070
@@ -33,6 +33,10 @@ detection:
 # Sometimes the DLL gets loaded from %temp%
 Image: 'C:\Windows\System32\cleanmgr.exe'
 ImageLoaded|endswith: '\ssshim.dll'
+ filter_mscorsvw:
+ Image|startswith: 'C:\Windows\Microsoft.NET\Framework\v'
+ Image|endswith: '\mscorsvw.exe'
+ ImageLoaded|contains: '\AppData\Local\Temp\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
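Review bot: The new `filter_mscorsvw` exclusion in the second hunk is wider than the filter just above it: it suppresses any module that mscorsvw.exe loads from any path containing `\AppData\Local\Temp\`, whereas the preceding filter pins the loaded module name with `ImageLoaded|endswith: '\ssshim.dll'`. If the false positive seen in testing involved a specific module, adding an `ImageLoaded|endswith` for that name would keep the exclusion minimal; mscorsvw.exe is presumably the .NET native image generation service, so a loosely scoped Temp exclusion for it deserves a deliberate decision. The `Image|startswith` prefix covers only `Microsoft.NET\Framework\v` and not the `Framework64\v` path, so on 64-bit hosts the same load from the 64-bit service is still reported; if that asymmetry is intended, a comment above the filter in the style of `# Sometimes the DLL gets loaded from %temp%` should say so. The `falsepositives` list still reads `- Unknown` even though the commit now encodes a known case; an entry such as `- .NET native image generation (mscorsvw.exe) loading assemblies from a user's Temp folder` (to be confirmed against what was observed) would document it. The `detection` mapping starts before this hunk.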