From cb5c19d696f047bede4cfbe1ec59427b49092bbc Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Sat, 3 Dec 2022 09:35:34 +0100
Subject: [PATCH] fix: FPs found in testing env (#3743)

---
 .../proc_creation_win_run_executable_invalid_extension.yml | 5 ++++-
 .../proc_creation_win_susp_parent_of_conhost.yml | 4 +++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 7009302df..b5243e4bc 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2022/07/27
+modified: 2022/12/02
 logsource:
 category: process_creation
 product: windows
@@ -32,6 +32,9 @@ detection:
 ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\'
 filter_localserver_fp:
 CommandLine|contains: ' -localserver '
+ filter_mcafee:
+ - ParentCommandLine|startswith: 'C:\Windows\system32\rundll32.exe" "C:\Program Files\McAfee\MSC\mcmscins.dll",DllUninstallFunction '
+ - CommandLine|startswith: 'C:\Windows\system32\rundll32.exe" /uninstall /longpath "C:\Program Files\McAfee\MSC\mscrem.inf'
 condition: selection and not 1 of filter*
 fields:
 - Image
diff --git a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
index ee024ae05..03e60f2b4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml
@@ -6,7 +6,7 @@ references:
 - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
 author: Tim Rauch
 date: 2022/09/28
-modified: 2022/11/29
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1059
@@ -36,7 +36,9 @@ detection:
 ParentCommandLine|contains:
 - '-k apphost -s AppHostSvc'
 - '-k imgsvc'
+ - '-k localService -p -s RemoteRegistry'
 - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
+ - '-k NetSvcs -p -s NcaSvc'
 - '-k netsvcs -p -s NetSetupSvc'
 - '-k netsvcs -p -s wlidsvc'
 - '-k NetworkService -p -s DoSvc'
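Review bot: Both new `filter_mcafee` values begin with `C:\Windows\system32\rundll32.exe"` — a closing quote with no opening one — so `startswith` only matches when the log source drops the leading `"` of a quoted image path; whether the testing env's telemetry does that is not visible here, and the same uninstaller events logged in the full `"C:\Windows\system32\rundll32.exe" ...` form would fall through the filter and keep alerting. Anchoring the exclusion on the McAfee component rather than on the quoting, e.g. `- ParentCommandLine|contains: '\McAfee\MSC\mcmscins.dll",DllUninstallFunction'` and `- CommandLine|contains: '/longpath "C:\Program Files\McAfee\MSC\mscrem.inf'`, is insensitive to that difference while staying tied to the specific uninstaller path. The `selection` this filter narrows lies outside the hunk, so I cannot tell whether the filter is narrower than it needs to be.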
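Review bot: The two added entries use a different casing from their neighbours — `'-k localService -p -s RemoteRegistry'` and `'-k NetSvcs -p -s NcaSvc'` sit next to `'-k netsvcs -p -s NetSetupSvc'` and `'-k LocalSystemNetworkRestricted -p -s NgcSvc'`. Sigma string matching is case-insensitive by default, so detection is unaffected, but a list that spells the same svchost group as both `NetSvcs` and `netsvcs` is harder to scan for duplicates and breaks the grouping the surrounding entries follow; `- '-k netsvcs -p -s NcaSvc'` keeps one spelling per group. Whether this `ParentCommandLine|contains` list is also constrained on the parent image is not visible, as the enclosing filter starts above the hunk.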