From cd63ce23ff062bd66147e61f74fe7701bcfcbc1d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 13 Dec 2021 11:44:29 +0100
Subject: [PATCH] fix: FP with proc creation Image non .exe suffix

---
 .../process_creation/process_creation_susp_non_exe_image.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
index e82e0d7b2..215af360d 100644
--- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
+modified: 2021/12/13
 references:
     - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
@@ -16,6 +17,7 @@ detection:
         Image|endswith: '.exe'
     filter:
         Image: null
+        Image|startswith: 'C:\Windows\Installer\MSI'
     condition: not image_exe and not filter
 falsepositives:
     - unknown
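Review bot: The new `Image|startswith` key is placed in the same `filter` map as `Image: null`, and Sigma ANDs all key/value pairs inside one map, so the filter now requires an Image that is both null and starts with `C:\Windows\Installer\MSI` — it can never match, the Windows Installer false positive this commit targets is not suppressed, and the pre-existing null-Image exclusion is silently lost as well. The two exclusions need to be ORed by writing them as a list of maps: `filter:` / `    - Image: null` / `    - Image|startswith: 'C:\Windows\Installer\MSI'` (same `condition: not image_exe and not filter`). A prefix-only exclusion is also broader than necessary; if this is meant for the Installer's temporary custom-action binaries (presumably `MSI*.tmp`, to be confirmed against the triggering events), pinning the suffix with `Image|endswith: '.tmp'` inside that list entry keeps the rule covering other non-.exe images under that path. Since the commit documents a known benign source, `falsepositives: - unknown` in the trailing context should be updated to name Windows Installer. The first hunk is a metadata date bump and needs no change.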