From d00e1073ee71ace06ef1ea291cee41167f4b2423 Mon Sep 17 00:00:00 2001
From: Kirill Kiryanov
Date: Thu, 8 Oct 2020 22:49:52 +0300
Subject: [PATCH] Revert "Created rule win_susp_presentationhost_execution.yml"

This reverts commit a38c0218765a89f5d18eadd49639c72a5d25d944.

---
 .../win_susp_presentationhost_execution.yml | 25 -------------------
 1 file changed, 25 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_susp_presentationhost_execution.yml

diff --git a/rules/windows/process_creation/win_susp_presentationhost_execution.yml b/rules/windows/process_creation/win_susp_presentationhost_execution.yml
deleted file mode 100644
index f8cd768b0..000000000
--- a/rules/windows/process_creation/win_susp_presentationhost_execution.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Application Whitelisting Bypass via PresentationHost.exe
-id: d149a338-ae47-408e-a8ff-9064220c0b34
-description: Detects defence evasion attempt via PresentationHost.exe to run malicious .xbap file
-status: experimental
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Presentationhost.yml
- - https://medium.com/tsscyber/applocker-bypass-presentationhost-exe-8c87b2354cd4
- - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
-author: Kirill Kiryanov, oscd.community
-date: 2020/10/08
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.execution
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith: '\presentationhost.exe'
- CommandLine|contains: '.xbap'
- condition: selection
-level: medium
-falsepositives:
- - Unknown