diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
index 485eb508e..2e1eceaa5 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
@@ -1,5 +1,5 @@
 title: Uncommon AppX Package Locations
-id: 5cdeaf3d-1489-477c-95ab-c318559fc051
+id: c977cb50-3dff-4a9f-b873-9290f56132f1
 status: experimental
 description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 references:
@@ -25,10 +25,11 @@ detection:
 - 'C:\Windows\PrintDialog\'
 - 'C:\Windows\ImmersiveControlPanel\'
 - 'x-windowsupdate://'
- - 'file:///C:/Program%20Files%20(x86)/'
- - 'file:///C:/Program%20Files%20/'
+ - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
 filter_specific:
- Path|contains: 'https://statics.teams.cdn.office.net/'
+ Path|contains:
+ - 'https://statics.teams.cdn.office.net/'
+ - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index f4c5c4fa4..684de8c71 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -32,7 +32,9 @@ detection:
 - 'RemoteSigned'
 - 'Unrestricted'
 filter_svchost:
- Image: 'C:\Windows\system32\svchost.exe'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
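Review bot: The rule id is replaced in the first hunk without a `related` entry, so anything keyed on the old id 5cdeaf3d-1489-477c-95ab-c318559fc051 loses its link to this rule's history. Unless the old id is being dropped because it collided with another rule, add `related:` with `- id: 5cdeaf3d-1489-477c-95ab-c318559fc051` and `type: renamed` beneath the new id so the lineage stays traceable; if it was a duplicate, stating that in the commit message serves the same purpose.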
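Review bot: `Path|contains: 'microsoft.com'` in the new filter_specific is a bare substring match with no scheme, host boundary or delimiter, so any path value that merely contains those characters anywhere is now excluded from the detection, which is far broader than the single fwlink example the comment cites. Anchor the exclusion to what was actually observed, e.g. `- 'https://go.microsoft.com/fwlink/'` (or move it to a `Path|startswith` entry), and keep the `statics.teams.cdn.office.net` entry as it was. The rewritten `'file:///C:/Program%20Files'` widens the same way: without the trailing `/` or `%20(x86)/` it also excludes any sibling directory whose name merely begins with "Program Files", so listing `'file:///C:/Program%20Files/'` and `'file:///C:/Program%20Files%20(x86)/'` explicitly is safer than relying on the prefix. The selection these filters pair with, and the modifier the main filter uses, sit outside the hunk, so the prefix-match reading is inferred from the list's other entries.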
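Review bot: Widening filter_svchost from one svchost.exe path to `Image|startswith: 'C:\Windows\System32\'` and `'C:\Windows\SysWOW64\'` excludes every binary under those directories from the rule, including the native PowerShell host under `C:\Windows\System32\WindowsPowerShell\v1.0\` and reg.exe, so an ExecutionPolicy change to Bypass/RemoteSigned/Unrestricted made through them would no longer fire. Since the filter is still named filter_svchost, keep it as an explicit `Image:` list, e.g. `- 'C:\Windows\System32\svchost.exe'` and `- 'C:\Windows\SysWOW64\svchost.exe'`, and add only the specific image(s) that motivated the change rather than the whole directory prefix. If a directory-wide exclusion is genuinely intended, rename the filter and record the reason in falsepositives so the trade-off is visible. The selection block this filter is subtracted from starts outside the hunk.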