From d0b2e2cbba696c9ca47f8f3d5ce7c4eb52cbb087 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 11 Jan 2023 23:47:12 +0100
Subject: [PATCH] fix: more fp and duplicate id
---
 .../appxdeployment_server_uncommon_package_locations.yml | 9 +++++----
 .../registry_set_powershell_execution_policy.yml | 4 +++-
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
index 485eb508e..2e1eceaa5 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
@@ -1,5 +1,5 @@
 title: Uncommon AppX Package Locations
-id: 5cdeaf3d-1489-477c-95ab-c318559fc051
+id: c977cb50-3dff-4a9f-b873-9290f56132f1
 status: experimental
 description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 references:
@@ -25,10 +25,11 @@ detection:
 - 'C:\Windows\PrintDialog\'
 - 'C:\Windows\ImmersiveControlPanel\'
 - 'x-windowsupdate://'
- - 'file:///C:/Program%20Files%20(x86)/'
- - 'file:///C:/Program%20Files%20/'
+ - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
 filter_specific:
- Path|contains: 'https://statics.teams.cdn.office.net/'
+ Path|contains:
+ - 'https://statics.teams.cdn.office.net/'
+ - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
index f4c5c4fa4..684de8c71 100644
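Review bot: The new `- 'microsoft.com'` entry under `Path|contains` in `filter_specific` is an unanchored substring match, so any package path that contains that string anywhere — not only a path served from a Microsoft host — is excluded from a rule whose purpose is to flag uncommon package locations, which is a much broader exclusion than the Teams CDN entry beside it. Anchoring the filter on the origin the inline example already documents, `- 'https://go.microsoft.com/fwlink/'`, keeps the false-positive fix while binding the exclusion to that host; if other microsoft.com locations are expected, listing them explicitly or moving this filter to `Path|startswith` would be narrower than the bare domain fragment. The widened `- 'file:///C:/Program%20Files'` entry likewise matches any path that continues that prefix with other characters, which is probably acceptable but deserves a comment saying so. The enclosing `detection` mapping and its `selection` start before this hunk, so I can't check what the selection itself constrains.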
--- a/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -32,7 +32,9 @@ detection:
 - 'RemoteSigned'
 - 'Unrestricted'
 filter_svchost:
- Image: 'C:\Windows\system32\svchost.exe'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
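Review bot: Replacing the exact `svchost.exe` path with `Image|startswith` on `C:\Windows\System32\` and `C:\Windows\SysWOW64\` excludes every image under those directories, which as far as I can tell includes `powershell.exe` itself (under `System32\WindowsPowerShell\v1.0\`) and `reg.exe`, so the rule will now only fire when the execution-policy value is written by a process outside the Windows directory — presumably the intended false-positive trade-off given the commit subject, but it is a coverage gap that should be recorded in the rule. The filter name `filter_svchost` no longer describes what it matches; renaming it (e.g. `filter_main_system_binaries`) and adding `# Excludes all System32/SysWOW64 images, including powershell.exe and reg.exe; policy changes by those binaries are not alerted on` above it would make the gap visible to anyone tuning the rule later. The `selection` block that defines the registry key and the list of policy values starts before this hunk, so I can't confirm from here which images trigger it in practice.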