From d4d694b4dac4fc1c4acb02b167b16e6fcbee5bae Mon Sep 17 00:00:00 2001
From: Ryan Plas
Date: Tue, 10 Nov 2020 10:01:47 -0500
Subject: [PATCH] Logic fix for sysmon_non_priv_program_files_move

---
 .../file_event/sysmon_non_priv_program_files_move.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
index 51af9b500..b7440b4b6 100644
--- a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
+++ b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
@@ -21,10 +21,11 @@ detection:
 - TargetFilename|contains:
 - '\Program Files\'
 - '\Program Files (x86)\'
- - TargetFilename|startswith: '\Windows\'
+ windows:
+ TargetFilename|startswith: '\Windows\'
 temp:
 TargetFilename|contains: 'temp'
- condition: integrity and (program_files or temp)
+ condition: integrity and (program_files or windows and not temp)
 falsepositives:
 - Unknown
 level: medium
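Review bot: The new condition `integrity and (program_files or windows and not temp)` depends on Sigma's operator precedence (`not`, then `and`, then `or`) to read as `program_files or (windows and not temp)`; if that is the intent, parenthesize it explicitly, `condition: integrity and (program_files or (windows and not temp))`, so the exclusion cannot be misread as applying to the `program_files` branch as well. The `temp` selection the condition references, `TargetFilename|contains: 'temp'`, matches that substring anywhere in the path, so the new `windows` branch is suppressed for any `\Windows\...` target whose path merely contains 'temp', which is broader than the Windows temp directory the exclusion presumably targets; narrowing it to a path fragment such as `'\Windows\Temp\'` would keep the filter to its apparent purpose and reduce the chance of silently dropping true positives. The enclosing `detection` block, including the `integrity` and `program_files` selections, starts before this hunk.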