From d5eff9ef6d53a4bf5e65e89a2c1c5bc7d10a6d97 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Nov 2021 13:45:31 +0100
Subject: [PATCH] fix: FP with In-memory PowerShell rule and Visual Studio

---
 rules/windows/image_load/sysmon_in_memory_powershell.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index 4e9ffc39c..4ce1cfee4 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -39,6 +39,7 @@ detection:
 - '\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe'
 - '\IDE\devenv.exe'
 - '\ServiceHub.VSDetouredHost.exe'
+ - '\ServiceHub.SettingsHost.exe'
 # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
 condition: selection and not filter
 falsepositives:
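Review bot: The added filter entry `- '\ServiceHub.SettingsHost.exe'` excludes by image file name alone, so any process carrying that name, from whatever directory it runs, is dropped from the rule; the `filter` block's field and modifier begin above this hunk, so whether this is an endswith or contains match is inferred from the leading backslash. Unless the rule set deliberately accepts basename-only exclusions, anchor the entry to the directory Visual Studio installs it in, e.g. `- '\<VS_INSTALL_DIR_PLACEHOLDER>\ServiceHub.SettingsHost.exe'` with the real path substituted, so a renamed loader elsewhere on disk still matches `selection and not filter`. The existing `'\ServiceHub.VSDetouredHost.exe'` entry on the line above has the same shape and could be tightened in the same commit. The `falsepositives:` section that starts on the last hunk line continues outside the hunk; it should name the Visual Studio ServiceHub processes this filter now covers so a reader of the rule sees why the exclusion exists.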