From 3f5859bac5c306b67409392d63f521bde3a8663a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 18 Dec 2021 15:40:12 +0100
Subject: [PATCH] fix: exclude *.scr screensavers
---
 .../process_creation/process_creation_susp_non_exe_image.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
index 0cbea9ab4..2fc6c505d 100644
--- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
-modified: 2021/12/17
+modified: 2021/12/18
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
@@ -22,6 +22,8 @@ detection:
 filter_avira:
 Image|startswith: 'C:\Windows\Temp\'
 Image|endswith: '\avira_speedup_setup_update.tmp'
+ filter_screensaver:
+ Image|endswith: '.scr'
 condition: not image_exe and not 1 of filter*
 falsepositives:
 - unknown
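Review bot: The new `filter_screensaver` at the end of the second hunk matches any image path ending in `.scr`, anywhere on disk, so a payload dropped as `C:\Users\x\AppData\Local\Temp\update.scr` is excluded just as readily as a real screensaver — a screensaver is an ordinary PE that Windows launches like an `.exe`, which is exactly why `.scr` is a long-standing payload extension, and the blanket exclusion makes this rule bypassable by renaming the file. Consider scoping the filter to where legitimate screensavers live, e.g. `filter_screensaver:` / `Image|startswith: 'C:\Windows\System32\'` / `Image|endswith: '.scr'` (adding `C:\Windows\SysWOW64\` as a second list entry if needed), so `.scr` images outside the system directory still fire. The `falsepositives` list in the same hunk still reads `unknown`; recording `Screensavers (*.scr) in the Windows system directory` there would document why the exclusion exists and what it deliberately tolerates.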