Merge pull request #4337 from phantinuss/master

fix: FP found in-the-wild

rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml

@@ -9,7 +9,7 @@ references:
     - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/07/05
+modified: 2023/07/13
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -30,6 +30,9 @@ detection:
             - '\spoolsv.exe'
             - '\wordpad.exe'
             - '\write.exe'
+    filter_optional_spoolsv:
+        SourceImage: 'C:\Windows\System32\csrss.exe'
+        TargetImage: 'C:\Windows\System32\spoolsv.exe'
     filter_optional_aurora_1:
         StartFunction: 'EtwpNotificationThread'
     filter_optional_aurora_2:
@@ -47,10 +50,10 @@ detection:
         StartFunction:
             - 'LoadLibraryW'
             - 'FreeLibrary'
-    filter_main_spoolsv:
-        SourceImage: 'C:\Windows\System32\csrss.exe'
-        TargetImage: 'C:\Windows\System32\spoolsv.exe'
-    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+    filter_optional_winzip:
+        SourceImage: 'C:\Program Files\WinZip\FAHWindow64.exe'
+        TargetImage: 'C:\Windows\explorer.exe'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high