From f0dc10327bf2d931ee7131da72ec5ddec43689f8 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 30 Jun 2023 09:39:47 +0200
Subject: [PATCH 1/3] fix: FP found in-the-wild
---
 .../create_remote_thread_win_uncommon_target_image.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
index a108acf74..727e0a497 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
@@ -9,7 +9,7 @@ references:
 - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/05/05
+modified: 2023/06/30
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -30,13 +30,16 @@ detection:
 - '\spoolsv.exe'
 - '\wordpad.exe'
 - '\write.exe'
+ filter_main_spoolsv:
+ SourceImage: 'C:\Windows\System32\csrss.exe'
+ TargetImage: 'C:\Windows\System32\spoolsv.exe'
 filter_optional_aurora_1:
 StartFunction: 'EtwpNotificationThread'
 filter_optional_aurora_2:
 SourceImage|contains: 'unknown process'
- filter_main_spoolsv:
+ filter_optional_csrss_ping:
 SourceImage: 'C:\Windows\System32\csrss.exe'
- TargetImage: 'C:\Windows\System32\spoolsv.exe'
+ TargetImage: 'C:\Windows\System32\ping.exe'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
From cede72ad18d7ff199294e5ab5c956f65b48e5194 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 5 Jul 2023 10:31:47 +0200
Subject: [PATCH 2/3] fix: more FPs, found in testing env
---
 .../create_remote_thread_win_uncommon_target_image.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
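Review bot: `falsepositives:` at the end of this hunk still reads `- Unknown`, although the hunk itself now encodes two concrete benign cases (csrss.exe creating a thread in spoolsv.exe, and in ping.exe) that the subject says were found in the wild. That field is where a rule consumer learns what the filters suppress, so I would replace `- Unknown` with entries mirroring each filter, e.g. `- csrss.exe creating threads in spoolsv.exe (filter_main_spoolsv)` and `- csrss.exe creating threads in ping.exe (filter_optional_csrss_ping)`. The same gap remains in the patch 2 hunk (the WinZip/explorer.exe filter) and the patch 3 hunk, both of which keep `- Unknown`. The `detection:` block and the start of the selection list are above this hunk and not visible here.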
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
index 727e0a497..f1b62ea06 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
@@ -9,7 +9,7 @@ references:
 - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/06/30
+modified: 2023/07/05
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -40,6 +40,9 @@ detection:
 filter_optional_csrss_ping:
 SourceImage: 'C:\Windows\System32\csrss.exe'
 TargetImage: 'C:\Windows\System32\ping.exe'
+ filter_optional_winzip:
+ SourceImage: 'C:\Program Files\WinZip\FAHWindow64.exe'
+ TargetImage: 'C:\Windows\explorer.exe'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
From a1672f8dbb43a9c72877a54dbdd894c78fdc26fe Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 13 Jul 2023 11:05:00 +0200
Subject: [PATCH 3/3] fix: remove ping filter
---
 .../create_remote_thread_win_uncommon_target_image.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
index f1b62ea06..a237794fe 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
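Review bot: `filter_optional_winzip` exempts thread creation into `C:\Windows\explorer.exe` on the basis of the source image path alone, which is the weakest anchor this log source offers for an exclusion; if the events from the testing environment show a stable `StartFunction` value (the field the file already uses in `filter_optional_aurora_1`), adding it would narrow the exemption, and if not, a comment above the filter saying the exemption is path-only would make the trade-off explicit. The name also departs from the neighbouring `filter_optional_csrss_ping`, which encodes both images; `filter_optional_winzip_explorer:` would keep that convention. explorer.exe is presumably among the selection's target images, but that list starts above this hunk and is not visible here.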
@@ -9,7 +9,7 @@ references:
 - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/07/05
+modified: 2023/07/13
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -30,20 +30,17 @@ detection:
 - '\spoolsv.exe'
 - '\wordpad.exe'
 - '\write.exe'
- filter_main_spoolsv:
+ filter_optional_spoolsv:
 SourceImage: 'C:\Windows\System32\csrss.exe'
 TargetImage: 'C:\Windows\System32\spoolsv.exe'
 filter_optional_aurora_1:
 StartFunction: 'EtwpNotificationThread'
 filter_optional_aurora_2:
 SourceImage|contains: 'unknown process'
- filter_optional_csrss_ping:
- SourceImage: 'C:\Windows\System32\csrss.exe'
- TargetImage: 'C:\Windows\System32\ping.exe'
 filter_optional_winzip:
 SourceImage: 'C:\Program Files\WinZip\FAHWindow64.exe'
 TargetImage: 'C:\Windows\explorer.exe'
- condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+ condition: selection and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: high
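Review bot: Nothing in the rule records why the csrss.exe → ping.exe exemption is dropped here while the csrss.exe → spoolsv.exe one is kept (now demoted to `filter_optional_spoolsv`); the subject says only "remove ping filter", so the next maintainer who sees the same event has nothing stopping them from re-adding it. A one-line comment above `filter_optional_spoolsv:` stating the reason the author had for the removal — e.g. `# csrss.exe -> spoolsv.exe kept as optional (observed benign); csrss.exe -> ping.exe exemption removed 2023/07/13, see commit a1672f8` — would preserve that decision in the file. The `condition:` rewrite is consistent with the rest of the hunk: after this change no `filter_main_*` key remains, so dropping that clause is correct rather than a behaviour change beyond the rename. The `detection:` block starts above this hunk.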