From df48b60cb47e9ca868ae4e7703f227500b6ad5da Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 3 Mar 2022 13:15:46 +0100
Subject: [PATCH] fix: FP with Datev SQL Server

---
 .../proc_creation_win_susp_shell_spawn_from_mssql.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
index 8217e0459..6f54a977e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
@@ -4,7 +4,7 @@ description: Detects suspicious shell spawn from MSSQL process, this might be si
 status: experimental
 author: FPT.EagleEye Team, wagga
 date: 2020/12/11
-modified: 2021/06/27
+modified: 2022/03/03
 tags:
 - attack.t1505.003
 - attack.t1190
@@ -23,5 +23,10 @@ detection:
 - '\bash.exe'
 - '\powershell.exe'
 - '\bitsadmin.exe'
+ filter_datev:
+ ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
+ ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
+ Image: 'C:\Windows\System32\cmd.exe'
+ CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
 condition: selection
 level: critical
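Review bot: The new `filter_datev` block in the second hunk is never referenced, because the context line `condition: selection` is left unchanged, so the rule still fires on the DATEV false positive this commit is meant to suppress. The condition needs to become `condition: selection and not filter_datev` for the filter to take effect. Separately, the filter as written excludes any `cmd.exe` spawned by the DATEV instance whose command line merely starts with `"C:\Windows\system32\cmd.exe" `, which also covers a shell obtained through that instance (e.g. via xp_cmdshell); if the legitimate DATEV invocation is known, anchoring `CommandLine` on that rather than on the bare cmd.exe prefix would keep the exclusion narrow. A short comment on the filter stating which DATEV maintenance activity it whitelists would also help future reviewers judge its scope.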