From df4b8eadbfee954a7eba615696cd91970a5ba554 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 9 Aug 2022 18:34:53 +0200
Subject: [PATCH] fix: FP in testing
---
 .../proc_creation_win_dll_sideload_defender.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml
index 41c4d86e2..3cc1c0336 100644
--- a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml
+++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml
@@ -6,6 +6,7 @@ references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
 date: 2022/08/01
+modified: 2022/08/09
 tags:
 - attack.defense_evasion
 - attack.t1574.002
@@ -13,12 +14,13 @@ logsource:
 product: windows
 category: process_creation
 detection:
- selection:
+ selection:
 Image|endswith: '\MpCmdRun.exe'
 legit_path:
 Image|startswith: # MpCmdRun resides in two locations
 - 'C:\Program Files\Windows Defender\'
 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ - 'C:\Windows\winsxs\x86_security-malware-windows-defender_' # found on Win7 i386
 condition: selection and not legit_path
 falsepositives:
 - Unknown
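Review bot: The inline comment on the `Image|startswith` key, `# MpCmdRun resides in two locations`, is now stale, because the second hunk adds a third allow-listed prefix directly beneath it; update it to `# MpCmdRun resides in three known locations (incl. the WinSxS component store on Win7 x86)` so the next reader does not assume the list is complete at two. The new entry's own comment, `# found on Win7 i386`, suggests the exclusion was derived from one 32-bit observation; if the same component also ships under a 64-bit component directory on that OS, the rule would still fire there, so it is worth confirming before treating the false positive as fully closed. Since every entry in `legit_path` is a plain path prefix, a short note under `falsepositives` (currently only `Unknown`) recording that legitimate MpCmdRun copies were observed under WinSxS would document why the exclusion exists better than the inline comment alone. The rule document continues past this hunk (remaining top-level keys are outside the view).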