From f970d28f10b1e7906593265055bb6a804142ee4e Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 15:06:15 -0400
Subject: [PATCH 1/2] add more false positives

---
 rules/windows/sysmon/sysmon_wmi_module_load.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml
index 5b3eca687..2c302532f 100644
--- a/rules/windows/sysmon/sysmon_wmi_module_load.yml
+++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml
@@ -32,6 +32,8 @@ detection:
 - '\WmiAPsrv.exe'
 - '\svchost.exe'
 - '\DeviceCensus.exe'
+ - '\CompatTelRunner.exe'
+ - '\sdiagnhost.exe'
 condition: selection and not filter
 fields:
 - ComputerName
From 7037e77569e062b85f335ef3c9d04b2d392b5214 Mon Sep 17 00:00:00 2001
From: ecco
Date: Mon, 25 May 2020 04:50:22 -0400
Subject: [PATCH 2/2] add more FP

---
 rules/windows/sysmon/sysmon_wmi_module_load.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml
index 2c302532f..8c660f19e 100644
--- a/rules/windows/sysmon/sysmon_wmi_module_load.yml
+++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml
@@ -34,6 +34,7 @@ detection:
 - '\DeviceCensus.exe'
 - '\CompatTelRunner.exe'
 - '\sdiagnhost.exe'
+ - '\SIHClient.exe'
 condition: selection and not filter
 fields:
 - ComputerName
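Review bot: The two new exclusions `'\CompatTelRunner.exe'` and `'\sdiagnhost.exe'` are bare image-name suffixes, so any process whose path merely ends in one of those names is dropped from the alert — a binary staged as, say, `C:\Users\Public\sdiagnhost.exe` that loads the WMI modules the selection looks for would be filtered out, and the attacker chooses that filename. The field these values belong to and the `filter:` key itself sit above the hunk, so the suffix match (`Image|endswith`) is inferred from the leading backslash rather than visible here. Prefer anchoring each entry to the location the legitimate binary actually runs from, e.g. `- 'C:\Windows\System32\CompatTelRunner.exe'` and `- 'C:\Windows\System32\sdiagnhost.exe'` (confirm on a reference host), and add the new benign sources to the rule's `falsepositives` list so the reason for each exclusion is recorded with the rule.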
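Review bot: `'\SIHClient.exe'` repeats the suffix-only pattern, so the exclusion is keyed on a filename rather than on where the Windows Update SIH client actually lives; `- 'C:\Windows\System32\SIHClient.exe'` (path to be confirmed on a reference host) would exclude the same benign loads without handing an evasion to anyone who can name a dropped executable. Across these two commits three exclusions have been added to the filter with no accompanying change to the rule's `description` or `falsepositives`, and the commit messages only say "add more FP"; a short comment beside the entry, e.g. `# Windows Update SIH client, observed loading WMI modules during update checks`, would let the next maintainer judge whether the exclusion is still warranted. The enclosing `filter:` block begins above the hunk.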