From e2f80e5aa84db966e93ea023da3e428d1b439ccf Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 16 Feb 2022 14:59:12 +0100
Subject: [PATCH] fix: exclude msiexec from SysWOW64
---
 .../sysmon_asep_reg_keys_modification_winsock2.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml
index 318b9db59..2df6356c5 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/01/13
+modified: 2022/02/16
 logsource:
 category: registry_event
 product: windows
@@ -26,6 +26,7 @@ detection:
 filter:
 - Details: '(Empty)'
 - Image: 'C:\Windows\System32\MsiExec.exe'
+ - Image: 'C:\Windows\syswow64\MsiExec.exe'
 condition: winsock_parameters_base and winsock_parameters and not filter
 fields:
 - SecurityID
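Review bot: The new filter entry spells the directory as `syswow64` while the sibling entry one line above uses `System32`; Sigma matches string values case-insensitively, so this is not a functional problem, but for consistency with the existing line it should read `- Image: 'C:\Windows\SysWOW64\MsiExec.exe'`. Both MsiExec exclusions rest on the image path alone, which is unavoidable here because Sysmon registry events carry no signer or hash data, so the filter's strength depends entirely on the integrity of the Windows directory rather than on anything the rule itself can verify. That limitation is worth recording next to the filter with a comment such as `# path-only exclusion: registry events expose no signature information to narrow on`. The `detection` map this filter belongs to begins before the hunk, so the base selections it is combined with in `condition` are not visible here.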