From f71dc4153199ae63a4d94b3fbbfe62962fcb2156 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 28 Aug 2019 09:00:43 +0200
Subject: [PATCH] rule: extended csc rule
---
 rules/windows/process_creation/win_susp_csc_folder.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index 332229af2..e783d5182 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -15,7 +15,9 @@ logsource:
 detection:
 selection:
 Image: '*\csc.exe'
- CommandLine: '*\AppData\*'
+ CommandLine:
+ - '*\AppData\*'
+ - '*\Windows\Temp\*'
 condition: selection
 falsepositives:
 - Unkown
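Review bot: The new `'*\Windows\Temp\*'` selector widens the rule to the machine-wide temp directory, but the `falsepositives` list directly below it is left at `Unkown`, which is both a typo and no longer accurate for this rule. Processes running as SYSTEM resolve `%TEMP%` to `C:\Windows\Temp`, so on-the-fly .NET compilation by services (for example generated serializer assemblies) is a plausible benign trigger that analysts triaging this rule should be told about; a line such as `- On-the-fly .NET compilation by services running as SYSTEM (their %TEMP% is C:\Windows\Temp)` would capture it, with `Unkown` corrected to `Unknown` if the catch-all is kept. The rule's `description` and any `modified` date live in the header above the hunk and cannot be checked here; if they only mention the AppData case they should be extended to match the new selector.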