From f7319989e45dc914e3a2525bee2ab35d53a242df Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 28 Oct 2022 08:47:01 +0200
Subject: [PATCH] fix: new FP with Avast

---
 .../code_integrity/win_codeintegrity_attempted_dll_load.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index c612ee58b..a5b698ad2 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -6,7 +6,7 @@ status: experimental
 references:
 - https://twitter.com/SBousseaden/status/1483810148602814466
 date: 2022/01/20
-modified: 2022/10/27
+modified: 2022/10/28
 tags:
 - attack.execution
 logsource:
@@ -72,7 +72,9 @@ detection:
 FileNameBuffer|endswith:
 - '\Program Files\Avast Software\Avast\aswAMSI.dll'
 - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
- ProcessNameBuffer|endswith: '\Windows\System32\SIHClient.exe'
+ ProcessNameBuffer|endswith:
+ - '\Windows\System32\SIHClient.exe'
+ - '\Windows\System32\svchost.exe'
 RequestedPolicy: 12
 ValidatedPolicy: 1
 condition: selection and not 1 of filter_*
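Review bot: Adding `\Windows\System32\svchost.exe` to the `ProcessNameBuffer|endswith` list in the second hunk widens this filter from one specific Windows Update client to the host process of nearly every Windows service, and because both the process and the DLL are matched by suffix only, any binary whose path ends in `\Windows\System32\svchost.exe` under an attacker-created prefix (or on a secondary volume) loading a file ending in `\Program Files\Avast Software\Avast\aswAMSI.dll` would now be silently excluded from the `RequestedPolicy: 12` / `ValidatedPolicy: 1` detection. The existing SIHClient.exe entry has the same weakness, so this is consistent, but svchost.exe is a far more attractive name to mimic. If ProcessNameBuffer is logged as an NT device path (which the use of `endswith` suggests, though the hunk does not show it), a start-anchored regex would keep the exclusion on the real system binary, e.g. `ProcessNameBuffer|re: '^\\Device\\HarddiskVolume\d+\\Windows\\System32\\(SIHClient|svchost)\.exe$'`. The commit message only says "new FP with Avast"; the rule's `falsepositives` section (outside this hunk) should name which service-hosted component loads aswAMSI.dll so the exclusion can be re-evaluated later, e.g. `- Avast AMSI provider (aswAMSI.dll) loaded by a svchost.exe-hosted service`. The `detection` block continues outside the hunk, so the `selection` this filter is subtracted from is not visible here.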