From 3bb741af669186f0e78f21fb72f69322bcdba694 Mon Sep 17 00:00:00 2001
From: Veramine
Date: Wed, 21 Dec 2022 23:41:39 -0800
Subject: [PATCH] Remove Windows 10 volume control false positive

https://superuser.com/questions/1175267/what-is-this-rundll32-instance-running
---
 .../proc_creation_win_rundll32_parent_explorer.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index f1b485722..67faacd00 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -7,7 +7,7 @@ references:
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
 date: 2022/05/21
-modified: 2022/12/15
+modified: 2022/12/21
 tags:
 - attack.defense_evasion
 logsource:
@@ -18,7 +18,8 @@ detection:
 Image|endswith: '\rundll32.exe'
 ParentImage|endswith: '\explorer.exe'
 filter:
- CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
+ - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
+ - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control
 condition: selection and not filter
 fields:
 - Image
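Review bot: The new `filter` entry added in the second hunk excludes on a trailing argument string alone, so any rundll32 launched from explorer.exe whose command line merely ends with ` -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617` is suppressed regardless of which DLL and export it actually loads; rundll32 hands trailing arguments through to the entry point, so appending that suffix to a malicious command line costs an attacker nothing and turns this false-positive fix into a documented bypass. Anchor the exclusion to the module the legitimate volume-control call loads as well, e.g. replace the added line with `- CommandLine|contains|all:` / `      - 'shell32.dll,SHCreateLocalServerRunDll'` / `      - ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617'`, where the shell32 export is taken from the referenced superuser thread rather than from this hunk and should be confirmed against a live sample before merging. Because the first filter already matches ` C:\Windows\System32\`, the legitimate invocation presumably names the DLL without a full path, which is why it slipped past the existing exclusion; stating that in the trailing comment (`# Windows 10 volume control: rundll32 shell32.dll,... without a System32 path, so the first filter misses it`) would stop the next maintainer from "fixing" it back. The enclosing `detection` block and its `selection` start above this hunk.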