From 1e404cde34539f2a875b844dfeb1a058f0d2d4f2 Mon Sep 17 00:00:00 2001
From: Eric <26614684+MakoWish@users.noreply.github.com>
Date: Mon, 12 Jun 2023 13:15:47 -0600
Subject: [PATCH] [Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions (#2831)

* Add Ssms.exe to query exceptions
* Changed updated_date
--------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 rules/windows/execution_suspicious_powershell_imgload.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 5b129a442..7ae99c30c 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/06"
 
 [rule]
 author = ["Elastic"]
@@ -139,6 +139,7 @@ not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe""" and
 "SPCAF.Client.exe",
 "SPCAF.SettingsEditor.exe",
 "SQLPS.exe",
+ "Ssms.exe",
 "telemetryservice.exe",
 "UMWorkerProcess.exe",
 "w3wp.exe",
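Review bot: The added `"Ssms.exe",` entry in the second hunk excludes SQL Server Management Studio by file name alone, so the exception is broader than the single false positive it is meant to cover; the enclosing exclusion list starts and ends outside this hunk and its field is not visible here, so this assumes it is the rule's `process.name` list. Since SSMS installs under Program Files, a path-scoped exclusion on `process.executable` (for example an entry such as `"?:\\Program Files*\\Microsoft SQL Server Management Studio*\\Common7\\IDE\\Ssms.exe"` in the executable exclusion clause) would keep the tuning tied to the legitimate install location rather than to a renameable file name. Separately, the `regex~` pattern shown in this hunk's header context, `C:\\Program Files( \(x86\))?\\*\.exe`, reads as zero-or-more backslashes followed directly by `.exe` rather than `\\.*\.exe`; if that is the actual source text it would not match executables in Program Files subdirectories, which would explain why Program Files applications like SSMS keep needing name-based entries, and is worth verifying in a follow-up.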