From 353fde10a08bd306e27eecbec3521f21406f5ca9 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 16 Aug 2022 16:32:24 +0200
Subject: [PATCH] [Deprecate Rule] Suspicious Process from Conhost (#2222) only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args).
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit d3420e338667ebc9fac9bb2c2053508f37a8c737)
---
 .../defense_evasion_code_injection_conhost.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 rename rules/{windows => _deprecated}/defense_evasion_code_injection_conhost.toml (98%)
diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/_deprecated/defense_evasion_code_injection_conhost.toml
similarity index 98%
rename from rules/windows/defense_evasion_code_injection_conhost.toml
rename to rules/_deprecated/defense_evasion_code_injection_conhost.toml
index 94157ed4c..816c14e53 100644
--- a/rules/windows/defense_evasion_code_injection_conhost.toml
+++ b/rules/_deprecated/defense_evasion_code_injection_conhost.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
-maturity = "production"
-updated_date = "2022/05/21"
+deprecation_date = "2022/08/03"
+maturity = "deprecated"
+updated_date = "2022/08/03"
 
 [rule]
 author = ["Elastic"]
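Review bot: The reason this rule is being retired is recorded only in the commit message; the rule file itself, after the added `maturity = "deprecated"`, says nothing about why it was deprecated or whether the conhost-spawned-process technique is still covered elsewhere. The diffstat (3 insertions, 2 deletions, all in this hunk) shows the `[rule]` table that opens at the end of the hunk is otherwise unchanged, so a maintainer reading the file in the `_deprecated` tree has no rationale to go on. A comment above `maturity` would keep it with the rule, e.g. `# Deprecated 2022/08/03: persistent false positives that could only be tuned by excluding on process.executable/args, which would make the rule trivially evadable.` The `[rule]` table continues outside the hunk, so I cannot see whether its description already carries this note.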