From 38e9b64fd626be8d70a57997828fd1ff5dd1567e Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 1 Aug 2022 18:01:31 +0200
Subject: [PATCH] [Rule Tuning] Process Termination followed by Deletion (#2206)

Excluded some FPs by process.executable and file.path.

(cherry picked from commit 91896db453ad63aad3b38a566b5720b86615b472)
---
 ...sion_process_termination_followed_by_deletion.toml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 7665c2078..616887007 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/08/01"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,14 @@ sequence by host.id with maxspan=5s
 process.code_signature.trusted == false and
 not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe")
 ] by process.executable
- [file where event.type == "deletion" and file.extension : ("exe", "scr", "com")] by file.path
+ [file where event.type == "deletion" and file.extension : ("exe", "scr", "com") and
+ not process.executable :
+ ("?:\\Program Files\\*.exe",
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Windows\\System32\\svchost.exe",
+ "?:\\Windows\\System32\\drvinst.exe") and
+ not file.path : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe")
+ ] by file.path
 '''