From 6d61a68c290a5043375e537899fa8eeb4b28882f Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 29 Jul 2022 19:45:33 +0200
Subject: [PATCH] [Rule Tuning] Modification of WDigest Security Provider (#2201)
excluding svchost.exe running as system (main src of FPs for this use case).
---
 .../credential_access_mod_wdigest_security_provider.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 07217949c..0b5fd0bf9 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/05/09"
+updated_date = "2022/07/29"
 [rule]
 author = ["Elastic"]
@@ -93,7 +93,8 @@ query = '''
 registry where event.type : ("creation", "change") and
  registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
-  and registry.data.strings : ("1", "0x00000001")
+  and registry.data.strings : ("1", "0x00000001") and
+  not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")
 '''
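Review bot: The new `not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")` exclusion in the second hunk is a broad blind spot that the rule does not document: any code executing inside a SYSTEM svchost.exe, such as a payload injected into a service host or a change pushed through the Group Policy client service, can set UseLogonCredential to 1 without firing, and that is exactly the context a privileged attacker enabling WDigest already has. Since the rationale lives only in the commit message, put it next to the query so the next tuner knows what was traded away, e.g. an EQL comment before the exclusion: `// svchost.exe as SYSTEM excluded for FPs (service/GPO-driven writes); SYSTEM-level injection into svchost will evade this`, and mirror the same caveat in the rule's false_positives or note field, which is outside this hunk. If the registry event stream exposes a process signature field (I cannot tell from the hunk), consider tightening the exclusion to signed, trusted svchost.exe rather than path and SID alone. The rest of the `[rule]` table continues beyond the hunk.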