From cbe1b66b87155f615cbce50cc949c3e45c3bb167 Mon Sep 17 00:00:00 2001
From: Nic
Date: Wed, 10 Feb 2021 11:53:04 -0600
Subject: [PATCH] [Rule Tuning] Exclude Windows Error Reporting & Printer Driver (#929)
---
 rules/windows/defense_evasion_code_injection_conhost.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml
index a88fe9ea9..a7551a9e9 100644
--- a/rules/windows/defense_evasion_code_injection_conhost.toml
+++ b/rules/windows/defense_evasion_code_injection_conhost.toml
@@ -23,7 +23,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.parent.name:conhost.exe
+ process.parent.name:conhost.exe and
+ not process.executable:("C:\Windows\splwow64.exe" or "C:\Windows\System32\WerFault.exe" or "C:\\Windows\System32\conhost.exe")
 '''
@@ -39,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1055/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
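Review bot: The three excluded paths in the added `not process.executable:(...)` line of the first hunk are not escaped the same way — `"C:\\Windows\System32\conhost.exe"` doubles the backslash after the drive letter while `"C:\Windows\splwow64.exe"` and `"C:\Windows\System32\WerFault.exe"` do not, so at most one of the two spellings can equal the indexed `process.executable` value and the other exclusions silently never fire. If the query engine treats a backslash inside a quoted string as an escape, as KQL does, all three should use the doubled form, e.g. `not process.executable:("C:\\Windows\\splwow64.exe" or "C:\\Windows\\System32\\WerFault.exe" or "C:\\Windows\\System32\\conhost.exe")`; either way, write them identically and confirm the literal against a real indexed event before merging. Because the exception keys on the path alone, any process that ends up running from one of those locations inherits it; where the data source populates `process.code_signature.trusted`, pairing the path with that field keeps the tuning narrower. The second hunk only drops a trailing blank line and needs no change.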