From 9f3672fdc02e4526b2413b3e0b52e33e117d7c72 Mon Sep 17 00:00:00 2001 From: GelosSnake Date: Sun, 29 Dec 2019 18:01:19 +0200 Subject: [PATCH] Update win_system_exe_anomaly.yml Following sigma event I've noticed my twitter account was referenced: https://twitter.com/GelosSnake/status/934900723426439170 Rule: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP. --- rules/windows/process_creation/win_system_exe_anomaly.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml index 8dbfd06d..18d0b704 100644 --- a/rules/windows/process_creation/win_system_exe_anomaly.yml +++ b/rules/windows/process_creation/win_system_exe_anomaly.yml @@ -29,13 +29,14 @@ detection: - '*\lsm.exe' - '*\winlogon.exe' - '*\explorer.exe' - - '*\taskhost.exe' + - '*\taskhost.exe' filter: Image: - 'C:\Windows\System32\\*' - 'C:\Windows\SysWow64\\*' - 'C:\Windows\explorer.exe' - 'C:\Windows\winsxs\\*' + - '\SystemRoot\System32\\*' condition: selection and not filter falsepositives: - Exotic software
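Review bot: The `\SystemRoot\System32\\*` addition only covers the System32 path, while the existing filter block also excludes `C:\Windows\SysWow64\\*`; if the event source emits `\SystemRoot`-prefixed image paths for System32, it will do the same for SysWow64, so the same false positive will recur for 32-bit system binaries unless a matching `- '\SystemRoot\SysWow64\\*'` entry is added alongside. Second, the `- '*\taskhost.exe'` / `+ '*\taskhost.exe'` pair in this hunk is a no-op edit (the visible text is identical, so it is trailing whitespace or a line-ending change); dropping it keeps the diff to the single-line fix the commit message describes. Finally, since every `filter` entry widens the exclusion for a rule whose whole purpose is catching system-binary names running from unexpected locations, it would help to record in the rule's `falsepositives` or description which log source produces the `\SystemRoot\...` form, so a later reviewer can tell a deliberate exclusion from an accidental blind spot.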