fix: more FP reductions

rkondracki · Nov 9, 2019 · 8cc16d2 · 8cc16d2
1 parent 038f205
commit 8cc16d2
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
@@ -26,5 +26,5 @@ detection:
     condition: selection and 1 of keywords or selection2
 falsepositives:
     - Unknown (data set is too small; further testing needed)
-level: high
+level: medium
 
diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml
@@ -1,6 +1,6 @@
 title: Suspicious Userinit Child Process
 status: experimental
-description: Detects the creation of a process from Windows task manager
+description: Detects a suspicious child process of userinit
 references: 
     - https://twitter.com/SBousseaden/status/1139811587760562176
 author: Florian Roth (rule), Samir Bousseaden (idea)
@@ -11,14 +11,14 @@ logsource:
 detection:
     selection:
         ParentImage: '*\userinit.exe'
-    filter:
-        CommandLine:
-            - '*\explorer.exe*'
-            - '*\\netlogon\\*'
-    condition: selection and not filter
+    filter1:
+        CommandLine: '*\\netlogon\\*'
+    filter2:
+        Image: '*\explorer.exe'
+    condition: selection and not filter1 and not filter2
 fields:
     - CommandLine
     - ParentCommandLine
 falsepositives:
     - Administrative scripts
-level: high
+level: medium