From 191ec931cd272649110272ab4e07e52ecc427e70 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 8 Apr 2024 09:20:37 +0200
Subject: [PATCH] fix: FP with chocolatey shimgen tool

---
 .../proc_creation_win_csc_susp_dynamic_compilation.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
index 3770cb5619f..e0b20b59acc 100644
--- a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
+++ b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
@@ -10,7 +10,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
 author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
 date: 2019/08/24
-modified: 2023/10/27
+modified: 2024/04/08
 tags:
     - attack.defense_evasion
     - attack.t1027.004
@@ -52,7 +52,9 @@ detection:
     filter_main_w3p:
         ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
     filter_optional_chocolatey:
-        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
+        ParentImage: # Chocolatey https://chocolatey.org/
+            - 'C:\ProgramData\chocolatey\choco.exe'
+            - 'C:\ProgramData\chocolatey\tools\shimgen.exe'
     filter_optional_defender:
         ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
     filter_optional_ansible:
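Review bot: The added `shimgen.exe` entry in `filter_optional_chocolatey` carries no explanation of why that parent legitimately spawns csc.exe, whereas the neighbouring `filter_main_w3p` line cites a reference; someone re-tuning this rule later has only the commit title to go on. Suggest keeping the context next to the value, e.g. `- 'C:\ProgramData\chocolatey\tools\shimgen.exe' # shimgen appears to invoke csc.exe when generating shims — confirm before widening`. Both list entries are exact full-path matches on ParentImage, so the exclusion applies only to processes whose parent image path equals one of these two strings, which is the intended scope for an optional filter and worth stating so nobody loosens it to a `|contains` match. If the rule's `falsepositives` section (outside this hunk) still names only Chocolatey package installs, it should be extended to mention shim generation as well.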