fix: new FP filter for RAS TSplus

phantinuss · Jan 18, 2024 · 658f5c5 · 658f5c5
1 parent 72e511a
commit 658f5c5
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
@@ -6,7 +6,7 @@ references:
     - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
 date: 2019/05/15
-modified: 2023/04/20
+modified: 2024/01/18
 tags:
     - attack.lateral_movement
     - attack.t1021.001
@@ -61,6 +61,10 @@ detection:
         Image|endswith: '\Ranger\SentinelRanger.exe'
     filter_optional_firefox:
         Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
+    fiter_optional_tsplus:  # Some RAS
+        Image|endswith:
+            - ':\Program Files\TSplus\Java\bin\HTML5service.exe'
+            - ':\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
     filter_optional_null:
         Image: null
     filter_optional_empty: