From 658f5c5afa92834086890544fa3edcc612a1aa9b Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 18 Jan 2024 15:32:33 +0100
Subject: [PATCH] fix: new FP filter for RAS TSplus

---
 ..._connection_win_rdp_outbound_over_non_standard_tools.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
index d35116b2f46..a2c9b6d0ccb 100644
--- a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
@@ -6,7 +6,7 @@ references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
 date: 2019/05/15
-modified: 2023/04/20
+modified: 2024/01/18
 tags:
 - attack.lateral_movement
 - attack.t1021.001
@@ -61,6 +61,10 @@ detection:
 Image|endswith: '\Ranger\SentinelRanger.exe'
 filter_optional_firefox:
 Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
+ fiter_optional_tsplus: # Some RAS
+ Image|endswith:
+ - ':\Program Files\TSplus\Java\bin\HTML5service.exe'
+ - ':\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
 filter_optional_null:
 Image: null
 filter_optional_empty:
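Review bot: The new selection key is misspelled as `fiter_optional_tsplus`; every sibling filter in this hunk is prefixed `filter_optional_`, and if the rule's condition (outside this hunk) excludes them with a wildcard such as `1 of filter_optional_*`, the TSplus entry is never referenced and the false-positive filter silently has no effect. Rename it to `filter_optional_tsplus: # Some RAS` and leave the `Image|endswith` list beneath it unchanged. The inline comment `# Some RAS` also gives the next maintainer no reason why this binary is expected to open outbound RDP connections; a comment like `# TSplus Remote Access (RAS) HTML5 gateway service — presumably brokers RDP to backend hosts, confirm` would make the exclusion reviewable. Keep in mind that a path-only `Image|endswith` exclusion is satisfied by anything dropped at that path, so this belongs in the optional tier exactly as written. The `detection:` block and its `condition` begin and end outside this hunk.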