fix: add optional filter for MS Edge update

phantinuss · Apr 4, 2024 · 94c2372 · 94c2372
1 parent 239d86d
commit 94c2372
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
 date: 2022/01/13
-modified: 2024/02/09
+modified: 2024/04/04
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -49,7 +49,16 @@ detection:
             - ':\Windows\Installer\'
             - '.tmp'
             - 'zzzzInvokeManagedCustomActionOutOfProc'
-    condition: selection and not 1 of filter_main_*
+    filter_optional_EdgeUpdate:
+        ParentCommandLine|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
+            - '\EDGEMITMP_'
+            - '.tmp\setup.exe'
+            - '--install-archive='
+            - '--previous-version='
+            - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: medium