From 94c2372ac30d30b38c7f81a5df221df3e571494d Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 4 Apr 2024 09:52:57 +0200
Subject: [PATCH] fix: add optional filter for MS Edge update
---
 ...creation_win_rundll32_uncommon_dll_extension.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
index 8725e532d05..26141b85ef4 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
 date: 2022/01/13
-modified: 2024/02/09
+modified: 2024/04/04
 tags:
 - attack.defense_evasion
 - attack.t1218.011
@@ -49,7 +49,16 @@ detection:
 - ':\Windows\Installer\'
 - '.tmp'
 - 'zzzzInvokeManagedCustomActionOutOfProc'
- condition: selection and not 1 of filter_main_*
+ filter_optional_EdgeUpdate:
+ ParentCommandLine|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
+ - '\EDGEMITMP_'
+ - '.tmp\setup.exe'
+ - '--install-archive='
+ - '--previous-version='
+ - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: medium
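Review bot: The new `filter_optional_EdgeUpdate` exclusion in the second hunk is keyed only on `ParentCommandLine`, and every string it requires lives under `:\Users\...\AppData\Local\Microsoft\EdgeUpdate\Install\{`, a location that is normally writable by the logged-on user, so an unprivileged process that names itself `...\EDGEMITMP_x.tmp\setup.exe` and passes the same arguments can launch rundll32 with any uncommon-extension DLL and fall out of this rule. Nothing in the filter constrains the child rundll32 `CommandLine` itself; once sampled from real Edge updates, a `CommandLine|contains` clause naming the DLL the updater actually invokes would narrow the exclusion to that case without losing the false-positive fix. Keeping the `filter_optional_` prefix is the right call, and a one-line comment on the filter would help tuners: `# Optional: excludes the Edge updater by parent command line only (user-writable path, spoofable); drop it if rundll32 under setup.exe must be reviewed.` The `falsepositives: - Unknown` context line is now stale and should name the case the commit handles, e.g. `- Microsoft Edge update (EdgeUpdate\Install\...\setup.exe, see filter_optional_EdgeUpdate)`.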