From 038f205f0f88510b503c41336d1f5724e95737d3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Nov 2019 23:32:53 +0100
Subject: [PATCH] fix: FPs with UserInitMprLogonScript rule

---
 .../sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
index 2453d5214de..64e171ad8ce 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@@ -15,8 +15,9 @@ detection:
     exec_selection:
         EventID: 1 # Migration to process_creation requires multipart YAML
         ParentImage: '*\userinit.exe'
-    exec_exclusion:
+    exec_exclusion1:
         Image: '*\explorer.exe'
+    exec_exclusion2:
         CommandLine: '*\netlogon.bat'
     create_selection_cli:
         EventID:
@@ -33,7 +34,7 @@ detection:
     create_keywords_cli:
         CommandLine:
             - '*UserInitMprLogonScript*'
-    condition: (exec_selection and not exec_exclusion) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli)
+    condition: (exec_selection and not exec_exclusion1 and not exec_exclusion2) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli)
 falsepositives:
     - exclude legitimate logon scripts
     - penetration tests, red teaming
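Review bot: The two exclusions introduced on the `+` lines match by suffix only, and because the single map was split into two, either one now suppresses the event on its own (fields inside one Sigma map are ANDed, so the old form required both explorer.exe and netlogon.bat together). `exec_exclusion2` therefore drops any child of userinit.exe whose command line ends in `\netlogon.bat`, wherever that file lives, and `exec_exclusion1` any image path ending in `\explorer.exe`; that is wider than the legitimate NETLOGON share script the false positive came from. Consider anchoring both to the locations they are actually launched from, e.g. `CommandLine: '*\<LOGON_SHARE_PATH placeholder>\netlogon.bat'` and `Image: 'C:\Windows\explorer.exe'`, so the suppression covers the known-good case and nothing more. A comment above the two maps would also stop the next editor from merging them back into one: `# two separate maps on purpose: either match alone suppresses; one map would require both`. The detection: block continues outside the hunk.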
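Review bot: The new `condition` line is over 160 characters and `not exec_exclusion1 and not exec_exclusion2` has to grow by a clause each time another exclusion is added. If the targeted backends support the `1 of` aggregation with a name pattern, `condition: (exec_selection and not 1 of exec_exclusion*) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli)` expresses the same logic and picks up future `exec_exclusionN` entries automatically; a folded scalar (`condition: >-`) would in any case let the expression wrap under the line-length limit. `create_selection_reg` and `create_keywords_reg` are defined outside this hunk, so only the exec branch was reviewed here.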