From ac18788f3458d6b27652928ddf7039580c0c1ca4 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 11 Apr 2024 13:29:16 +0200
Subject: [PATCH] Add filter gpo

---
 ...e_event_win_shell_write_susp_files_extensions.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index 31509a82012..5f5227cad78 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -9,7 +9,7 @@ references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
-modified: 2024/04/04
+modified: 2024/04/11
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -54,6 +54,16 @@ detection:
             - ':\Users\'
             - '\AppData\Local\Temp\__PSScriptPolicyTest_'
         TargetFilename|endswith: '.ps1'
+    filter_main_script_gpo_machine:
+        Image: 'C:\Windows\system32\svchost.exe'
+        TargetFilename|contains|all:
+            - ':\Windows\System32\GroupPolicy\DataStore\'
+            - '\sysvol\'
+            - '\Policies\'
+            - '\Machine\Scripts\Startup\'
+        TargetFilename|endswith:
+            - '.ps1'
+            - '.bat'
     condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
     - Unknown
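Review bot: The new `Image: 'C:\Windows\system32\svchost.exe'` in `filter_main_script_gpo_machine` hard-codes the system drive, while every `TargetFilename` value in the same filter and in the neighbouring filter uses the drive-agnostic `':\...'` form; on hosts where Windows is not installed on C: the filter never matches and the rule keeps firing on the Group Policy client's script cache. Using the same convention as the surrounding values, `Image|endswith: '\Windows\System32\svchost.exe'`, keeps the exclusion as narrow as the path checks already make it and removes the inconsistency. It is also worth stating in the filter what is being excluded, since the added path conditions appear to describe the local GPO cache under `GroupPolicy\DataStore` rather than the domain SYSVOL share, and a tampered startup script distributed through a GPO would land in exactly that path and be excluded here; a one-line comment such as `# GP client caching Machine startup scripts locally; GPO/SYSVOL tampering must be covered by other rules` would make the trade-off explicit for the next maintainer. The `detection` mapping that this filter belongs to begins above the hunk, so the `selection_*` definitions it is combined with are not visible in this change.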