Closed leemidgley closed 2 years ago
Should be the rule id: a96970af-f126-420d-90e1-d37bf25e50e1 (proc_creation_win_ntfs_short_name_path_use_image.yml). @nasbench, can we add this filter?
```yaml
filter_installshield:
    - Product: 'InstallShield (R)'
    - Description: 'InstallShield (R) Setup Engine'
    - Company: 'InstallShield Software Corporation'
```
Yes. It's a good filter since we can't control this one. We can be safe and filter the parent process + image name, but there might be other binaries used with this. So the filter you proposed, frack, is good in my opinion.
Thank you for this.
Hello, not sure if you can help with this also, which is a High Level one.
InstallShield setup.exe extracting and executing using an 8.3 path (this is something I don't have control of, that I know of):
```text
TerminalSessionId: 1
ProcessGuid: C784477D-A9C4-62FE-6B06-000000003000
ProcessId: 3424
Product: InstallShield (R)
Description: InstallShield (R) Setup Engine
Company: InstallShield Software Corporation
ParentProcessGuid: C784477D-D342-62FD-0F00-000000003000
User: DESKTOP-123\lee
OriginalFileName: iKernel.exe
ParentImage: C:\Windows\System32\svchost.exe
FileVersion: 6, 31, 100, 1221
ParentProcessId: 840
CurrentDirectory: C:\Windows\system32\
CommandLine: C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -Embedding
EventID: 1
LogonGuid: C784477D-D347-62FD-1DD8-030000000000
LogonId: 251933
Image: C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe
IntegrityLevel: High
ParentCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p
UtcTime: 2022-08-18 21:06:12.777
RuleName: -
```
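To show how the proposed `filter_installshield` block interacts with the short-name detection on the event posted above, here is an added, stand-alone Python example. It is not part of this thread or of the SigmaHQ rule: the actual selection logic of `proc_creation_win_ntfs_short_name_path_use_image.yml` is not quoted here, so the regex below is an assumption that approximates "Image contains an 8.3 short-name component". The first event reproduces the fields from the Sysmon record in this issue; the other two are constructed to exercise the filter and a non-matching path. The filter follows the YAML as proposed (a list of maps, which Sigma evaluates as OR across the maps).

```python
import re
from typing import Dict, List, Optional

# Constructed sample events. EVENTS[0] reproduces the relevant fields of the
# Sysmon EventID 1 record posted in this issue; EVENTS[1] and EVENTS[2] are
# made up here to show an alerting case and a non-matching long path.
EVENTS: List[Dict[str, str]] = [
    {
        "EventID": "1",
        "Image": r"C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe",
        "CommandLine": r"C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -Embedding",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Product": "InstallShield (R)",
        "Description": "InstallShield (R) Setup Engine",
        "Company": "InstallShield Software Corporation",
    },
    {   # constructed: short-name path, no vendor metadata -> should alert
        "EventID": "1",
        "Image": r"C:\Users\lee\APPDAT~1\Local\Temp\UPDATE~1.exe",
        "CommandLine": r"C:\Users\lee\APPDAT~1\Local\Temp\UPDATE~1.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Product": "-",
        "Description": "-",
        "Company": "-",
    },
    {   # constructed: ordinary long path -> selection does not match
        "EventID": "1",
        "Image": r"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe",
        "CommandLine": r"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe -Embedding",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Product": "InstallShield (R)",
        "Description": "InstallShield (R) Setup Engine",
        "Company": "InstallShield Software Corporation",
    },
]

# Assumption: approximation of the rule's selection. An NTFS 8.3 short name is
# up to six characters, a tilde and a number (e.g. PROGRA~2), optionally with a
# short extension, bounded by a backslash on both sides or by the path end.
SHORT_NAME = re.compile(r"(^|\\)[^\\]{1,6}~\d+(\.[^\\.]{1,3})?(\\|$)", re.IGNORECASE)

# The filter exactly as proposed in the thread: a list of single-key maps,
# which Sigma evaluates as OR across the list entries (AND within one map).
FILTER_INSTALLSHIELD: List[Dict[str, str]] = [
    {"Product": "InstallShield (R)"},
    {"Description": "InstallShield (R) Setup Engine"},
    {"Company": "InstallShield Software Corporation"},
]


def filter_matches(event: Dict[str, str], filter_list: List[Dict[str, str]]) -> bool:
    """True if any map in the list is fully satisfied by the event (Sigma list-of-maps semantics)."""
    return any(all(event.get(k) == v for k, v in m.items()) for m in filter_list)


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return the offending Image path when the event should alert, else None.

    Mirrors 'condition: selection and not filter_installshield'.
    """
    if event.get("EventID") != "1":
        return None
    if not SHORT_NAME.search(event.get("Image", "")):
        return None  # selection did not match
    if filter_matches(event, FILTER_INSTALLSHIELD):
        return None  # known-benign InstallShield engine, suppressed
    return event["Image"]


def run(events: List[Dict[str, str]]) -> List[str]:
    """Evaluate a batch of events and return the Image of each alert."""
    return [hit for hit in (evaluate(e) for e in events) if hit]


if __name__ == "__main__":
    for e in EVENTS:
        verdict = evaluate(e)
        print("ALERT  " if verdict else "ignore ", e["Image"])
```

Running it shows the posted IKernel.exe event being suppressed by the filter while the constructed short-name path without vendor metadata still alerts. Note the trade-off nasbench describes: the filter keys on PE version-info fields, which are more specific than the parent process alone but still only as trustworthy as the binary's own metadata, so the suppression is a tuning decision rather than a verification of the binary.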