elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Persistence via Update Orchestrator Service Hijack #946

Closed jonasdlm closed 3 years ago

jonasdlm commented 3 years ago

Description

MusNotifyIcon.exe can also be added to the list of excluded process names. It's the exe that shows the icon in the taskbar when there are updates available.

event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.parent.args:(UsoSvc or usosvc) and not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe or MusNotifyIcon.exe)

Example Data

Process Create:
RuleName: -
UtcTime: 2021-02-15 13:59:53.536
ProcessGuid: {827a5d7a-7e59-602a-d501-000000005001}
ProcessId: 15012
Image: C:\Windows\System32\MusNotifyIcon.exe
FileVersion: 10.0.17763.529 (WinBuild.160101.0800)
Description: MusNotifyIcon.exe
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: MusNotifyIcon.exe
CommandLine: %%systemroot%%\system32\MusNotifyIcon.exe NotifyTrayIcon 10
CurrentDirectory: C:\Windows\system32\
TerminalSessionId: 1
IntegrityLevel: Medium
ParentProcessGuid: {827a5d7a-7ceb-602a-6e01-000000005001}
ParentProcessId: 6776
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
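
The following is an added example, not code from the issue or from the detection-rules project: it parses a Sysmon "Process Create" message (the flattened one-line form pasted above or the multi-line form from the event log), maps the fields the query needs onto the ECS names the KQL uses, and evaluates the tuned rule with the exclusion list from the issue. Running it on the MusNotifyIcon.exe event shows it is now excluded, while a constructed event for an unknown child of the UsoSvc svchost still fires. The second event, its paths and GUIDs are constructed placeholders; the parser and the case-insensitive comparison (which is why the KQL lists both spellings of each name) are assumptions of this example, not the rule engine's own implementation.

```python
import re

# Field labels Sysmon uses in an event ID 1 (Process Create) message, in order.
SYSMON_FIELDS = [
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
    "Description", "Product", "Company", "OriginalFileName", "CommandLine",
    "CurrentDirectory", "TerminalSessionId", "IntegrityLevel",
    "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine",
]

# Process names excluded by the tuned query in the issue (MusNotifyIcon.exe added),
# stored lower-cased so the comparison is case-insensitive.
EXCLUDED = {"usoclient.exe", "musnotification.exe", "musnotificationux.exe", "musnotifyicon.exe"}

# The event pasted in the issue, as it appears there (one flattened line).
ISSUE_EVENT = (
    "Process Create: RuleName: - UtcTime: 2021-02-15 13:59:53.536 ProcessGuid: {827a5d7a-7e59-602a-d501-000000005001} "
    "ProcessId: 15012 Image: C:\\Windows\\System32\\MusNotifyIcon.exe FileVersion: 10.0.17763.529 (WinBuild.160101.0800) "
    "Description: MusNotifyIcon.exe Product: Microsoft® Windows® Operating System Company: Microsoft Corporation "
    "OriginalFileName: MusNotifyIcon.exe CommandLine: %%systemroot%%\\system32\\MusNotifyIcon.exe NotifyTrayIcon 10 "
    "CurrentDirectory: C:\\Windows\\system32\\ TerminalSessionId: 1 IntegrityLevel: Medium "
    "ParentProcessGuid: {827a5d7a-7ceb-602a-6e01-000000005001} ParentProcessId: 6776 "
    "ParentImage: C:\\Windows\\System32\\svchost.exe ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s UsoSvc"
)

# Constructed event (placeholder path and GUIDs): an unknown binary started by the UsoSvc svchost.
CONSTRUCTED_EVENT = (
    "Process Create: RuleName: - UtcTime: 2021-02-15 14:02:11.000 ProcessGuid: {00000000-0000-0000-0000-000000000001} "
    "ProcessId: 4242 Image: C:\\Windows\\Temp\\unknown_child.exe Description: - Product: - Company: - "
    "OriginalFileName: - CommandLine: C:\\Windows\\Temp\\unknown_child.exe CurrentDirectory: C:\\Windows\\Temp\\ "
    "TerminalSessionId: 0 IntegrityLevel: System ParentProcessGuid: {00000000-0000-0000-0000-000000000002} "
    "ParentProcessId: 6776 ParentImage: C:\\Windows\\System32\\svchost.exe "
    "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s UsoSvc"
)


def parse_sysmon_process_create(text):
    """Return a dict of Sysmon field -> value for a Process Create message.

    Newlines are collapsed so the one-line and multi-line forms parse alike; each
    value runs from its label up to the next known label (values may contain spaces)."""
    body = text.split("Process Create:", 1)[1] if "Process Create:" in text else text
    body = " ".join(body.split())
    labels = "|".join(re.escape(f) for f in SYSMON_FIELDS)
    regex = re.compile(r"(%s): (.*?)(?= (?:%s): |$)" % (labels, labels))
    return {m.group(1): m.group(2).strip() for m in regex.finditer(body)}


def to_ecs(ev):
    """Map the Sysmon fields the query needs onto the ECS field names used in the KQL."""
    return {
        "event.category": "process",
        "event.type": "start",
        "process.name": ev["Image"].rsplit("\\", 1)[-1],
        "process.parent.name": ev["ParentImage"].rsplit("\\", 1)[-1],
        "process.parent.args": ev["ParentCommandLine"].split(),
    }


def rule_matches(doc):
    """Evaluate the tuned query from the issue; True means the rule would alert."""
    if doc["event.category"] != "process" or doc["event.type"] not in ("start", "process_started"):
        return False
    if doc["process.parent.name"].lower() != "svchost.exe":
        return False
    if not any(arg.lower() == "usosvc" for arg in doc["process.parent.args"]):
        return False
    return doc["process.name"].lower() not in EXCLUDED


def evaluate(text):
    """Parse one Sysmon message and return (process.name, alerts?)."""
    doc = to_ecs(parse_sysmon_process_create(text))
    return doc["process.name"], rule_matches(doc)


if __name__ == "__main__":
    for raw in (ISSUE_EVENT, CONSTRUCTED_EVENT):
        name, alerts = evaluate(raw)
        print("%-24s alert=%s" % (name, alerts))
```

The exclusion list is a single module constant, so further tuning (another benign child of the UsoSvc host, for instance) is one entry rather than a query rewrite, and the parser doubles as a way to replay pasted Sysmon events from issue reports against a rule before committing a change.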

Samirbous commented 3 years ago

Thanks, this PR should address this FP.

willemdh commented 3 years ago

@Samirbous process.name WerFault.exe should also be excluded.