fix: specify image and loaded image

SavinSpring · May 16, 2023 · 06ec405 · 06ec405
1 parent 9da42e4
commit 06ec405
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -466,9 +466,11 @@ detection:
         Image|startswith:
             - 'C:\Program Files\CheckPoint\'
             - 'C:\Program Files (x86)\CheckPoint\'
+        Image|endswith: '\SmartConsole.exe'
         ImageLoaded|startswith:
             - 'C:\Program Files\CheckPoint\'
             - 'C:\Program Files (x86)\CheckPoint\'
+        ImageLoaded|endswith: '\PolicyManager.dll'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate applications loading their own versions of the DLLs mentioned in this rule