From 4b58d7634bfd2c9e0080f4ffc19fc6b84b9100dd Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 15 Jan 2025 20:14:42 +0000
Subject: [PATCH] Sigma Rule Update (2025-01-15 20:14:35) (#807)

Co-authored-by: hach1yon
---
 .../file_event_win_exploit_cve_2023_36874_wermgr_creation.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
index 657cf0701..a2dbfef89 100644
--- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
+++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml
@@ -10,7 +10,7 @@ references:
     - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-08-23
-modified: 2023-10-08
+modified: 2025-01-13
 tags:
     - attack.execution
     - cve.2023-36874
@@ -34,6 +34,7 @@ detection:
             - :\Windows\SysWOW64\
             - :\Windows\WinSxS\
             - :\WUDownloadCache\ # Windows Update Download Cache
+            - :\Windows\SoftwareDistribution\Download\
     condition: file_event and (selection and not 1 of filter_main_*)
 falsepositives:
     - Unknown
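Review bot: The new exclusion `:\Windows\SoftwareDistribution\Download\` in the second hunk is added without the inline rationale its neighbour carries, and the `falsepositives` section a few lines below still reads `Unknown` even though this filter documents a known benign source; the rule's consumers tune on that field. I would annotate the new entry like the `WUDownloadCache` line, e.g. `- :\Windows\SoftwareDistribution\Download\ # Windows Update download staging folder`, and replace the `- Unknown` entry with a sentence naming Windows Update servicing as an expected source of wermgr.exe file events in that path. Each added path filter widens the blind spot of a rule whose whole purpose is wermgr.exe appearing outside expected locations, so the note should state that this directory is not writable by standard users; the `filter_main_*` selection header and its field modifier sit above this hunk and are not visible here, so I cannot confirm whether the match is `contains` or `startswith`. The enclosing `detection` block begins outside the hunk.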