Merge PR #5229 from @dsplice - Update Potential APT FIN7 Exploitation Activity

dsplice · web-flow · commit 78a78c79ffd2 · 2025-03-16T03:19:44.000+01:00
update: Potential APT FIN7 Exploitation Activity - Add false positive description
diff --git a/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
@@ -25,5 +25,5 @@ detection:
         Image|endswith: '\notepad++.exe'
     condition: 1 of selection_*
 falsepositives:
-    - Unknown
+    - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
 level: medium
