Update 900000-exclusion_rules.xml

2025-10-23 08:12:16 +00:00 · 2025-02-11 15:07:45 -06:00
parent d861b470dc
commit 925b4070a6
1 changed files with 7 additions and 0 deletions
--- a/Rules/900000-exclusion_rules.xml
+++ b/Rules/900000-exclusion_rules.xml
@@ -629,4 +629,11 @@
    <description>Exceptions AD Sync.</description>
    <options>no_full_log</options>
  </rule>
+  <!-- Lower cleanmgr -->
+  <rule id="900090" level="3">
+    <if_sid>92213</if_sid>
+    <field name="win.eventdata.image" type="pcre2">(?i)^C:\\\\Windows\\\\system32\\\\cleanmgr\.exe$</field>
+    <description>Executable file dropped in folder commonly used by malware.</description>
+    <options>no_full_log</options>
+  </rule>
 </group>