From ba0968d043d23f8cc8c014a467c47795c5c11920 Mon Sep 17 00:00:00 2001
From: Thane Gill <me@thanegill.com>
Date: Wed, 24 Jul 2024 14:35:00 -0700
Subject: [PATCH] Add Exception to 100502 for SCCM `Windows\CCM\CcmExec.exe`

---
 Windows_Sysmon/100100-MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Windows_Sysmon/100100-MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml b/Windows_Sysmon/100100-MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml
index 6787cdf..32d38a9 100644
--- a/Windows_Sysmon/100100-MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml
+++ b/Windows_Sysmon/100100-MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml
@@ -976,7 +976,7 @@
     <if_sid>100100</if_sid>
     <field name="win.eventdata.image">powershell.exe$|pwsh.exe$</field>
     <field name="win.eventdata.commandLine">ExecutionPolicy Bypass</field>
-    <field name="win.eventdata.parentImage" negate="yes">cmd.exe$|explorer.exe$|wazuh-agent.exe$|^C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe$</field>
+    <field name="win.eventdata.parentImage" negate="yes">cmd.exe$|explorer.exe$|wazuh-agent.exe$|^C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe$|\\\\Windows\\\\CCM\\\\CcmExec.exe$</field>
     <description>Sysmon - Event 1: PowerShell Execution Policy Bypass detected.</description>
     <mitre>
       <id>T1548</id>