chore(rules): Exclude sysdir from Potential ClickFix infection chain rule

rabbitstack · rabbitstack · commit a91720f1e35c · 2026-02-08T16:10:19.000+01:00
diff --git a/rules/initial_access_potential_clickfix_infection_chain.yml b/rules/initial_access_potential_clickfix_infection_chain.yml
@@ -1,6 +1,6 @@
 name: Potential ClickFix infection chain
 id: ffe1fc54-2893-4760-ab50-51a83bd71d13
-version: 2.0.0
+version: 2.0.1
 description: |
   Identifies the execution of the process via the Run command dialog box, Windows Console shortuct, or Explorer address bar
   followed by spawning of the potential infostealer process.
@@ -36,8 +36,7 @@ condition: >
     |spawn_process and ps.exe not imatches
                               (
                                 '?:\\Program Files\\*.exe',
-                                '?:\\Program Files (x86)\\*.exe',
-                                '?:\\Windows\\System32\\*.exe'
+                                '?:\\Program Files (x86)\\*.exe'
                               )
     | by ps.parent.uuid
 action:
