[Bug] Suspicious Windows Service DLL Creation

[FideliusFalcon]

Describe the bug
Setup.exe via DismHost.exe is triggering the "Suspicious Windows Service DLL Creation" (2c624716-75a1-42d9-bcb8-1defcb9bded9) when Windows is updating

process.executable: C:\Windows\SystemTemp\{GUID}\DismHost.exe
process.parent.executable: C:\$WINDOWS.~BT\Sources\SetupHost.exe

Desktop (please complete the following information):

• OS: Microsoft Windows
• Version: 11 Pro

Additional context
For now, we have seen this on:

• Windows 11 Pro (10.0.22631.4169)
• Windows 11 Pro (10.0.26100.1742)

[joe-desimone]

@FideliusFalcon thank you for reporting. We have tuned the associated rule and expect the change to be released in a day or so.

[Samirbous]

@FideliusFalcon thank you for reporting. The rule was updated

protections-artifacts/behavior/rules/windows/persistence_suspicious_windows_service_dll_creation.toml

Line 45 in 489119d

"C:\\Windows\\SystemTemp\\*\\DismHost.exe") and