From 17ade8e5f596c1ec48584733dc34cd9410f61aa5 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 20:07:53 -0300
Subject: [PATCH] Update sysmon_susp_download_run_key.yml
---
 .../registry_event/sysmon_susp_download_run_key.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
index 963cbfc9..06e47352 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -16,11 +16,11 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\Downloads\\*'
- - '*\Temporary Internet Files\Content.Outlook\\*'
- - '*\Local Settings\Temporary Internet Files\\*'
- TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+ Image|contains:
+ - '\Downloads\\'
+ - '\Temporary Internet Files\Content.Outlook\\'
+ - '\Local Settings\Temporary Internet Files\\'
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\'
 condition: selection
 falsepositives:
 - Software installers downloaded and used by users
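Review bot: The new `TargetObject|contains` value is still anchored on `\SOFTWARE\Microsoft\`, so a Run-key write recorded under the 32-bit registry view (`\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\`) would presumably not match. Since the selection is being rewritten anyway, consider making it a list holding both `'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'` and `'\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\'`. Separately, the trailing `\\` on all four values looks like a leftover from the old `\\*` form, where the doubled backslash kept the wildcard from being escaped. With `contains` and no trailing wildcard, a single `\` should be equivalent and matches the single-backslash separators used in the rest of each string, though it is worth confirming against the converter backends in use.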