refactor: new way to write that rule

2024-11-07 09:48:58 +00:00 · 2020-07-03 11:20:36 +02:00 · 2020-07-03 11:20:36 +02:00 · 3111ab8396
commit 3111ab8396
parent d12b8347dc
1 changed files with 4 additions and 4 deletions
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@ -23,11 +23,11 @@ logsource:
    product: windows
 detection:
    selection1:
-        ParentCommandLine: '*\DllHost.exe *'
+        ParentCommandLine|contains: '\DllHost.exe '
    selection2:
-        ParentCommandLine:
-            - '*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
-            - '*{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
+        ParentCommandLine|endswith:
+            - '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+            - '{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
    condition: selection1 and selection2
 fields:
    - CommandLine