From 5248f83fb3c52cfa38047faf5e4bb0ed15bec82e Mon Sep 17 00:00:00 2001
From: zinint
Date: Mon, 21 Oct 2019 23:46:11 +0300
Subject: [PATCH] Update sysmon_xsl_script_processing.yml
---
 rules/windows/sysmon/sysmon_xsl_script_processing.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml
index 24eb7c8f..9b546215 100644
--- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml
+++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml
@@ -18,15 +18,12 @@ detection:
 selection2:
 EventID: 1
 Image:
- 'C:\Windows\Temp\msxsl.exe'
- '*msxsl.exe*'
+ - '*\msxsl.exe*'
 condition: selection1 or selection2
-fields:
-
 falsepositives:
- WMIC.exe - depend on scripts and administrative methods used in the monitored environment
- msxsl.exe - is not installed by default so unlikely.
+ - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
+ - msxsl.exe is not installed by default so unlikely.
 level: medium
 tags:
 - attack.t1220
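Review bot: selection2 still identifies msxsl.exe only by the file name in `Image`, so a copy of the binary stored under a different name falls outside the selection; the falsepositives text notes the tool is not installed by default, which means its on-disk name is not fixed by the OS. Recent Sysmon versions record an `OriginalFileName` field in EventID 1, and a sibling selection such as `OriginalFileName: 'msxsl.exe'` (value to be confirmed against the binary's version resource) would keep coverage in that case. The trailing wildcard in `'*\msxsl.exe*'` is not needed for a full image path and also matches names that merely start with `msxsl.exe`; `'*\msxsl.exe'` is tighter. selection1 and the rest of the detection block lie outside this hunk, so whether the same applies there cannot be judged from here.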