From 7bef822da7c85f599076286f38c664f6d7b897ba Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 4 Sep 2019 16:31:49 +0200
Subject: [PATCH] rule: minor improvement to susp ps enc cmd
---
 rules/windows/process_creation/win_susp_powershell_enc_cmd.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index 18f2f513..ca539eb4 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -22,6 +22,7 @@ detection:
 - '* -e JAB*'
 - '* -e JAB*'
 - '* -enc JAB*'
+ - '* -enco JAB*'
 - '* -encodedcommand JAB*'
 - '* BA^J e-'
 - '* -e SUVYI*'
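Review bot: The list still enumerates abbreviations of `-EncodedCommand` one at a time, so the new `'* -enco JAB*'` entry closes one gap and leaves the neighbouring ones open. PowerShell accepts any unambiguous prefix of the parameter name, and the entries visible here (`-e`, `-enc`, `-enco`, full name) do not match the forms in between. I would add the remaining prefixes in the same style, e.g. `- '* -en JAB*'` and `- '* -encod JAB*'`, or move to a single regex-based selection if the target backends support one. The `SUVYI` group that starts on the last context line presumably needs the same set; the list begins before and continues past this hunk, so it may already cover some of these.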