From bea2daac4535939aaca95899d639af478c05bf6c Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 26 Oct 2019 07:55:44 +0200
Subject: [PATCH] modifed win_susp_msoffice.yml

---
 rules/windows/process_creation/win_susp_msoffice.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml
index cba66eb4..5dd0581f 100644
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@@ -19,7 +19,8 @@ detection:
 Image:
 - '*\powerpnt.exe'
 - '*\winword.exe'
- CommandLine: '* "http*'
+ - '*\excel.exe'
+ CommandLine: '* http*'
 condition: selection
 level: medium
 falsepositives:
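Review bot: The new `CommandLine: '* http*'` value replaces the old `'* "http*'` instead of extending it, so a command line where the URL argument is quoted (a space followed by `"http`) no longer satisfies the selection. Sigma treats a list of values under one field as OR, so keeping both forms closes that gap: `CommandLine: ['* http*', '* "http*']`. The unquoted form is also broader, so it will probably match more benign launches than before. The detection block starts above this hunk and the falsepositives list continues below it, so it is worth checking that the title, description and falsepositives entries now mention Excel and the wider match.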