Merge pull request #1515 from jbeley/master

Modified win_susp_rclone_exec.yml to detect renamed rclone executable…

rules/windows/process_creation/win_susp_rclone_exec.yml

@@ -11,16 +11,11 @@ tags:
     - attack.t1567.002
 falsepositives:
     - Legitimate Rclone usage (rare)
-level: high 
+level: high
 logsource:
     product: windows
     category: process_creation
 detection:
-    exec_selection:
-        Image|endswith: '\rclone.exe'
-        ParentImage|endswith:
-            - '\PowerShell.exe'
-            - '\cmd.exe'
     command_selection:
         CommandLine|contains:
             - ' pass '
@@ -32,4 +27,6 @@ detection:
             - ' lsd '
             - ' remote '
             - ' ls '
-    condition: exec_selection and 1 of command_selection
+    description_selection:
+      Description: 'Rsync for cloud storage'
+    condition: 1 of command_selection and description_selection