From c47fb4708f72d0178063f8c9bbf9bba5828e444b Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 18:21:32 -0300
Subject: [PATCH] Update win_powershell_download.yml
---
 .../process_creation/win_powershell_download.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index e142a17d..972f5099 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -13,12 +13,12 @@ logsource:
 product: windows
 detection:
 selection:
- Image: '*\powershell.exe'
- CommandLine:
- - '*new-object system.net.webclient).downloadstring(*'
- - '*new-object system.net.webclient).downloadfile(*'
- - '*new-object net.webclient).downloadstring(*'
- - '*new-object net.webclient).downloadfile(*'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'new-object system.net.webclient).downloadstring('
+ - 'new-object system.net.webclient).downloadfile('
+ - 'new-object net.webclient).downloadstring('
+ - 'new-object net.webclient).downloadfile('
 condition: selection
 fields:
 - CommandLine
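Review bot: The `Image|endswith: '\powershell.exe'` selector still covers only Windows PowerShell, so the same WebClient download calls launched from PowerShell 7 (`pwsh.exe`) would not match; consider making it a list, `Image|endswith:` with `- '\powershell.exe'` and `- '\pwsh.exe'`. The four `CommandLine|contains` values are contiguous literals, so a hit depends on the logged command line carrying exactly that spacing and namespace form. A `contains|all` pair (`'new-object'`, `'net.webclient'`) combined with a second selection on `'.downloadstring('` / `'.downloadfile('` would be less brittle, at the cost of some extra false positives to tune. The conversion from wildcards to modifiers itself looks equivalent to the old patterns. The rest of the rule (title, level, falsepositives) lies outside this hunk, so whether it already accounts for these gaps is not visible here.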