From d0bb6e9e81d842da3da6ce52ec325e24e791698a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Tue, 1 Dec 2020 21:24:57 +0300
Subject: [PATCH] Update lnx_file_deletion.yml

---
rules/linux/lnx_file_deletion.yml | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml
index a35f1401..e0648ec8 100644
--- a/rules/linux/lnx_file_deletion.yml
+++ b/rules/linux/lnx_file_deletion.yml
@@ -10,15 +10,13 @@ logsource:
 product: linux
 category: process_creation
 detection:
- keywords:
- - Commands|contains:
- - 'rm '
- - 'shred -u'
- - 'rmdir'
- - 'unlink'
- - 'busybox rm -f *'
- - 'find * -delete'
- condition: keywords
+ selection:
+ - ProcessName|endswith:
+ - '/rm'
+ - '/shred'
+ - '/unlink'
+ - '/busybox'
+ condition: selection
 falsepositives:
 - Legitimate administration activities
 level: low
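Review bot: The `/busybox` entry in the new selection fires on every invocation of the busybox multicall binary, not just `busybox rm`, because the selection keys only on the process name and no longer carries the command-line constraint the removed `busybox rm -f *` keyword had; on embedded or container hosts where busybox provides most utilities this makes a "file deletion" rule match almost everything. The rewrite also drops `rmdir` and `find * -delete`, so directory removal and find-based deletion are no longer covered at all. Consider adding `/rmdir` back to the list and gating busybox with a second selection such as `selection_busybox:` / `ProcessName|endswith: '/busybox'` / `CommandLine|contains: ' rm '`, combined in the condition. Finally, `ProcessName` does not appear to be the field the Sigma process_creation taxonomy uses for the executable path (that is normally `Image`); if it is intentional, verify that a backend field mapping exists for it, otherwise the rule will not convert.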