From d84281936b622d10a9de1d73f9cd2c7d97d5726d Mon Sep 17 00:00:00 2001
From: Timur Zinniatullin
Date: Sun, 18 Oct 2020 19:05:40 +0300
Subject: [PATCH] Update win_invoke_obfuscation_via_rundll.yml
---
 .../process_creation/win_invoke_obfuscation_via_rundll.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
index 80b0a025..4883f326 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- - CommandLine|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ - CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
 condition: selection
 falsepositives:
 - Unknown
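Review bot: The pattern on the new `CommandLine|re` line still requires `shell32\.dll` to follow `rundll32(?:\.exe)?` with only optional whitespace in between, so a command line logged with a quoted image path (`"...\rundll32.exe" shell32.dll,...`) would not match because of the closing `"`. If the process-creation sources this rule targets can record that form, allow the quote, e.g. `rundll32(?:\.exe)?\"?\s*shell32\.dll`. As a style point, `(?:\s+)?` is just `\s*`, and the leading `.*` is redundant if the backend searches rather than anchors `re` matches, which is not visible here and should be checked before dropping it. The rule's header (title, id, logsource category) lies outside the hunk, so the intended log source is inferred.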