Update win_termserv_proc_spawn.yml

2024-11-07 09:48:58 +00:00 · 2020-10-15 19:57:05 -03:00 · 2020-10-15 19:57:05 -03:00 · d9afa1aec6
commit d9afa1aec6
parent 737fbd1619
1 changed files with 5 additions and 3 deletions
--- a/rules/windows/process_creation/win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/win_termserv_proc_spawn.yml
@ -18,10 +18,12 @@ logsource:
    category: process_creation
 detection:
    selection:
-        ParentCommandLine: '*\svchost.exe*termsvcs'
+        ParentCommandLine|contains|all: 
+            - '\svchost.exe'
+            - 'termsvcs'
    filter:
-        Image: '*\rdpclip.exe'
+        Image|endswith: '\rdpclip.exe'
    condition: selection and not filter
 falsepositives:
    - Unknown
-level: high
+level: high