From f79342cc597b33a2071cb1e5b511e90f25ef88a2 Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov
Date: Thu, 15 Oct 2020 13:21:06 +0300
Subject: [PATCH] fixed image search

---
 rules/windows/process_creation/win_susp_diskshadow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml
index e55ab8ac..15f1d93a 100644
--- a/rules/windows/process_creation/win_susp_diskshadow.yml
+++ b/rules/windows/process_creation/win_susp_diskshadow.yml
@@ -15,7 +15,7 @@ logsource:
 definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
 detection:
 selection:
- Image: 'c:\windows\system32\diskshadow.exe'
+ Image|endswith: 'diskshadow.exe'
 CommandLine|contains:
 - '/s'
 condition: selection
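Review bot: The new `Image|endswith: 'diskshadow.exe'` selector is not anchored on the path separator, so any image whose file name merely ends in that string (for example `foodiskshadow.exe`) also satisfies the selection, which widens the match beyond the intent of the old exact-path line; the usual Sigma form is `Image|endswith: '\diskshadow.exe'`. Matching on the image name alone also means a renamed copy of the binary is not covered, so adding a Sysmon `OriginalFileName` condition alongside it, where the logsource provides that field, would make the rule more resilient without changing the `/s` command-line check. The unchanged `definition` context line still carries the typo `msut` and could be fixed in the same rule. The `logsource` block starts before this hunk and the rule's remaining fields lie outside it.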