fix: condition

SigmaHQ · Feb 3, 2023 · 7332939 · 7332939
1 parent 71c2be5
commit 7332939
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml
@@ -10,20 +10,22 @@ references:
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Oddvar Moe, Sander Wiebing, oscd.community
 date: 2020/10/12
-modified: 2021/12/31
+modified: 2023/02/03
 tags:
     - attack.t1112
     - attack.defense_evasion
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\regedit.exe'
+    selection_img:
+        - Image|endswith: '\regedit.exe'
+        - OriginalFileName: 'REGEDIT.EXE' 
+    selection_cli:
         CommandLine|contains:
             - ' /i '
             - '.reg'
-    selection_2:
+    selection_cli_re:
         CommandLine|re: ':[^ \\]'
     filter:
         CommandLine|contains:
@@ -33,7 +35,7 @@ detection:
             - ' -e '
             - ' -a '
             - ' -c '
-    condition: all of selection* and not filter
+    condition: all of selection_* and not filter
 fields:
     - ParentImage
     - CommandLine