From 04ff9ae69271b7abfcd818e4c73bf19fa81d2019 Mon Sep 17 00:00:00 2001
From: Roberto Rodriguez
Date: Fri, 15 Oct 2021 15:46:59 -0400
Subject: [PATCH] Updated at command rule to use Image field
---
 rules/linux/{ => process_creation}/at_command.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules/linux/{ => process_creation}/at_command.yml (94%)
diff --git a/rules/linux/at_command.yml b/rules/linux/process_creation/at_command.yml
similarity index 94%
rename from rules/linux/at_command.yml
rename to rules/linux/process_creation/at_command.yml
index 81e3802ea..bc79120c7 100644
--- a/rules/linux/at_command.yml
+++ b/rules/linux/process_creation/at_command.yml
@@ -11,7 +11,7 @@ logsource:
 category: process_creation
 detection:
 selection:
- ProcessName|endswith:
+ Image|endswith:
 - '/at'
 - '/atd'
 condition: selection
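Review bot: The `'/atd'` entry under `Image|endswith` matches the at daemon being launched (boot, service restart) rather than a job being scheduled, so once the rule is keyed on the standard `Image` field it will probably produce routine hits on hosts that simply run the service. I would either drop that entry or document it, for example with `# '/atd' is the daemon starting, expect hits at boot` next to the list or a matching line under `falsepositives`. The diffstat shows a single changed line, so no `modified:` date was added or bumped although the detection logic changed; `modified: 2021/10/15` would record it. The rule's title, level and `falsepositives` lie outside the hunk, so the first point may already be covered there.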