From 052cd2e9677d1d4b87c42db865fb63e8da683ec6 Mon Sep 17 00:00:00 2001
From: Vadim
Date: Tue, 3 Jan 2023 12:11:13 +0300
Subject: [PATCH] Update proc_creation_win_change_evtx_location.yml

---
 .../process_creation/proc_creation_win_change_evtx_location.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
index b21ea449c..4afdcd17f 100644
--- a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
@@ -19,7 +19,7 @@ detection:
 CommandLine|contains|all:
 - wevtutil
 - /lfn
- - \.evtx
+ - .evtx
 filter_cmd:
 CommandLine|contains: \Windows\System32\winevt\Logs
 condition: selection_cmd and not filter_cmd
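Review bot: The dropped backslash in `- \.evtx` is a real detection fix, not cosmetics: Sigma only treats `\` as an escape before the wildcards `*`, `?` and `\`, so the old value matched a literal backslash followed by `.evtx` and the selection effectively never fired on a normal `wevtutil sl ... /lfn:<path>.evtx` command line. Because this changes the detection logic, the rule's `modified` date field (outside the hunk) should be bumped per Sigma convention, and the commit title "Update ..." gives no hint of the reason. A short YAML comment on the new line would spare the next maintainer re-deriving it, e.g. `- .evtx  # no escaping needed: Sigma escapes only wildcard characters`. The `filter_cmd` value `\Windows\System32\winevt\Logs` is consistent with this, since those backslashes precede non-wildcard characters and are matched literally.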