From 08a018a2ee68438e5e9ddcff5d87a7fd304e68f8 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 19:49:12 -0300
Subject: [PATCH] Update win_susp_sysprep_appdata.yml

---
 rules/windows/process_creation/win_susp_sysprep_appdata.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
index 68c4260f4..daf98b204 100644
--- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
@@ -15,9 +15,9 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine:
-            - '*\sysprep.exe *\AppData\\*'
-            - sysprep.exe *\AppData\\*
+        CommandLine|contains|all:
+            - 'sysprep.exe'
+            - '\AppData\\'
     condition: selection
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
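Review bot: The new `CommandLine|contains|all` selection drops the ordering the old wildcard patterns enforced — `sysprep.exe` as the invoked binary followed by an `\AppData\` path in its arguments — so any process whose command line merely mentions both substrings, in either order, now fires (for example a `cmd.exe /c copy ...\AppData\...\sysprep.exe ...` or a script that references a sysprep.exe dropped under AppData). If that broadening is intended it should be stated in the rule's `description` (above the hunk) so tuning decisions downstream are informed; if not, anchor the executable separately, e.g. `Image|endswith: '\sysprep.exe'` plus `CommandLine|contains: '\AppData\\'`, which also survives argument reordering without matching unrelated processes. The kept `'\AppData\\'` value relies on Sigma treating `\\` as one literal backslash, which is correct but easy for a later editor to "fix" — a short comment next to it such as `# double backslash = literal '\' in Sigma, not an escape` would prevent that. The rule's `title`, `description` and `logsource` start outside the hunk.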