From 0e1ae89a5cab7c459e4188f8883dbc5f0c514b4f Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 19:30:56 -0300
Subject: [PATCH] Update win_susp_iss_module_install.yml
---
 .../windows/process_creation/win_susp_iss_module_install.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml
index 28305f82e..79e0debe3 100644
--- a/rules/windows/process_creation/win_susp_iss_module_install.yml
+++ b/rules/windows/process_creation/win_susp_iss_module_install.yml
@@ -15,8 +15,8 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
- - '*\APPCMD.EXE install module /name:*'
+ CommandLine|contains:
+ - '\APPCMD.EXE install module /name:'
 condition: selection
 falsepositives:
 - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
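Review bot: The `selection` in this hunk still matches one literal, `\APPCMD.EXE install module /name:`, so the rule only fires when the binary name, the verb and `/name:` appear back to back in that exact layout. A quoted image path or a different argument order would leave a process-creation event for the same activity unmatched. Matching the image and the command-line tokens separately keeps the intent without depending on layout. The rule lives under `rules/windows/process_creation/`, so `Image` should be available, but the `logsource` category line is outside the hunk and should be confirmed. The wider match may surface more legitimate admin installs, which the existing `falsepositives` entry already anticipates.

```yaml
detection:
    selection:
        Image|endswith: '\appcmd.exe'
        CommandLine|contains|all:
            - 'install'
            - 'module'
            - '/name:'
    # … unchanged: condition: selection …
```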