From 1114a25a2c29841069b439609fe38b236a360563 Mon Sep 17 00:00:00 2001
From: Hasan
Date: Tue, 15 Jun 2021 17:07:51 +0500
Subject: [PATCH] Removal of NODE from ALL filter for better coverage
---
 rules/windows/process_creation/win_susp_wmi_execution.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index 6c53498dc..165e41fd2 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
@@ -17,7 +17,6 @@ detection:
 Image|endswith: '\wmic.exe'
 selection2:
 CommandLine|contains|all:
- - '/NODE:'
 - 'process'
 - 'call'
 - 'create '