From 138b8fed06127f20f8ff0bb7fddd8b2d950a8519 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 19:59:36 -0300
Subject: [PATCH] Update win_webshell_recon_detection.yml
---
 .../win_webshell_recon_detection.yml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml
index ed874a0f6..5ecc3568d 100644
--- a/rules/windows/process_creation/win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/win_webshell_recon_detection.yml
@@ -17,19 +17,19 @@ logsource:
 detection:
 selection:
 ParentImage|contains:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
+ - '\apache'
+ - '\tomcat'
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
 Image|endswith:
- - '*\cmd.exe'
+ - '\cmd.exe'
 CommandLine|contains:
- - '*perl --help*'
- - '*python --help*'
- - '*wget --help*'
- - '*perl -h*'
+ - 'perl --help'
+ - 'python --help'
+ - 'wget --help'
+ - 'perl -h'
 condition: selection
 fields:
 - Image
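Review bot: The `CommandLine|contains` list is asymmetric: it carries a short help flag only for perl (`'perl -h'`), so a `cmd.exe` spawned by one of the listed web-server parents with `python -h` or `wget -h` on its command line would not match this selection. If the short forms are in scope for the rule, add `- 'python -h'` and `- 'wget -h'` next to the existing entries. Separately, the full executable names under `ParentImage|contains` (`'\w3wp.exe'`, `'\php-cgi.exe'`, `'\nginx.exe'`, `'\httpd.exe'`) would be matched more precisely with `endswith`, which would mean splitting the parent match into two selections and adjusting `condition`. The `fields:` list continues past the end of the hunk.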