From 1443adc730bdaac4c50af4ff7598d4e8e47d8a9b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 20 Aug 2022 10:27:40 +0200
Subject: [PATCH] Update proc_creation_win_lolbin_customshellhost.yml

---
 .../proc_creation_win_lolbin_customshellhost.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
index 26106e227..ea7071e42 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
@@ -14,13 +14,9 @@ logsource:
     product: windows
 detection:
     selection:
-        - Image|endswith: '\CustomShellHost.exe'
-        - OriginalFileName: 'CustomShellHost.exe'
+        ParentImage|endswith: '\CustomShellHost.exe'
     filter:
-        - Image:
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\System32\explorer.exe'
-        - CurrentDirectory|startswith: C:\Windows\System32\
+        Image: 'C:\Windows\explorer.exe'
     condition: selection and not filter
 falsepositives:
     - Unknown
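Review bot: The rewritten filter exempts exactly one child path, `Image: 'C:\Windows\explorer.exe'`, while the removed revision also exempted `C:\Windows\System32\explorer.exe` and any `CurrentDirectory` under `C:\Windows\System32\`; if either of those was a real false-positive source rather than a guess, dropping them will produce alerts the commit does not justify, so a short comment on the filter would help, e.g. `# only the genuine explorer.exe is an expected child of CustomShellHost.exe; any other child is suspicious`. The selection also changed from matching CustomShellHost.exe itself (`Image|endswith` / `OriginalFileName`) to matching its children via `ParentImage|endswith`, which is a different detection; the title, description and references on the lines above the hunk are outside it, so confirm they still describe what the rule now detects. Presumably `ParentImage|endswith` is meant to also catch a copy of CustomShellHost.exe placed outside `System32`, in which case `falsepositives: - Unknown` could now name the one known benign case, the legitimate explorer.exe launch.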