From 14d81bae06ca4febdc7bf6ed2bada03f3cbcfba9 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 31 May 2022 09:46:40 +0100
Subject: [PATCH] Update proc_creation_win_msdt.yml

---
 rules/windows/process_creation/proc_creation_win_msdt.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index 3ad578266..e323b7dff 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -7,6 +7,7 @@ references:
 - https://twitter.com/nao_sec/status/1530196847679401984
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 date: 2022/05/29
+modified: 2022/05/31
 logsource:
 category: process_creation
 product: windows
@@ -15,11 +16,8 @@ detection:
 ParentImage|endswith: '\WINWORD.exe'
 Image|endswith: '\msdt.exe'
 selection_cmd:
-Image|endswith: '\msdt.exe'
-CommandLine|contains|all:
-- 'ms-msdt:/id'
-- 'IT_BrowseForFile='
-- 'IT_RebrowseForFile='
+OriginalFileName: 'msdt.exe'
+CommandLine|contains: 'IT_BrowseForFile='
 condition: 1 of selection*
 falsepositives:
 - Unknown
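Review bot: In the second hunk the rewritten `selection_cmd` keys on `OriginalFileName`, a field that only exists in telemetry which parses PE version info (Sysmon Event ID 1 style sources); on a process_creation source that lacks it, such as Windows Security 4688, the selection can never match and coverage silently falls back to `selection_main` alone, which still uses `Image|endswith` and requires the WINWORD parent. Since the condition is already `1 of selection*`, a parallel map keeps the renamed-binary benefit without losing 4688-only sources: `selection_cmd_image:` / `Image|endswith: '\msdt.exe'` / `CommandLine|contains: 'IT_BrowseForFile='`. Dropping `ms-msdt:/id` and `IT_RebrowseForFile=` also widens the match to any msdt.exe command line containing `IT_BrowseForFile=`; if legitimate troubleshooter launches populate that parameter, the `falsepositives` entry should say so rather than `Unknown`. The `detection:` block and `selection_main` header begin above this hunk.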