From 18c4acce2d69fda3f44b87f95f48aadb5fb557af Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Fri, 3 Feb 2023 14:34:09 +0500
Subject: [PATCH] update: condition name
---
 .../proc_creation_win_termserv_proc_spawn.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml b/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
index 18293b29f..a80d45a3d 100644
--- a/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
@@ -21,7 +21,7 @@ detection:
 ParentCommandLine|contains|all:
 - '\svchost.exe'
 - 'termsvcs'
- filter:
+ filter_img:
 Image|endswith:
 - '\rdpclip.exe'
 - ':\Windows\System32\csrss.exe'
@@ -29,7 +29,7 @@ detection:
 - ':\Windows\System32\winlogon.exe'
 filter_null:
 Image: null
- condition: selection and not 1 of filter*
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
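Review bot: The renamed `filter_img` block in the first hunk still excludes `'\rdpclip.exe'` by file name alone, while the sibling entries visible here (`csrss.exe`, and `winlogon.exe` at the top of the second hunk) are anchored to `:\Windows\System32\`. Since the condition is `selection and not 1 of filter_*`, any child image whose path merely ends in `\rdpclip.exe` is suppressed from this `level: high` rule regardless of the directory it runs from. Consider anchoring it like the others, `- ':\Windows\System32\rdpclip.exe'`, or add a short comment explaining why the looser match is needed. The `Image|endswith` list continues outside the hunks (old line 28 is not shown), so the remaining entries could not be checked.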