From 1ea4bb0b871ed4c1fd8bf5d1e1036a2ac0e92aeb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 28 Nov 2020 10:10:00 +0100
Subject: [PATCH] wrong field name

---
 .../win_susp_file_download_via_gfxdownloadwrapper.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
index 4adaeef44..63ffa1398 100644
--- a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
+++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml
@@ -15,7 +15,7 @@ detection:
 cmd_known_url:
 CommandLine|contains: 'gameplayapi.intel.com'
 same_parent:
-ParentProcessName|endswith: '\GfxDownloadWrapper.exe'
+ParentImage|endswith: '\GfxDownloadWrapper.exe'
 condition: image_path and not cmd_known_url and not same_parent
 fields:
 - CommandLine
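Review bot: Renaming the selector to `ParentImage` makes the `same_parent` filter take effect, presumably for the first time: under `ParentProcessName` a process_creation backend would have matched on a field the events do not carry, so `not same_parent` in the condition line was effectively always true and the rule alerted regardless of parent. Since this narrows what the rule alerts on, the rule header's `modified:` date (outside this hunk) should be bumped in the same commit so consumers can see the logic changed. The filter also trusts the parent's file name alone (`|endswith: '\GfxDownloadWrapper.exe'`), so a comment above `same_parent:` stating its intent, e.g. `# exclude chained launches whose parent is the wrapper itself`, would let a later reviewer decide whether a path-anchored match is warranted. The `detection:` mapping this hunk edits starts above the hunk.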