From 2075962596f0c49bfa871e8f42fdf2feb024aa58 Mon Sep 17 00:00:00 2001
From: Vadim
Date: Tue, 3 Jan 2023 11:54:30 +0300
Subject: [PATCH] Update proc_creation_win_change_evtx_location.yml

---
 .../proc_creation_win_change_evtx_location.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
index d65944fb4..b21ea449c 100644
--- a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
@@ -1,7 +1,7 @@
-title: Process Creation Win Change Evtx Location
+title: Change Evtx Location Used Wevtutil
 id: e6b11ea9-919a-413a-92bd-0976b42bd3b8
 status: experimental
-description: Detects change location evtx used wecutil
+description: Detects change location evtx used wevtutil
 author: D3F7A5105
 date: 2023/01/03
 references:
@@ -21,8 +21,7 @@ detection:
         - /lfn
         - \.evtx
     filter_cmd:
-        CommandLine|contains:
-            - \Windows\System32\winevt\Logs
+        CommandLine|contains: \Windows\System32\winevt\Logs
     condition: selection_cmd and not filter_cmd
 falsepositives:
     - Admin activity
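Review bot: The new `+description:` line fixes the tool name but is still not a readable sentence and does not say what attacker behaviour the rule covers, which is what an analyst triaging the alert reads first. Suggest `description: Detects wevtutil being used to change the log file location (/lfn) of an event log channel to a non-default path, a technique used to evade log collection or hide tampering with Windows event logs.` The title would benefit from the same treatment, e.g. `title: Event Log File Location Changed Via Wevtutil`. The `references:` list that follows is outside the hunk, so I cannot tell whether it already points at the wevtutil sl documentation the description should be consistent with.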
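Review bot: The new single-value `filter_cmd` line is functionally the same as the list it replaces, so the bypass it inherits is still there: because `filter_cmd` is a substring match on the attacker-controlled command line and the condition is `selection_cmd and not filter_cmd`, any invocation that merely contains the string `\Windows\System32\winevt\Logs` is dropped, including a relocation to `C:\Windows\System32\winevt\Logs\..\..\..\Temp\x.evtx` or a command line with that text appended as an extra argument. Assuming the intent is to whitelist only the default log directory, the exclusion should be anchored to the actual `/lfn` value rather than to the whole command line, for example `CommandLine|re: '(?i)/l(fn|ogfilename):"?[A-Za-z]:\\Windows\\System32\\winevt\\Logs\\[^\\"]+\.evtx"?(\s|$)'` if the target backends support the `re` modifier, with a comment such as `# exclude only an /lfn that resolves directly into the default log directory; substring matching can be bypassed with path traversal or extra arguments`. The `selection_cmd` block that starts this hunk begins outside it, so I cannot confirm whether the long form `/logfilename` is also covered there.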