From 236db73778693acf0a2911cef31793ce6f68ff38 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 13 Sep 2024 11:17:23 +0200
Subject: [PATCH] Merge PR #5006 from @frack113 - Fix `UNC2452 Process Creation Patterns`

fix: UNC2452 Process Creation Patterns

- Add the missing `all` modifier
---
 .../proc_creation_win_apt_unc2452_cmds.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
index 3ae86ca4a..b7589eac3 100644
--- a/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
+++ b/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
@@ -6,7 +6,7 @@ references:
     - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Florian Roth (Nextron Systems)
 date: 2021-01-22
-modified: 2023-09-12
+modified: 2024-09-12
 tags:
     - attack.execution
     - attack.t1059.001
@@ -42,7 +42,7 @@ detection:
             - '.dll,Tk_'
         selection_generic_4:
             ParentImage|endswith: '\rundll32.exe'
-            ParentCommandLine|contains:
+            ParentCommandLine|contains|all:
                 - 'C:\Windows'
                 - '.dll'
             CommandLine|contains: 'cmd.exe /C '
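Review bot: The tightening of `selection_generic_4` to `ParentCommandLine|contains|all` is not explained anywhere in the rule, so a later maintainer has no hint why both substrings are now required; in Sigma a list under a field without `all` is ORed, so the old form matched any rundll32 parent whose command line merely contained `.dll`, and the new form demands `C:\Windows` as well. A short comment above the modifier, such as `# both the system path and a .dll argument are required so generic rundll32 parents do not match`, would record that intent. The `condition` that consumes `selection_generic_4`, and any `falsepositives` entry written for the looser OR behaviour, sit outside this hunk and should be re-read against the narrower AND semantics. Separately, the first hunk sets `modified: 2024-09-12` while the patch is dated 13 Sep 2024; if the field is meant to track this change, `modified: 2024-09-13` would be consistent.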