From 266d6630dffef7ce352b2fc3e8c82cd5595c8286 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 21 Apr 2023 14:56:37 +0200
Subject: [PATCH] fix: broken condition

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ..._win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
index c25a14912..d79870ce9 100644
--- a/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
+++ b/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
@@ -109,7 +109,7 @@ detection:
             - 'wbadmin'
             - 'delete'
             - 'catalog'
-    condition: all of selection_parent_path and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
+    condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
 falsepositives:
     - Unlikely
 level: critical
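Review bot: The new condition references `selection_parent`, but the selection definitions under `detection:` start above this hunk, so the hunk alone cannot confirm that a selection with exactly that name exists; a mismatched identifier in a Sigma condition either fails validation or yields a rule that never fires, so please confirm the name against the top of the `detection:` block and run the repository's rule tests before merging. The `1 of selection_child_*` branch also deserves a second look given `level: critical`: the visible `- 'wbadmin'`, `- 'delete'`, `- 'catalog'` list belongs to one of those child selections, and if its modifier (outside the hunk) is `|contains` rather than `|contains|all`, a child command line containing only `delete` would be enough to trigger the alert. If that is intended, a short comment above the condition such as `# any single child selection suffices; parent match is required` would make the OR semantics explicit for future maintainers.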