From 28febe5dd2ff2f19fd7b070a3dfa84cffd89ee5a Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Tue, 27 Oct 2020 23:28:04 -0300
Subject: [PATCH] Update win_apt_chafer_mar18.yml
---
 rules/windows/process_creation/win_apt_chafer_mar18.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml
index 4fd4fa101..49b45faa8 100755
--- a/rules/windows/process_creation/win_apt_chafer_mar18.yml
+++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml
@@ -74,7 +74,8 @@ detection:
 CommandLine|startswith:
 - 'C:\wsc.exe'
 selection_process2:
- Image|endswith: '\Windows\Temp\DB\\*.exe'
+ Image|contains: '\Windows\Temp\DB\'
+ Image|endswith: '.exe'
 selection_process3:
 CommandLine|contains: '\nslookup.exe -q=TXT'
 ParentImage|contains: '\Autoit'
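Review bot: The two keys now under `selection_process2` reproduce the old wildcard pattern only because Sigma ANDs the fields of one selection map, and nothing in the rule records that; a comment above them such as `# contains + endswith replace the former '\Windows\Temp\DB\\*.exe' wildcard; both must match` would keep a later edit from splitting them into separate selections and silently widening the match. The `contains` value is unanchored, so it also matches an `.exe` in any subfolder below `\Windows\Temp\DB\`, which is the same reach the old `*` had and is worth stating in that comment. The rule header is outside the hunk; if it carries a `modified:` date, that presumably wants updating together with this detection change. The `detection` block itself starts and ends outside the hunk, so the `condition` that consumes `selection_process2` could not be checked here.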