From 29cd7fed3eb7f78d864ccdea1327fffbfdd6f45c Mon Sep 17 00:00:00 2001
From: alexpetrov12
Date: Wed, 23 Oct 2019 02:39:40 +0300
Subject: [PATCH] fix
---
 .../renamed_binary_description.yml | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml
index bd2030d84..5f207ab04 100644
--- a/rules/windows/process_creation/renamed_binary_description.yml
+++ b/rules/windows/process_creation/renamed_binary_description.yml
@@ -35,24 +35,24 @@ detection:
 - "7-zip console"
 filter:
 Image:
- - '*\adexplorer.exe'
- - '*\procdump.exe'
- - '*\msbuild.exe'
- - '*\dotnet.exe'
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\psexec.exe'
- - '*\installutil.exe'
- - '*\cscript.exe'
- - '*\wscript.exe'
- - '*\mshta.exe'
- - '*\regsvr32.exe'
- - '*\wmic.exe'
- - '*\certutil.exe'
- - '*\rundll32.exe'
- - '*\cmstp.exe'
- - '*\msiexec.exe'
- - '*\7z.exe'
+ -'*\adexplorer.exe'
+ -'*\procdump.exe'
+ -'*\msbuild.exe'
+ -'*\dotnet.exe'
+ -'*\cmd.exe'
+ -'*\powershell.exe'
+ -'*\psexec.exe'
+ -'*\installutil.exe'
+ -'*\cscript.exe'
+ -'*\wscript.exe'
+ -'*\mshta.exe'
+ -'*\regsvr32.exe'
+ -'*\wmic.exe'
+ -'*\certutil.exe'
+ -'*\rundll32.exe'
+ -'*\cmstp.exe'
+ -'*\msiexec.exe'
+ -'*\7z.exe'
 condition: selection and not filter
 falsepositives:
 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
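Review bot: Dropping the space after the `-` in the new filter entries (e.g. `+ -'*\adexplorer.exe'`) turns each line from a YAML sequence item into a plain scalar that merely starts with `-`, so `Image` under `filter` is no longer a list of 18 patterns; most YAML loaders will fold the 18 lines into one string (`-'*\adexplorer.exe' -'*\procdump.exe' …`), and a stricter loader or Sigma backend may reject the rule outright. A single folded string never equals a real image path, so the filter never matches, `selection and not filter` degrades to `selection`, and the rule fires on every legitimate execution of the listed tools — precisely the false positives this whitelist exists to suppress. The removed form was the correct one: restore the space on all 18 entries, e.g. `- '*\adexplorer.exe'`, and run the rule through a YAML parser or the Sigma test suite before merging so that a formatting slip cannot silently change detection logic.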