From 2b9048b6c832a9f2a9dec90330db8d65da4e643e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 17:09:34 +0100
Subject: [PATCH] fix: update detection logic

---
 .../proc_creation_win_rundll32_parent_explorer.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index 94a6a90ff..f1b485722 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -18,9 +18,7 @@ detection:
 Image|endswith: '\rundll32.exe'
 ParentImage|endswith: '\explorer.exe'
 filter:
- - CommandLine|contains: '\shell32.dll,OpenAs_RunDLL'
- - CommandLine|contains: 'rundll32.exe" C:\Windows\System32\'
- - CommandLine|contains: 'rundll32.exe C:\Windows\System32\'
+ CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
 condition: selection and not filter
 fields:
 - Image
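Review bot: The new `filter` entry is wider than the three it replaces: the removed values anchored `C:\Windows\System32\` to the argument immediately following `rundll32.exe` (quoted or unquoted), while `' C:\Windows\System32\'` suppresses the alert whenever that path occurs anywhere in the command line, so the exclusion is no longer tied to which DLL rundll32 actually loads. Because Sigma `contains` is case-insensitive, the dropped `\shell32.dll,OpenAs_RunDLL` entry remains covered only when shell32.dll is referenced by its full System32 path; an OpenAs_RunDLL invocation that names the DLL without a path would now be alerted on, which is worth checking against the baseline that motivated the original entry. The inline comment would help the next maintainer more if it stated the intent rather than the mechanics, e.g. `# Leading space anchors the match to the DLL argument, not the rundll32.exe image path, and covers both quoted and unquoted forms`. The `detection:` mapping this hunk modifies begins above the hunk.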