From 2e6f184370b1c08c826da66036f79014d5db122f Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Mon, 12 Oct 2020 14:11:10 +0300
Subject: [PATCH] Update powershell_cmdline_specific_comb_methods.yml

---
 ...wershell_cmdline_specific_comb_methods.yml | 21 +++++++++----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
index 95f46a0d7..ed6751a22 100644
--- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
+++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
@@ -16,12 +16,11 @@ logsource:
   product: windows
 detection:
   selection1:
-    Image|endswith:
-      - '\powershell.exe'
+    Image|endswith: '\powershell.exe'
   selection2:
-    CommandLine|contains|all:
-      - 'char'
-      - 'joint'
+    CommandLine|all:
+      - '*char*'
+      - '*joint*'
   selection3:
     CommandLine|contains:
       - 'ToInt'
@@ -35,13 +34,13 @@ detection:
       - 'ToString'
       - 'String'
   selection5:
-    CommandLine|contains|all:
-      - 'split'
-      - 'join'
+    CommandLine|all:
+      - '*split*'
+      - '*join*'
   selection6:
-    CommandLine|contains|all:
-      - 'ForEach'
-      - 'Xor'
+    CommandLine|all:
+      - '*ForEach*'
+      - '*Xor*'
   selection7:
     CommandLine|contains:
       - 'cOnvErTTO-SECUreStRIng'
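Review bot: The value `'*joint*'` in selection2 looks like a typo for `join` — selection5 in the same rule pairs `split` with `join`, and PowerShell's operator is `-join`, so a `[char]...-join` decoding chain would only satisfy selection2 if the command line happened to contain the literal `joint`. The value pre-dates this commit, but since the line is being rewritten anyway it is the moment to fix it: `- '*join*'` (or `- 'join'` if `contains|all` is kept). Separately, `CommandLine|contains|all` with bare values and `CommandLine|all` with `*x*` globs are equivalent under the Sigma spec, but `contains|all` is the documented idiom and keeps selection2 consistent with selection3's `|contains`; if a particular backend forced this rewrite, a one-line comment above `selection2` naming that backend would stop a later cleanup from reverting it.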
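Review bot: After this hunk selection5 and selection6 express "substring match" with explicit `*split*`/`*join*` and `*ForEach*`/`*Xor*` globs under `|all`, while selection7 directly below and selection3 above still use `|contains` for the same intent, so one rule now spells the same semantics two ways. The forms are equivalent per the Sigma spec, so unless a specific converter fails on `contains|all`, the conventional shape `CommandLine|contains|all:` with bare `'split'` / `'join'` is the more maintainable choice; if a backend does require the wildcard form, a short comment above `selection5` stating which one would document the reason for the deviation.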