From 2edd79a37f388e97b93b2bb522ef8bb80cfbe68d Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Mon, 12 Oct 2020 08:30:28 +1100
Subject: [PATCH] Update win_root_certificate_installed.yml
---
 .../win_root_certificate_installed.yml | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml
index a9f3c25e1..d0f67207f 100644
--- a/rules/windows/builtin/win_root_certificate_installed.yml
+++ b/rules/windows/builtin/win_root_certificate_installed.yml
@@ -20,11 +20,16 @@ logsource:
 product: windows
 service: powershell
 detection:
- selection:
+ selection1:
 EventID: 4104
- ScriptBlockText|contains:
- - 'Import-Certificate * Cert:\LocalMachine\Root'
- - 'Move-Item * Cert:\LocalMachine\Root'
+ ScriptBlockText|contains|all:
+ - 'Move-Item'
+ - 'Cert:\LocalMachine\Root'
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Import-Certificate'
+ - 'Cert:\LocalMachine\Root'
 ---
 logsource:
 category: process_creation
@@ -32,7 +37,11 @@ logsource:
 detection:
 selection1:
 Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der
- CommandLine|contains: '-addstore * root'
+ CommandLine|contains|all:
+ - '-addstore'
+ - 'root'
 selection2:
 Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
- CommandLine|contains: '/add * root'
+ CommandLine|contains|all:
+ - '/add'
+ - 'root'
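Review bot: Renaming `selection` to `selection1` and adding `selection2` in the powershell hunk only works if the rule's `condition` line, which lies outside this hunk, references the new names; if it still reads `condition: selection` the rule no longer points at an existing selection and should become `condition: 1 of selection*` (or `condition: selection1 or selection2`). The switch from a single wildcard string to `ScriptBlockText|contains|all` is also looser than it looks: the two substrings may occur anywhere in the script block and in any order, so a script that only reads `Cert:\LocalMachine\Root` and calls `Move-Item` on something unrelated now matches. If the ordering was intentional, the `*` wildcard form or a `|re` modifier preserves it; otherwise a comment such as `# contains|all: order-independent, both substrings anywhere in the block` would document the broadened scope for future tuners. The detection block's `condition` continues outside the hunk.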
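Review bot: The `'root'` item in both new `CommandLine|contains|all` lists of the process_creation hunk matches that substring anywhere in the command line, so any certutil `-addstore` or CertMgr `/add` invocation whose file path or store name merely contains `root` (e.g. a `C:\rootcerts\` directory or a `TrustedPublisher` import with such a path) now fires, whereas the replaced `'-addstore * root'` and `'/add * root'` required the store argument after the switch. To keep the intent of the inline `# Example` comments, anchor the store token, e.g. `- ' root'` with a leading space, or use a `CommandLine|re` pattern that keeps the switch-then-store order. Sigma `contains` is case-insensitive in the common backends, so `ROOT` from the `-user ROOT` example is still covered by either form. The surrounding `detection` block and its `condition` continue outside the hunk.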