From 315a79fcf0c4bbe71f669c32f3332c2d4cd438bf Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 2 May 2022 18:13:03 +0200
Subject: [PATCH] Update proc_creation_win_susp_gpresult.yml

---
 .../process_creation/proc_creation_win_susp_gpresult.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml b/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
index 06417c333..98e0649ec 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
@@ -14,8 +14,7 @@ logsource:
 category: process_creation
 detection:
 selection:
- Image|endswith:
- '\gpresult.exe'
+ Image|endswith: '\gpresult.exe'
 CommandLine|contains:
 - '/z'
 - '/v'
@@ -25,4 +24,4 @@ falsepositives:
 level: medium
 tags:
 - attack.discovery
- - attack.t1615
\ No newline at end of file
+ - attack.t1615
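Review bot: The `selection` in the first hunk still identifies the process only through `Image|endswith: '\gpresult.exe'`, so the rule depends on the binary keeping its default on-disk name; the new scalar form is equivalent to the old single-item list and does not change that coverage. A more robust pattern is to split the process match into its own selection with the image check and an `OriginalFileName: '<original file name of gpresult.exe — verify from the PE version resource>'` entry as OR-ed alternatives, keeping the `CommandLine|contains` list in a second selection and AND-ing both in `condition`; the `condition` line lies outside this hunk and would need the matching update. The second hunk only restores the missing trailing newline.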