Issue 3552

rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml

@@ -6,6 +6,7 @@ references:
     - https://www.cobaltstrike.com/help-opsec
 author: Florian Roth
 date: 2021/05/27
+modified: 2022/10/06
 logsource:
     category: process_creation
     product: windows
@@ -18,7 +19,7 @@ detection:
         ParentImage|contains: 
             - '\AppData\Local\'
             - '\Microsoft\Edge\'
-    condition: selection and not filter1 and not filter2
+    condition: selection and not 1 of filter*
 fields:
     - ParentImage
     - ParentCommandLine