From 32406c1915aac3c79ddcc3a349e95e5003425bf4 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 6 Oct 2022 06:50:54 +0200
Subject: [PATCH] Issue 3552

---
 .../proc_creation_win_susp_rundll32_no_params.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
index b1a6486ae..244655abc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
@@ -6,6 +6,7 @@ references:
 - https://www.cobaltstrike.com/help-opsec
 author: Florian Roth
 date: 2021/05/27
+modified: 2022/10/06
 logsource:
 category: process_creation
 product: windows
@@ -18,7 +19,7 @@ detection:
 ParentImage|contains:
 - '\AppData\Local\'
 - '\Microsoft\Edge\'
-    condition: selection and not filter1 and not filter2
+    condition: selection and not 1 of filter*
 fields:
 - ParentImage
 - ParentCommandLine
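Review bot: The wildcard in `condition: selection and not 1 of filter*` is equivalent to the old `not filter1 and not filter2` only as long as those two are the only selections whose names start with `filter`; any selection added later under that prefix is silently negated too, so a one-line comment above the condition, `# every selection named filter* is treated as an exclusion`, would make that contract explicit for future edits. Separately, the context line `- '\AppData\Local\'` keeps an exclusion on any parent image under the per-user AppData\Local tree, which is also a common location for user-writable droppers; the commit does not narrow it, and whether it should is a false-positive trade-off, but the reason it is considered acceptable is worth recording in a comment next to that entry. The `detection` block, including the definitions of `filter1` and `filter2`, begins outside this hunk, so I cannot confirm from the diff alone that no other `filter*` selection already exists.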