From 6da1431612d14e15af7099339cea52f7a1c8b344 Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Wed, 8 Feb 2023 16:18:58 +0500
Subject: [PATCH] fix: added originalfilename

---
 ..._creation_win_ads_stored_dll_execution_rundll32.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml b/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
index d808e4b1d..d7c01a149 100644
--- a/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
+++ b/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
@@ -6,7 +6,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
 author: Harjot Singh, '@cyb3rjy0t'
 date: 2023/01/21
-modified: 2023/01/23
+modified: 2023/02/08
 tags:
 - attack.defense_evasion
 - attack.t1564.004
@@ -14,13 +14,15 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\rundll32.exe'
+ selection_img:
+ - Image|endswith: '\rundll32.exe'
+ - OriginalFileName: 'RUNDLL32.EXE'
+ selection_cli:
 # Example:
 # rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
 # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
 CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
- condition: selection
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
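Review bot: The new `OriginalFileName: 'RUNDLL32.EXE'` alternative in `selection_img` cannot produce a match on its own, because the unchanged `CommandLine|re` in `selection_cli` still begins with the literal `[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? ` prefix, so a renamed copy of rundll32 whose command line no longer carries that token satisfies the image selection but fails `all of selection_*`. If the intent of the commit is to cover renamed binaries, the regex prefix has to be relaxed so that binary identification is left to `selection_img`, for example `CommandLine|re: '\S+ \S+?\w:\S+?:'`; that widening should be validated against the rule's test cases since it accepts more command lines than before. If the intent is only to add a second signal for the unrenamed case, a comment on `selection_img` such as `# OriginalFileName only adds coverage when the command line still contains the rundll32 token required by selection_cli` would make the limitation explicit. The `modified` date bump in the first hunk is consistent with this change.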