From 39bac712c32e0cf39bd58ef92cb71d20f3be3567 Mon Sep 17 00:00:00 2001
From: Timur Zinniatullin
Date: Sun, 18 Oct 2020 19:05:09 +0300
Subject: [PATCH] Update win_invoke_obfuscation_via_rundll_services.yml
---
 .../builtin/win_invoke_obfuscation_via_rundll_services.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
index cf69f3f69..3bad01d92 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -17,7 +17,7 @@ falsepositives:
 level: medium
 detection:
 selection_1:
- - ImagePath|re: '(?i).*rundll32(?:.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
 condition: selection and selection_1
 ---
 logsource:
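Review bot: Escaping the dot in `(?:\.exe)?` on the `+` line is the right fix, but the rest of the `ImagePath|re` pattern keeps two forms that make the intent harder to audit: `(?:\s+)?` is just `\s*`, and the leading `.*` adds nothing when the backend searches rather than full-matches (which varies by Sigma backend, so confirm before dropping it). A cleaner equivalent would be `- ImagePath|re: '(?i)rundll32(?:\.exe)?\s*shell32\.dll.*shellexec_rundll.*powershell.*\"'`. The trailing `.*\"` also makes a literal double quote after `powershell` mandatory for a hit; if that narrowing is intended it deserves a short comment on the line so a later maintainer does not "fix" it away. If the sibling process-creation variant of this rule carries the same unescaped `(?:.exe)?` (not visible here), it should receive the same correction in one commit.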