From 1544a351a33f5f178fe13d3ade7bc7fab65715da Mon Sep 17 00:00:00 2001
From: Jon Galarneau
Date: Tue, 10 Aug 2021 08:29:39 -0400
Subject: [PATCH 1/2] Correcting regex in win_modif_of_services_for_via_commandline.yml

The ^ symbol designates the beginning of the string, but in this rule it is clearly intended to be the end of the string.
---
 .../win_modif_of_services_for_via_commandline.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
index 970b7c6d0..85c787913 100644
--- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
@@ -20,8 +20,8 @@ detection:
 selection_cmdline_2:
 CommandLine|re: '(?i)sc failure.*command=.*'
 selection_cmdline_3:
- CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin^|\.bat|\.cmd|\.js|\.msh^|\.reg^|\.scr|\.ps|\.vb|\.jar|\.pl).*'
+ CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin$|\.bat|\.cmd|\.js|\.msh$|\.reg$|\.scr|\.ps|\.vb|\.jar|\.pl).*'
 condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3
 falsepositives:
 - unknown
-level: medium
\ No newline at end of file
+level: medium

From 6d869feb4315fd716dce42e3d5f0267a1a9c59ac Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 10 Aug 2021 15:12:45 +0200
Subject: [PATCH 2/2] update modified

---
 .../win_modif_of_services_for_via_commandline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
index 85c787913..05ee03d58 100644
--- a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
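Review bot: The `$` anchors the added selection_cmdline_3 line attaches to `\.bin`, `\.msh` and `\.reg` require the extension to be the very last characters of CommandLine, unlike every other extension in the group, so a command line that continues after the path (a closing quote, or a trailing `/f` as reg add invocations commonly carry) will not match those three branches; the old `^` made them unmatchable outright, so this is strictly better, but the asymmetry looks unintended rather than designed. The `.*` that follows the group is also dead for those three branches, since nothing can follow `$`. If a partial-match concern is the reason (perhaps to keep `\.bin` from matching a longer token), a word boundary preserves that intent without tying the match to end of string, where the target Sigma backend supports it: `\.bin\b|\.bat|\.cmd|\.js|\.msh\b|\.reg\b|`. Whichever form is kept, a one-line comment above the selection stating why these three extensions are anchored differently would save the next maintainer from repeating this review; note too that end-of-string semantics for `$` vary between the backends the rule may be converted for. The enclosing detection mapping starts above this hunk.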
+++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
@@ -10,7 +10,7 @@ tags:
 - attack.t1058
 author: Sreeman
 date: 2020/09/29
-modified: 2021/06/11
+modified: 2021/08/10
 logsource:
 category: process_creation
 product: windows