From 04370c7e9136bde426a1d8159819bce89da354ec Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Jul 2021 09:56:35 +0200
Subject: [PATCH] refactor: improved Raccine uninstall rule

---
 rules/windows/process_creation/win_susp_disable_raccine.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_disable_raccine.yml b/rules/windows/process_creation/win_susp_disable_raccine.yml
index b93f381d3..15c00f7fb 100644
--- a/rules/windows/process_creation/win_susp_disable_raccine.yml
+++ b/rules/windows/process_creation/win_susp_disable_raccine.yml
@@ -9,6 +9,7 @@ tags:
 - attack.t1562.001
 author: Florian Roth
 date: 2021/01/21
+modified: 2021/07/14
 logsource:
 category: process_creation
 product: windows
@@ -16,7 +17,7 @@ detection:
 selection1:
 CommandLine|contains|all:
 - 'taskkill '
-- '/IM RaccineSettings.exe'
+- 'RaccineSettings.exe'
 selection2:
 CommandLine|contains|all:
 - 'reg.exe'
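Review bot: The loosened entry `'RaccineSettings.exe'` now covers every taskkill argument form, but the sibling entry `'taskkill '` in the same `contains|all` list still keys on a literal word followed by a space in the command line, so selection1 depends on how the tool is spelled on the command line rather than on which process was created; in a `process_creation` rule the process identity is better anchored on `Image|endswith: '\taskkill.exe'`, leaving only the image name in the CommandLine check. Because the second hunk widens detection scope beyond the `/IM` form, the rule's `description` and `falsepositives` fields (outside this hunk) should state that, and the "refactor" wording in the commit title understates the change. The `condition` that references selection1 is also outside the hunk and would presumably need to combine the two selections below, e.g. `(selection1_img and selection1_cli) or selection2` — confirm against the actual condition line.

```yaml
    selection1_img:
        Image|endswith: '\taskkill.exe'
    selection1_cli:
        CommandLine|contains: 'RaccineSettings.exe'
    # … unchanged: selection2 …
```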