From 431f34b985d546121bcc8cfa290f6b2fd76cdf2c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 27 May 2021 18:12:20 +0200
Subject: [PATCH] fix: other locations https://twitter.com/ber_m1ng/status/1397948048135778309
---
 rules/windows/process_creation/win_susp_procs_req_dlls.yml | 2 +-
 rules/windows/process_creation/win_susp_rundll32_no_params.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
index 955d6f6f6..d52158f85 100644
--- a/rules/windows/process_creation/win_susp_procs_req_dlls.yml
+++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
@@ -22,7 +22,7 @@ detection:
 - '\regsvr32.exe'
 filter1:
 ParentImage|contains:
- - '\AppData\Local\Temp\'
+ - '\AppData\Local\'
 - '\Microsoft\Edge\'
 condition: selection and not filter1
 fields:
diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
index f9a961510..b45e3b4e0 100644
--- a/rules/windows/process_creation/win_susp_rundll32_no_params.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
@@ -16,7 +16,7 @@ detection:
 ParentImage|endswith: '\svchost.exe'
 filter2:
 ParentImage|contains:
- - '\AppData\Local\Temp\'
+ - '\AppData\Local\'
 - '\Microsoft\Edge\'
 condition: selection and not filter1 and not filter2
 fields:
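Review bot: The new `filter1` entry `'\AppData\Local\'` in win_susp_procs_req_dlls.yml (and the identical `filter2` change in win_susp_rundll32_no_params.yml) excludes every parent process located anywhere under the user's local AppData directory, not just its Temp folder. Because `ParentImage|contains` is a substring match, a parent binary in any per-user, user-writable subfolder of that prefix now suppresses the alert for the rundll32/regsvr32 children these rules exist to catch, which is a much larger blind spot than the old `\Temp\` exclusion. If the false positives in the linked report come from a small number of applications, the narrower fix is to keep `- '\AppData\Local\Temp\'` and add the specific vendor subfolders as further list entries instead of the bare prefix. Whichever form is kept, the trade-off should be recorded in each rule's `falsepositives` entry, which lies outside the hunk, e.g. `# any parent under the user's local AppData is excluded; coverage for user-writable paths is reduced accordingly`. The `selection` block of both detections starts above the hunk, so I could not confirm whether it already narrows the parent in another way.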