From 47cd3d4e7ba65d8a83d27682ba10f9c3472ad38e Mon Sep 17 00:00:00 2001
From: AaronHerman
Date: Sat, 1 Oct 2022 19:13:31 -0500
Subject: [PATCH] update for Image instead of CommandLine

---
 .../proc_creation_win_susp_lolbin_non_c_drive.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
index 4f8aeb5ed..ca1832261 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
@@ -15,7 +15,7 @@ logsource:
     product: windows
 detection:
     selection_lolbin:
-        CommandLine|contains:
+        Image|endswith:
             - '\wscript.exe'
             - '\cscript.exe'
     selection_exetensions:
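Review bot: The rule's `modified:` date is not updated even though the field switch from `CommandLine|contains` to `Image|endswith` changes what `selection_lolbin` matches; the diffstat shows exactly one insertion and one deletion, both inside the selection, and Sigma convention is to bump the date whenever detection logic changes, e.g. `modified: 2022/10/01` to match the commit date. The `detection` mapping continues past the hunk, so it is not visible whether `selection_exetensions` or the condition still inspects `CommandLine`; if the non-C-drive check keys on the command line while the LOLBin check now keys on `Image`, the two selections may describe different things and that pairing should be confirmed against the rest of the rule. Matching on `Image` also drops cases where a script host is only named in another process's command line, which appears intended per the subject but is worth stating in the rule's `description` or a comment above the selection. The context key `selection_exetensions:` carries a typo (`exetensions`) that could be corrected in the same revision, together with its reference in `condition`.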