From 44a5792be3e3261f23eb01cc5d7181d39dd7835a Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 5 Sep 2021 12:34:24 +0200
Subject: [PATCH] Revert win_apt_apt29_tor.yml

---
 rules/windows/builtin/win_apt_apt29_tor.yml | 32 +++++++++------------
 1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/rules/windows/builtin/win_apt_apt29_tor.yml b/rules/windows/builtin/win_apt_apt29_tor.yml
index 65b7b8f31..606220273 100755
--- a/rules/windows/builtin/win_apt_apt29_tor.yml
+++ b/rules/windows/builtin/win_apt_apt29_tor.yml
@@ -10,24 +10,8 @@ tags:
 - attack.t1050 # an old one
 - attack.t1543.003
 date: 2017/11/01
-modified: 2020/09/05
-author: Thomas Patzke , frack113 (reorder file)
----
-#First detection is only need to the near so level is informational to not trigger an alert
-id: d1478dc2-fd6a-4154-a8fb-ba9a88a366e5
-logsource:
- category: process_creation
- product: windows
-detection:
- process:
- Image:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
- condition: process
-level: informational
----
-action: repeat
-id: c069f460-2b87-4010-8dcf-e45bab362624
+modified: 2020/08/23
+author: Thomas Patzke
 logsource:
 product: windows
 service: system
@@ -40,7 +24,17 @@ detection:
 falsepositives:
 - Unknown
 level: high
+---
+id: c069f460-2b87-4010-8dcf-e45bab362624
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process:
+ Image:
+ - 'C:\Program Files(x86)\Google\GoogleService.exe'
+ - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
 fields:
 - ComputerName
 - User
- - CommandLine
\ No newline at end of file
+ - CommandLine
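Review bot: The process_creation document re-added after `---` in the second hunk has a `detection:` block with a `process:` selection but no `condition:` line, so nothing references the selection and a Sigma converter has no expression to evaluate; the version being removed did carry `condition: process`, and the revert should keep that line, `    condition: process`, directly after the Image list. The re-added document also loses the removed `action: repeat`, leaving it with only id/logsource/detection/fields and no title or level, so whether it is still a usable rule depends on how the collection is consumed — worth confirming against the Sigma rule-collection semantics rather than assuming it inherits from the first document. Its `id: c069f460-…` is the same value the removed `action: repeat` document used; if the first document above this hunk already carries that id, the file now holds two rules with one identifier, which validators generally reject. The first rule's header starts outside the hunk, so that cannot be confirmed from this diff.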