From 0fa1c1525b05b63cd65c05256ce683540df95d16 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 3 Jul 2020 10:17:34 +0200
Subject: [PATCH] fix: missing copy command
---
 rules/windows/process_creation/win_susp_copy_systemroot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_copy_systemroot.yml b/rules/windows/process_creation/win_susp_copy_systemroot.yml
index b4d196691..7c37dd96d 100644
--- a/rules/windows/process_creation/win_susp_copy_systemroot.yml
+++ b/rules/windows/process_creation/win_susp_copy_systemroot.yml
@@ -14,8 +14,8 @@ tags:
 detection:
 selection:
 CommandLine|contains:
- - 'cmd.exe /c %SysteRoot%'
- - 'cmd.exe /c C:\Windows'
+ - 'cmd.exe /c copy %SysteRoot%'
+ - 'cmd.exe /c copy C:\Windows'
 condition: selection
 fields:
 - CommandLine
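Review bot: The first added pattern still spells the variable `%SysteRoot%`, so under `CommandLine|contains` it cannot match a command line that references `%SystemRoot%`. The typo predates this commit and is carried into the new line, which should read `- 'cmd.exe /c copy %SystemRoot%'`. Both literals also require the exact single-space sequence `cmd.exe /c copy `, which makes the selection brittle if the backend compares substrings verbatim. Splitting it into separate terms under `CommandLine|contains|all` (for example `' /c '`, `'copy'` and the path) would be more robust, at the cost of more false positives to tune. The rule's remaining fields lie outside this hunk, so their interaction with the selection is not visible here.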