From 5505ff28d92cbb815a8dfcfdd92067dcd4498071 Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Fri, 3 Feb 2023 14:40:40 +0500
Subject: [PATCH] Update proc_creation_win_tool_nircmd.yml
---
 .../process_creation/proc_creation_win_tool_nircmd.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
index 0bfffb9ed..1a9018787 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml
@@ -8,7 +8,7 @@ references:
 - https://www.nirsoft.net/utils/nircmd2.html#using
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
 date: 2022/01/24
-modified: 2022/11/30
+modified: 2023/02/03
 tags:
 - attack.execution
 - attack.t1569.002
@@ -34,7 +34,7 @@ detection:
 CommandLine|contains:
 - ' show '
 - ' hide '
- condition: 1 of selection* or all of combo_*
+ condition: 1 of selection_* or all of combo_*
 fields:
 - CommandLine
 - ParentCommandLine
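Review bot: The narrowed glob in the new `condition: 1 of selection_* or all of combo_*` line no longer matches a selection whose identifier lacks the underscore (a bare `selection`, for example). The selection definitions sit above this hunk, so the diff alone does not show that every one is named `selection_…`. If one is not, that branch drops out of the condition and the process creations only it would match stop alerting, or the rule fails conversion, depending on the backend. Confirm the identifiers in the `detection` block and re-run the rule through validation against a known NirCmd command-line sample before merging.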