From 585f3a2f3649897538bb874bb4e1c59129f6e8a7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 21 Jan 2023 13:02:11 +0100
Subject: [PATCH] fix: update regex

---
 ...proc_creation_win_ads_stored_dll_execution_rundll32.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml b/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
index a9064e688..8ee038d72 100644
--- a/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
+++ b/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
@@ -5,7 +5,7 @@ description: Detects execution of rundll32 where the DLL being called is stored
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Rundll32
 author: Harjot Singh, '@cyb3rjy0t'
-date: 2023/01/11
+date: 2023/01/21
 tags:
     - attack.defense_evasion
     - attack.t1564.004
@@ -15,7 +15,10 @@ logsource:
 detection:
     selection:
         Image|endswith: '\rundll32.exe'
-        CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32.+:'
+        # Example:
+        # rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
+        # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
+        CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32.+\w:.+:'
     condition: selection
 falsepositives:
     - Unknown
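Review bot: Rewriting `date:` from 2023/01/11 to 2023/01/21 in the first hunk overwrites the rule's creation date; the Sigma convention for an edit to an existing rule is to keep `date:` and add `modified: 2023/01/21` after it. If this rule has not yet been merged and the original date was simply a draft value, bumping `date:` is fine, but that is not visible from the patch. Either way it would help to state which case applies in the commit message.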
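Review bot: The new pattern `'[Rr][Uu][Nn][Dd][Ll][Ll]32.+\w:.+:'` still matches any colon that appears anywhere after the drive letter, so a benign invocation with an absolute DLL path followed by an argument containing a colon (a URL, a `key:value` option, a second drive path) satisfies it with no ADS involved. Tying the stream separator to the path token, for example `CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32.+\w:\\[^,:]+:[^\\,]+'`, keeps the documented `"C:\ads\file.txt:ADSDLL.dll",DllMain` case while refusing a colon that only appears in later arguments; this should be checked against the backends the project targets, since `re` support varies. If the broader pattern is kept on purpose, the `falsepositives:` entry should name the URL/argument case instead of `Unknown`. The inline note would also read better as one sentence: `# Note: This doesn't cover the case where no full path is used for the DLL, as that would require a more expensive regex.`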