From 5bbe3dec9bb6dfb97190e04c3139ebb8be793985 Mon Sep 17 00:00:00 2001
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com>
Date: Wed, 8 Sep 2021 21:14:58 -0600
Subject: [PATCH] Completed changes to selection1 and selection2

changes were completed to remove ( * ) and stay within rule creation guide: - Image|endswith: - '\winword.exe' - '\excel.exe' - '\powerpnt.exe' WMIcommand|contains: 'Win32_Process\:\:Create'
---
 ...Create_command_execution_by_Office_Applications.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
index 5f9e15896..d61ba1b64 100644
--- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
+++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
@@ -20,12 +20,12 @@ detection:
     selection1:
         EventLog: EDR
         EventType: WMIExecution
-        WMIcommand: '*Win32_Process\:\:Create*'
+        WMIcommand|contains: 'Win32_Process\:\:Create'
     selection2:
-    - Image:
-        - '*\winword.exe'
-        - '*\excel.exe'
-        - '*\powerpnt.exe'
+    - Image|endswith:
+        - '\winword.exe'
+        - '\excel.exe'
+        - '\powerpnt.exe'
     condition: selection1 AND selection2
 falsepositives:
     - Unknown
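Review bot: The backslashes in the new `WMIcommand|contains: 'Win32_Process\:\:Create'` value are literal inside YAML single quotes, and under Sigma's escaping rules a backslash before a non-wildcard character is kept as a plain backslash, so the pattern appears to require the text `\:\:` rather than `::` and would not match a method name written as `Win32_Process::Create`. The colons only need protection from the YAML parser, which the single quotes already give, so `WMIcommand|contains: 'Win32_Process::Create'` should be sufficient; confirm how the backend in use treats the escaped form before relying on this rule. The `Image|endswith` rewrite in selection2 is the right replacement for the leading `*` wildcards. The enclosing `detection` block starts outside the hunk.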