From 5fdad241ea0b2c741b86fa4838b5ee9f15e560f1 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 23 Dec 2022 20:11:55 +0100
Subject: [PATCH] Update proc_creation_win_lolbin_agentexecutor.yml

---
 .../proc_creation_win_lolbin_agentexecutor.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
index 8851dfc95..0cf6c58aa 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
@@ -15,15 +15,14 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection:
         Image: 'AgentExecutor.exe'
-    selection2:
         CommandLine|contains: '-powershell'
     filter:
         CommandLine|contains:
             - ' C:\Windows\SysWOW64\WindowsPowerShell\'
             - ' C:\Windows\System32\WindowsPowerShell\'
-    condition: selection1 and selection2 and not filter
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: medium
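Review bot: The merged `selection` keeps `Image: 'AgentExecutor.exe'` as a plain value, and in Sigma an unmodified string is a full-value match, so it only fires when the Image field is literally `AgentExecutor.exe` — process-creation events carry the full path, which means the rule as written is unlikely to ever match. Use a suffix match anchored on the path separator, `Image|endswith: '\AgentExecutor.exe'`, so the Intune install location is matched without also catching unrelated names that happen to end in the same string. The selection merge itself is logically equivalent to the old `selection1 and selection2`, so the condition change is fine. Separately, the `filter` entries rely on a leading space before the drive letter; a brief comment noting that the filter is meant to exclude the standard PowerShell paths passed as a space-separated argument would help future maintainers understand why the space is there.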