Update win_webshell_spawn.yml

2020-10-15 19:59:59 -03:00
parent 138b8fed06
commit 630e92f3c2
1 changed files with 12 additions and 12 deletions
@@ -10,18 +10,18 @@ logsource:
    product: windows
 detection:
    selection:
-        ParentImage:
-            - '*\w3wp.exe'
-            - '*\httpd.exe'
-            - '*\nginx.exe'
-            - '*\php-cgi.exe'
-            - '*\tomcat.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\powershell.exe'
-            - '*\bitsadmin.exe'
+        ParentImage|endswith:
+            - '\w3wp.exe'
+            - '\httpd.exe'
+            - '\nginx.exe'
+            - '\php-cgi.exe'
+            - '\tomcat.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\sh.exe'
+            - '\bash.exe'
+            - '\powershell.exe'
+            - '\bitsadmin.exe'
    condition: selection
 fields:
    - CommandLine