From 630e92f3c24d348c64ff2b1bbbee1cf7f2e44dca Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 19:59:59 -0300
Subject: [PATCH] Update win_webshell_spawn.yml
---
 .../process_creation/win_webshell_spawn.yml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 1135169c9..8f5c95a03 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -10,18 +10,18 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage:
- - '*\w3wp.exe'
- - '*\httpd.exe'
- - '*\nginx.exe'
- - '*\php-cgi.exe'
- - '*\tomcat.exe'
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- - '*\bitsadmin.exe'
+ ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\tomcat.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
 condition: selection
 fields:
 - CommandLine
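Review bot: The `Image|endswith` list names only Windows PowerShell, so a web-server worker that starts PowerShell 7 (`pwsh.exe`) would not match this selection; adding `- '\pwsh.exe'` under `Image|endswith` would cover it. Separately, `'\tomcat.exe'` under `ParentImage|endswith` matches only that exact file name, while Tomcat's Windows service binary is commonly installed with a version suffix (for example `tomcat9.exe`), so it is worth checking against real process-creation telemetry whether this entry ever fires. The `fields:` list and the rest of the rule continue outside the hunk, so any tuning or false-positive notes there could not be reviewed.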