From 64c63c8d38e042b9e0dace71b5a4a22aa8ffaab9 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 18:23:03 -0300
Subject: [PATCH] Update win_proc_wrong_parent.yml

---
 .../win_proc_wrong_parent.yml | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index ed200d806..8a1f501d4 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@@ -20,22 +20,22 @@ logsource:
     product: windows
 detection:
     selection:
-        Image:
-            - '*\svchost.exe'
-            - '*\taskhost.exe'
-            - '*\lsm.exe'
-            - '*\lsass.exe'
-            - '*\services.exe'
-            - '*\lsaiso.exe'
-            - '*\csrss.exe'
-            - '*\wininit.exe'
-            - '*\winlogon.exe'
+        Image|endswith:
+            - '\svchost.exe'
+            - '\taskhost.exe'
+            - '\lsm.exe'
+            - '\lsass.exe'
+            - '\services.exe'
+            - '\lsaiso.exe'
+            - '\csrss.exe'
+            - '\wininit.exe'
+            - '\winlogon.exe'
     filter:
-        ParentImage:
-            - '*\System32\\*'
-            - '*\SysWOW64\\*'
-            - '*\SavService.exe'
-            - '*\Windows Defender\\*\MsMpEng.exe'
+        ParentImage|endswith:
+            - '\System32\\*'
+            - '\SysWOW64\\*'
+            - '\SavService.exe'
+            - '\Windows Defender\\*\MsMpEng.exe'
     filter_null:
         ParentImage: null
     condition: selection and not filter and not filter_null
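Review bot: The new `ParentImage|endswith` filter still carries trailing wildcards in `'\System32\\*'` and `'\SysWOW64\\*'`, so two of its four entries are not suffixes at all but contains-style patterns, and `'\Windows Defender\\*\MsMpEng.exe'` keeps an embedded wildcard under the same modifier. As far as I recall, sigmac's `endswith` only prepends a `*` and leaves embedded wildcards intact, so the match set is presumably unchanged here, but any backend that escapes value characters under a modifier would silently turn the System32/SysWOW64 exclusion into a literal-suffix test that never matches, and the rule would then fire on every legitimate service start. Splitting the filter so the modifier matches the value shape removes that ambiguity and makes the intent of each exclusion readable; the rewritten `filter` and `condition` are below, with the `selection` and `filter_null` lines unchanged.
```yaml
    filter_dir:
        ParentImage|contains:
            - '\System32\\'
            - '\SysWOW64\\'
    filter_exe:
        ParentImage|endswith:
            - '\SavService.exe'
            - '\Windows Defender\\*\MsMpEng.exe'
    # … unchanged: filter_null …
    condition: selection and not filter_dir and not filter_exe and not filter_null
```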