From 272625a0052f6c0ecfa07b687a4452177bfa51f8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 24 Aug 2021 08:34:08 +0200
Subject: [PATCH] Update win_susp_splwow64.yml
---
 rules/windows/process_creation/win_susp_splwow64.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_splwow64.yml b/rules/windows/process_creation/win_susp_splwow64.yml
index 3695fcec2..38c4a4da3 100644
--- a/rules/windows/process_creation/win_susp_splwow64.yml
+++ b/rules/windows/process_creation/win_susp_splwow64.yml
@@ -13,7 +13,7 @@ detection:
 selection:
 Image|endswith: '\splwow64.exe'
 filter:
- CommandLine|contains: 'splwow64.exe '
+ CommandLine|endswith: 'splwow64.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
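Review bot: With `condition: selection and not filter` left unchanged, switching the filter to `CommandLine|endswith: 'splwow64.exe'` appears to invert the rule. The old filter excluded command lines that carry arguments (`'splwow64.exe '` with the trailing space), while the new one excludes the bare invocation, so the rule would now alert on every splwow64.exe start that has parameters and stay silent on the parameterless one. If the intent is to flag splwow64.exe started without parameters (the title and description sit above this hunk, so that is inferred), put `CommandLine|endswith: 'splwow64.exe'` under `selection:` and reduce the condition to `condition: selection`. A command line that quotes the image path ends in `splwow64.exe"` and will not match this `endswith`, so a second value for the quoted form is worth adding.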