From 6d86c7df6c35a6c980fc048fbc8a754bb323d7a2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 9 Sep 2021 09:41:03 +0200
Subject: [PATCH] Revert "refactor: 2nd condition in CVE-2021-40444 rule"

This reverts commit 015573c450ddb4d12ee127ffe1218aec90643087.
---
 .../process_creation/win_susp_control_cve_2021_40444.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
index 41ce96475..312b047b7 100644
--- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
+++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
@@ -13,18 +13,15 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection:
         Image|endswith: '\control.exe'
         ParentImage|endswith:
             - '\winword.exe'
             - '\powerpnt.exe'
             - '\excel.exe'
-    selection2:
-        Image|endswith: '\control.exe'
-        CommandLine|contains: '.cpl'
     filter:
         CommandLine|endswith: '\control.exe input.dll'
-    condition: ( selection1 or selection2 ) and not filter
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: critical
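Review bot: Nothing in the rule records why the `CommandLine|contains: '.cpl'` branch was dropped, so after this hunk `selection` anchors on the Office parent process alone and a future maintainer has only the git log to learn that a broader second condition was tried and reverted. A short comment above `selection:`, e.g. `# Anchored on Office parent processes only; a broader '.cpl' CommandLine condition was added and reverted (see history)`, would keep that scoping decision visible in the file and discourage re-adding it without checking the earlier result. The rule header (title, status, description, date fields) lies outside the hunk; if it carries a `modified` field, this logic change presumably warrants updating it — confirm against the project's conventions. The `logsource` mapping also begins before the hunk.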