From 6f38a44ec1d2fffa8cb2bd45d3ea60a021c3caad Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 20 Mar 2017 22:06:48 +0100 Subject: [PATCH] Broader definition certutil.exe rule --- rules/windows/sysmon/sysmon_certutil_decode.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/sysmon/sysmon_certutil_decode.yml b/rules/windows/sysmon/sysmon_certutil_decode.yml index 04d46518d..626b09a90 100644 --- a/rules/windows/sysmon/sysmon_certutil_decode.yml +++ b/rules/windows/sysmon/sysmon_certutil_decode.yml @@ -1,6 +1,6 @@ title: Certutil Decode in AppData status: experimental -description: Detetcs a Microsoft certutil execution with the 'decode' sub command on files in the AppData folder, which is sometimes used to decode malicious code with the built-in certutil utility +description: Detetcs a Microsoft certutil execution with the 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility author: Florian Roth reference: https://twitter.com/JohnLaTwC/status/835149808817991680 logsource: @@ -9,8 +9,7 @@ logsource: detection: selection: EventID: 1 - Image: '*\certutil.exe' - CommandLine: '* -decode *\AppData\*' + Image: '*\certutil.exe -decode ' condition: selection falsepositives: - unknown
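Review bot: The new selection `Image: '*\certutil.exe -decode '` can never match, because the Sysmon Event ID 1 `Image` field carries only the executable path while the `-decode` switch appears in `CommandLine`, so this commit makes the rule silent rather than broader. Keep the two fields separate and only drop the AppData path constraint: `Image: '*\certutil.exe'` and `CommandLine: '* -decode *'`. Certutil also accepts the `/decode` spelling of the switch, so a second CommandLine pattern is worth adding if the backend does not normalize option prefixes. With the AppData restriction removed, the unchanged `title: Certutil Decode in AppData` no longer describes the rule and the `Detetcs` typo in the description could be fixed in the same commit, and `falsepositives` should probably name legitimate certificate decoding by administrators now that the match is wider.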