From 6fcf3f9ebf3ae66ee9bb7853f823dfe11f62d2c1 Mon Sep 17 00:00:00 2001
From: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Mon, 25 May 2020 10:13:26 +0200
Subject: [PATCH] Update win_netsh_fw_add.yml

---
 rules/windows/process_creation/win_netsh_fw_add.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index 1184ebc34..59c3361fc 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
@@ -15,13 +15,13 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection1:
         CommandLine:
             - '*netsh*'
+    selection2:
         CommandLine:
             - '*firewall add*'
-            - '*advfirewall firewall add*'
-    condition: selection
+    condition: selection1 and selection2
 falsepositives:
     - Legitimate administration
 level: medium
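Review bot: `selection1` still keys on the bare substring `'*netsh*'` in `CommandLine`, which also fires on any process whose command line merely contains that string (a path component or an argument handed to some other tool), so the new `selection1 and selection2` condition is only as precise as that match; an `Image|endswith: '\netsh.exe'` entry in `selection1`, kept alongside the CommandLine pattern or replacing it, would anchor the rule on the binary actually executed. Dropping `'*advfirewall firewall add*'` is safe, since `'*firewall add*'` already matches it as a substring. The rule's `modified:` date sits above this hunk and presumably should be bumped now that the detection logic changed — confirm against the file header.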