From 757bf95ecb939b834034cbcfced2b0a12e938827 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 2 Jan 2022 11:45:33 +0100
Subject: [PATCH] fix detection

---
 .../windows/process_creation/win_pc_susp_powershell_encode.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_pc_susp_powershell_encode.yml b/rules/windows/process_creation/win_pc_susp_powershell_encode.yml
index 271bc05da..af3a5ccd6 100644
--- a/rules/windows/process_creation/win_pc_susp_powershell_encode.yml
+++ b/rules/windows/process_creation/win_pc_susp_powershell_encode.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
     selection:
         Image|endswith: \powershell.exe
-        CommandLine|contains:
+        CommandLine|contains|all:
             - '-e '
             - '==' # not all base64 have the ==
     condition: selection
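Review bot: Switching to `contains|all` makes `==` a mandatory indicator, yet the hunk's own comment `# not all base64 have the ==` says the padding is often absent; base64 ends in `==`, `=` or no padding depending on input length, so the patched rule will miss a large share of the encoded command lines it targets. A padding-agnostic match would be safer, for example dropping the `- '=='` item and keeping `CommandLine|contains: '-e '` on its own, or replacing the two items with a regex such as `CommandLine|re: '-e +[A-Za-z0-9+/]{20,}={0,2}'` (illustrative pattern; tune the minimum run length against the environment's false-positive rate). Note also that `'-e '` with its trailing space only covers the shortest switch form, so `-ec`, `-enc` and `-encodedcommand` remain undetected, and `Image|endswith: \powershell.exe` leaves `pwsh.exe` out; both are pre-existing gaps rather than introduced here. The rule's metadata and the rest of the file are outside the hunk.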