Update proc_creation_win_7zip_cve_2022_29072.yml

2022-04-19 17:35:40 +02:00
parent fee402c183
commit 76bc06358e
1 changed files with 4 additions and 1 deletions
@@ -7,6 +7,7 @@ references:
    - https://twitter.com/kagancapar/status/1515219358234161153
 author: frack113
 date: 2022/04/17
+modified: 2022/04/19
 tags:
    - cve.2022.29072
 logsource:
@@ -16,7 +17,9 @@ detection:
    selection: 
        Image|endswith: '\cmd.exe'
        ParentImage|endswith: '\7zFM.exe'
-    condition: selection
+    filter:
+        CommandLine|contains: ' /c '
+    condition: selection and not filter
 falsepositives:
    - Unknown
 level: high