From 76bc06358e45adfc6b3b789858bf2bce94b8e490 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 19 Apr 2022 17:35:40 +0200
Subject: [PATCH] Update proc_creation_win_7zip_cve_2022_29072.yml

---
 .../proc_creation_win_7zip_cve_2022_29072.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml b/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml
index 4ef6ffd6c..768061be9 100644
--- a/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml
+++ b/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml
@@ -7,6 +7,7 @@ references:
 - https://twitter.com/kagancapar/status/1515219358234161153
 author: frack113
 date: 2022/04/17
+modified: 2022/04/19
 tags:
 - cve.2022.29072
 logsource:
@@ -16,7 +17,9 @@ detection:
 selection:
 Image|endswith: '\cmd.exe'
 ParentImage|endswith: '\7zFM.exe'
- condition: selection
+ filter:
+ CommandLine|contains: ' /c '
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
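Review bot: The new `filter` in the detection hunk excludes every `cmd.exe` child of `7zFM.exe` whose command line contains ` /c `, which describes how the shell was invoked rather than the benign case it is presumably meant to cover, so the exclusion is wider than its reason. Nothing in the rule records that reason, and `falsepositives` still reads `Unknown`. A comment above the filter such as `# 7zFM.exe opening a script from an archive starts 'cmd.exe /c <file>' (assumed reason, confirm)` and a matching `falsepositives` entry would let the next maintainer judge the trade-off. If the benign launches always name a batch file, consider tightening the filter to require that as well, and keep the excluded events visible in a lower-level rule rather than dropping them at `level: high`. The `detection` block starts above the hunk.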