refactor: rewrite re rule to contains

2022-01-11 09:19:55 +01:00
parent 1fad4edfcb
commit 7eaa3f8d3f
1 changed files with 4 additions and 1 deletions
@@ -16,7 +16,10 @@ logsource:
    product: windows
 detection:
    selection:
-        CommandLine|re: '.*(?i)winget install (--m|-m).*'
+        CommandLine|contains|all: 'winget install'
+        CommandLine|contains:
+            - ' -m '
+            - ' --manifest '
    condition: selection
 falsepositives:
    - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users.