From 7eaa3f8d3fa0d26313fbbdc5e9331511f06efa51 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 11 Jan 2022 09:19:55 +0100
Subject: [PATCH] refactor: rewrite re rule to contains

---
 .../process_creation/win_lolbin_execution_via_winget.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml
index 820e899f2..a2c43a507 100644
--- a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml
+++ b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml
@@ -16,7 +16,10 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|re: '.*(?i)winget install (--m|-m).*'
+        CommandLine|contains|all: 'winget install'
+        CommandLine|contains:
+            - ' -m '
+            - ' --manifest '
     condition: selection
 falsepositives:
     - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users.
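Review bot: The `|all` modifier on `CommandLine|contains|all: 'winget install'` is applied to a single scalar, where it has no effect; either drop it (`CommandLine|contains: 'winget install'`) or turn the value into a list if more mandatory substrings are planned. Because `CommandLine|contains|all` and `CommandLine|contains` are distinct keys in the same selection map, the selection still ANDs the `winget install` match with either of the ` -m `/` --manifest ` variants, which is the intended logic but easy to misread as a duplicated key; a one-line comment above the selection stating that the two entries are ANDed would help the next maintainer. Since the detection logic changed (the old regex also matched a non-existent `--m` flag), the rule's `modified` date, which sits above this hunk outside the shown lines, should be bumped per Sigma convention if the file carries one. The `contains` match is case-insensitive in Sigma by default, so dropping the `(?i)` flag from the old regex does not narrow coverage.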