From 8293fd8e5b511bd50cf0ede83e0ee3ebbb59af2b Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sat, 28 Nov 2020 13:30:27 +0100 Subject: [PATCH] Update win_susp_iss_module_install.yml --- .../process_creation/win_susp_iss_module_install.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml index 79e0debe3..269e18518 100644 --- a/rules/windows/process_creation/win_susp_iss_module_install.yml +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml @@ -6,6 +6,7 @@ references: - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ author: Florian Roth date: 2012/12/11 +modified: 2020/11/28 tags: - attack.persistence - attack.t1505.003 @@ -15,8 +16,11 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - '\APPCMD.EXE install module /name:' + Image|endswith: '\appcmd.exe' + CommandLine|contains|all: + - 'install' + - 'module' + - '/name:' condition: selection falsepositives: - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
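Review bot: The new `CommandLine|contains|all` selection (`'install'`, `'module'`, `'/name:'`) also fires on `appcmd uninstall module /name:...`, because the substring `install` is contained in `uninstall`, so routine module removal by administrators will alert under a rule written for module installation. Either replace the first two tokens with a single `- 'install module'` entry, or, if whitespace variation between the words is why the tokens were split, add `filter:` / `CommandLine|contains: 'uninstall'` and change the condition to `condition: selection and not filter` — the filter intentionally drops module removal, which is outside T1505.003 but deserves a sentence in the description. Separately, `Image|endswith: '\appcmd.exe'` is bypassed by copying the binary under another name; if the log source covers Sysmon process-creation events, an additional OR'd selection on `OriginalFileName: 'appcmd.exe'` would survive a rename (the field is not shown here, so confirm it is available). The context line `date: 2012/12/11` predates both Sigma and the 2018 reference and is likely a typo, and `arganisation` in `falsepositives` is misspelled — both outside this change but cheap to fix in the same commit.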