From 82fbfed2c2319acd4eefa9dba5d2694de546172a Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 17:33:02 -0300
Subject: [PATCH] Update win_apt_mustangpanda.yml
---
 .../process_creation/win_apt_mustangpanda.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml
index 28fa66924..252b8ab46 100644
--- a/rules/windows/process_creation/win_apt_mustangpanda.yml
+++ b/rules/windows/process_creation/win_apt_mustangpanda.yml
@@ -13,12 +13,13 @@ logsource:
 product: windows
 detection:
 selection1:
- CommandLine:
- - '*Temp\wtask.exe /create*'
- - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
- - '*/E:vbscript * C:\Users\\*.txt" /F'
- - '*/tn "Security Script *'
- - '*%windir:~-1,1%*'
+ CommandLine|endswith:
+ - 'Temp\wtask.exe /create*'
+ - '%windir:~-3,1%%PUBLIC:~-9,1%*'
+ - '/tn "Security Script *'
+ - '%windir:~-1,1%*'
+ Commandline|startswith:
+ - '/E:vbscript * C:\Users\\*.txt" /F'
 selection2:
 Image:
 - '*Temp\winwsh.exe'
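Review bot: Splitting `selection1` into `CommandLine|endswith` and `Commandline|startswith` replaces a single OR list with two keys of one map, which Sigma combines with AND, so the selection now only fires when both keys match. The modifiers also look swapped: the four patterns that kept their trailing `*` behave as contains matches, while `/E:vbscript * C:\Users\\*.txt" /F` was originally anchored on the end of the command line and can hardly match as `startswith`, since a command line normally begins with the executable. `Commandline` is also spelled with a lower-case `l`, which a case-sensitive field mapping may not resolve. A list of maps keeps the original OR semantics without touching the `condition`, which is outside this hunk.

```yaml
    selection1:
        - CommandLine|contains:
            - 'Temp\wtask.exe /create'
            - '%windir:~-3,1%%PUBLIC:~-9,1%'
            - '/tn "Security Script '
            - '%windir:~-1,1%'
        - CommandLine|endswith:
            - '/E:vbscript * C:\Users\\*.txt" /F'
    # … unchanged: selection2 …
```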