Update proc_creation_win_renamed_procdump.yml

2022-08-12 16:02:54 +01:00
parent cf2a817801
commit 8477c4976b
1 changed files with 1 additions and 1 deletions
@@ -31,7 +31,7 @@ detection:
        Image|endswith:
            - '\procdump.exe'
            - '\procdump64.exe'
-    condition: (original_file_name or all of selection_*) and not filter
+    condition: original_file_name or all of selection_* and not filter
 falsepositives:
    - Procdump illegaly bundled with legitimate software
    - Weird admins who renamed binaries (and should be investigated)