From 8477c4976be74ebdfad72090b75f404e9970f511 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:02:54 +0100
Subject: [PATCH] Update proc_creation_win_renamed_procdump.yml

---
 .../process_creation/proc_creation_win_renamed_procdump.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 9469558c6..5e1b13880 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -31,7 +31,7 @@ detection:
 Image|endswith:
 - '\procdump.exe'
 - '\procdump64.exe'
-condition: (original_file_name or all of selection_*) and not filter
+condition: original_file_name or all of selection_* and not filter
 falsepositives:
 - Procdump illegaly bundled with legitimate software
 - Weird admins who renamed binaries (and should be investigated)
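Review bot: Dropping the parentheses changes the rule's logic, not just its formatting: in Sigma's condition grammar `and` binds tighter than `or`, so the new line `condition: original_file_name or all of selection_* and not filter` is read as `original_file_name or (all of selection_* and not filter)`, and `filter` no longer suppresses events that matched via `original_file_name`. Judging from the visible `filter` block (`Image|endswith` on `\procdump.exe` / `\procdump64.exe`), that appears to mean a process whose original file name is ProcDump but whose image is still named procdump.exe is now alerted on, which looks like the opposite of what a "renamed" rule wants; if the narrowing of the filter to the `selection_*` branch is intended, the commit message should say so. If it is not intended, restore the grouping with `condition: (original_file_name or all of selection_*) and not filter`, or spell the precedence out explicitly as `condition: (original_file_name or all of selection_*) and not filter` with a short `# filter applies to both branches` comment above it. The `original_file_name` and `selection_*` definitions sit above this hunk and are not visible here, so the exact event population affected cannot be confirmed from the patch alone.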