From 8a4b53eb3a9652ee779729cd0fcea36e85ed0648 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 23 Jul 2020 17:04:16 +0200
Subject: [PATCH] fix: rule leads to FPs on systems that don't log the cmdline parameters

---
 .../process_creation/win_susp_svchost_no_cli.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_svchost_no_cli.yml b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
index d635c590a..4da570b7e 100644
--- a/rules/windows/process_creation/win_susp_svchost_no_cli.yml
+++ b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
@@ -6,6 +6,7 @@ references:
     - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett
 date: 2019/12/28
+modified: 2020/07/23
 tags:
     - attack.t1055
 logsource:
@@ -13,13 +14,13 @@ logsource:
     product: windows
 detection:
     selection1:
-        CommandLine: null
+        CommandLine|endswith: 'svchost.exe'
     selection2:
-        Image: '*\svchost.exe'
+        Image|endswith: '\svchost.exe'
     filter:
-        ParentImage:
-            - '*\rpcnet.exe'
-            - '*\rpcnetp.exe'
+        ParentImage|endswith:
+            - '\rpcnet.exe'
+            - '\rpcnetp.exe'
     condition: (selection1 and selection2) and not filter
 fields:
     - CommandLine
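Review bot: The new `CommandLine|endswith: 'svchost.exe'` in selection1 only matches an unquoted command line, so an svchost started with a quoted path and no arguments (`"C:\Windows\System32\svchost.exe"`, the argument-less launch this rule is meant to catch) ends in `"` and no longer matches, a gap the old `CommandLine: null` form did not have. Making the value a list that also accepts the quoted form closes it: `CommandLine|endswith:` / `    - 'svchost.exe'` / `    - 'svchost.exe"'`. Note also that on systems that do not log the command line the rule now matches nothing rather than everything, which is the intent of the commit but worth stating in the rule's `description` (outside this hunk), e.g. "requires command-line logging (Sysmon or 4688 with cmdline auditing); silent otherwise", so analysts do not read an absence of hits as an absence of argument-less svchost starts.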