From 8a52610bf8383dec57e8ef4fa13d25a9f3ea7ecd Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 20:11:11 -0300
Subject: [PATCH] Update sysmon_uac_bypass_eventvwr.yml

---
 rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index f566bc863..737f18139 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -32,9 +32,9 @@ logsource:
 product: windows
 detection:
 methprocess:
-ParentImage: '*\eventvwr.exe'
+ParentImage|endswith: '\eventvwr.exe'
 filterprocess:
-Image: '*\mmc.exe'
+Image|endswith: '\mmc.exe'
 condition: methprocess and not filterprocess
 fields:
 - CommandLine
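Review bot: The `filterprocess` exclusion on the new line `Image|endswith: '\mmc.exe'` matches on the file name alone, so the `condition: methprocess and not filterprocess` suppresses every child of eventvwr.exe whose image is named mmc.exe wherever it runs from; anchoring the exclusion to the expected location keeps it narrow, e.g. `Image|endswith: '\Windows\System32\mmc.exe'` (or a list of the expected paths). The same consideration does not apply to `ParentImage|endswith: '\eventvwr.exe'`, where a name-only match is the intended broad trigger. Replacing the leading `*` wildcard with the `|endswith` modifier is the right Sigma idiom and preserves the case-insensitive match. The rest of the rule (title, logsource category, falsepositives) lies outside this hunk, so whether the logsource actually carries ParentImage/Image fields cannot be confirmed from here.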