From 8a9db12d30565416cc5b24ef5a31ff88321e0115 Mon Sep 17 00:00:00 2001
From: invrep-de <72574591+invrep-de@users.noreply.github.com>
Date: Mon, 26 Oct 2020 12:05:16 -0400
Subject: [PATCH] Enhanced to improve specificity

Enhanced to improve specificity per feedback received;
---
 .../win_bad_opsec_sacrificial_processes.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
index 206dd9fa2..4b9294d8c 100644
--- a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
+++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml
@@ -16,9 +16,9 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
- - '*\WerFault.exe'
- - '*\rundll32.exe'
+ CommandLine|endswith:
+ - '\WerFault.exe'
+ - '\rundll32.exe'
 condition: selection
 falsepositives:
 - Unlikely
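Review bot: The new `CommandLine|endswith:` values will not match when the launcher quotes the image path, because the command line then ends with `"` rather than `\rundll32.exe`; the removed `*\…` patterns had the same gap, so the hunk does not close it. To keep the rule catching argument-less launches in both spellings, add quoted variants to the list, `- '\WerFault.exe"'` and `- '\rundll32.exe"'`. As far as I know Sigma already compiles a leading `*` into an endswith match, so this rewrite is a readability change rather than a specificity one despite the subject line, and it may be worth saying so in the commit message. The rule's title, description and the rest of `logsource` sit outside this hunk.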