From 95b47972f05eed2ea4fa709acd4a202fb2b0f99c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 12 Mar 2019 09:03:30 +0100
Subject: [PATCH] fix: transformed rule to new proc_creation format

---
 ...susp-mshta-execution.yml => win_susp_mshta_execution.yml} | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 rename rules/windows/builtin/{win-susp-mshta-execution.yml => win_susp_mshta_execution.yml} (94%)

diff --git a/rules/windows/builtin/win-susp-mshta-execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
similarity index 94%
rename from rules/windows/builtin/win-susp-mshta-execution.yml
rename to rules/windows/builtin/win_susp_mshta_execution.yml
index d762ccb84..1c643abef 100644
--- a/rules/windows/builtin/win-susp-mshta-execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -25,10 +25,9 @@ detection:
 - '*mshta vbscript:Execute("Execute*'
 - '*mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe*'
 selection2:
- EventID: 4688
- NewProcessName:
+ Image:
 - 'C:\Windows\system32\mshta.exe'
- ProcessCommandLine:
+ CommandLine:
 - '*.jpg*'
 - '*.png*'
 - '*.lnk*'
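Review bot: The new `Image` value in selection2 still matches only the literal path `C:\Windows\system32\mshta.exe`, so the WOW64 copy of mshta.exe present on 64-bit hosts (`C:\Windows\SysWOW64\mshta.exe`) is not covered by this selection; with the field now being Sigma's `Image`, the usual form is a suffix match, `- '*\mshta.exe'`, which covers both locations. The hunk also drops `EventID: 4688`, so selection2 is now scoped only by the rule's logsource block, which sits above line 25 and is not visible here; the diffstat's 2 insertions and 3 deletions are fully accounted for inside this hunk, so the logsource was not touched by this commit and should be confirmed to already declare `category: process_creation`, otherwise `Image`/`CommandLine` will not map to any backend field. The `CommandLine` list of bare extension wildcards (`*.jpg*`, `*.png*`, `*.lnk*`) is carried over unchanged from `ProcessCommandLine` and predates this commit, but it is worth noting that any mshta invocation whose command line merely contains one of those substrings will match, so the false-positive rate of this selection should be reviewed separately.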