From e1b99db1497b0e0b333b6c97ba63de8aac3b1893 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 16 Aug 2021 15:50:14 +0200
Subject: [PATCH 1/2] fix duplicate uuid

---
 rules/windows/process_creation/win_procdump.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_procdump.yml b/rules/windows/process_creation/win_procdump.yml
index 1f02d04b7..697a761b2 100644
--- a/rules/windows/process_creation/win_procdump.yml
+++ b/rules/windows/process_creation/win_procdump.yml
@@ -1,5 +1,5 @@
 title: Procdump Usage
-id: 03795938-1387-481b-9f4c-3f6241e604fe
+id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
 description: Detects uses of the SysInternals Procdump utility
 status: experimental
 references:

From d2790f24507212702653c9502a0ba57a0663cc24 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 16 Aug 2021 16:14:48 +0200
Subject: [PATCH 2/2] fix: missing "|all" modifier

---
 rules/windows/process_creation/win_susp_procdump.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index 288002fa5..7c3256d94 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
@@ -16,11 +16,11 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains:
+ CommandLine|contains|all:
 - ' -ma '
 - ' -accepteula '
 condition: selection
 falsepositives:
 - Another tool that uses the command line switches of Procdump
 - Legitimate use of procdump by a developer or administrator
-level: high
\ No newline at end of file
+level: high
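Review bot: Requiring both switches in the new `CommandLine|contains|all` selection makes the rule depend on ` -accepteula ` being present on every invocation, yet Sysinternals tools only need that switch until the EULA acceptance is persisted in the per-user registry, so a repeat run of `procdump -ma lsass.exe` on the same account, or one where that value was pre-set, would pass the condition unmatched. The narrowing itself is the right fix, since ` -accepteula ` alone matches PsExec and every other Sysinternals tool, so I would keep it and add a second selection that pairs ` -ma ` with a sensitive target such as `lsass`, joined by `condition: 1 of selection_*`, unless a sibling rule already covers that case. Sysinternals switches are commonly also accepted with a `/` prefix (`/ma`), which neither list entry would catch; if procdump accepts that form it deserves either an extra entry or a comment stating the gap. The hunk's `falsepositives` and `level` lines are unchanged and still apply to the wider selection.
```yaml
detection:
    selection_flags:
        CommandLine|contains|all:
            - ' -ma '
            - ' -accepteula '
    selection_lsass:
        CommandLine|contains|all:
            - ' -ma '
            - 'lsass'
    condition: 1 of selection_*
# … unchanged: falsepositives, level …
```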