Update win_renamed_psexec.yml

2020-10-15 18:24:48 -03:00
parent 081f5a90fe
commit 9751cac1a2
1 changed files with 3 additions and 3 deletions
@@ -20,9 +20,9 @@ detection:
        Description: 'Execute processes remotely'
        Product: 'Sysinternals PsExec'
    filter:
-        Image:
-           - '*\PsExec.exe'
-           - '*\PsExec64.exe'
+        Image|endswith:
+           - '\PsExec.exe'
+           - '\PsExec64.exe'
    condition: selection and not filter
 falsepositives:
    - Software that illegaly integrates PsExec in a renamed form