From 9751cac1a2ed9d1ca94ce429fea17ce29090a42c Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 18:24:48 -0300
Subject: [PATCH] Update win_renamed_psexec.yml
---
 rules/windows/process_creation/win_renamed_psexec.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
index 4a1ab2244..d599d6e0e 100644
--- a/rules/windows/process_creation/win_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
@@ -20,9 +20,9 @@ detection:
 Description: 'Execute processes remotely'
 Product: 'Sysinternals PsExec'
 filter:
- Image:
- - '*\PsExec.exe'
- - '*\PsExec64.exe'
+ Image|endswith:
+ - '\PsExec.exe'
+ - '\PsExec64.exe'
 condition: selection and not filter
 falsepositives:
 - Software that illegaly integrates PsExec in a renamed form
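Review bot: The `filter` block under `detection:` matches only the file name at the end of `Image`, and nothing visible documents that these two names are the intended allow-list. A comment above `Image|endswith:` such as `# original Sysinternals file names; any other name carrying the PsExec version info is treated as renamed` would make the intent explicit. The visible selection fields `Description` and `Product` are read from the binary's version resource, so the rule presumably covers plain renames only and not a binary whose resource was edited or rebuilt; that limit is worth stating in the rule's description. The selection starts above the hunk, so further fields may already be matched there. If the rule carries a `modified:` field outside the hunk, it should be updated with this change.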