From 9ae26e2674cea201eab6df591ce7ef2cc6cc7ff1 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Sat, 28 Nov 2020 10:20:12 +0100
Subject: [PATCH] Update win_apt_cloudhopper.yml
---
 rules/windows/process_creation/win_apt_cloudhopper.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml
index 940696607..8c6538e18 100755
--- a/rules/windows/process_creation/win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/win_apt_cloudhopper.yml
@@ -16,7 +16,9 @@ logsource:
 detection:
 selection:
 Image|endswith: '\cscript.exe'
- CommandLine|contains: '.vbs /shell '
+ CommandLine|contains|all:
+ - '.vbs'
+ - '/shell'
 condition: selection
 fields:
 - CommandLine
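Review bot: The new `CommandLine|contains|all` list matches `.vbs` and `/shell` independently, in any position and order, so it is looser than the old `'.vbs /shell '` literal in more ways than the quoting or spacing variation it presumably targets. Any cscript.exe command line that has a `.vbs` path plus an unrelated token beginning with `/shell` will now fire. Consider keeping the switch delimited, e.g. `- ' /shell'`, so it still has to appear as its own argument while tolerating a quoted script path or extra characters between the two. Because the match is broader, the rule's `falsepositives` and `level` entries (outside this hunk) are worth re-checking, and the `modified` date should be bumped if the rule carries one.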