From 9e99832b76f7555224b7dfa65a607f241dfd0d5d Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 17:55:04 -0300
Subject: [PATCH] Update win_hwp_exploits.yml
---
 rules/windows/process_creation/win_hwp_exploits.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml
index 206d5ab97..e21047809 100644
--- a/rules/windows/process_creation/win_hwp_exploits.yml
+++ b/rules/windows/process_creation/win_hwp_exploits.yml
@@ -25,8 +25,8 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage: '*\Hwp.exe'
- Image: '*\gbb.exe'
+ ParentImage|endswith: '\Hwp.exe'
+ Image|endswith: '\gbb.exe'
 condition: selection
 falsepositives:
 - Unknown
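Review bot: The `falsepositives` entry under this selection is left as `Unknown` even though the match is nothing more than one parent/child image pair (`ParentImage|endswith: '\Hwp.exe'` with `Image|endswith: '\gbb.exe'`), so an analyst gets no triage guidance on a hit. If gbb.exe is a helper that the word processor itself starts when rendering embedded PostScript content, which I believe but the page does not confirm, benign documents would trigger the rule and the entry should say so, e.g. `- Legitimate documents with embedded EPS objects`. The diffstat counts only the two selection lines, so no `modified:` date accompanies this logic change; the rule header is outside the hunk, so check whether one is expected there.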