From a40308263127b7e40f0c10ba2dbd65d39f85ea23 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 26 Nov 2020 23:33:00 -0300
Subject: [PATCH] Update win_bypass_squiblytwo.yml
---
 rules/windows/process_creation/win_bypass_squiblytwo.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
index 6cc7c95cd..a5422e5f6 100644
--- a/rules/windows/process_creation/win_bypass_squiblytwo.yml
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -24,8 +24,8 @@ logsource:
 product: windows
 detection:
 selection1:
- Image:
- - '*\wmic.exe'
+ Image|endswith:
+ - '\wmic.exe'
 CommandLine|contains|all:
 - wmic
 - format
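Review bot: The `Image|endswith: '\wmic.exe'` match in selection1 still keys only on the on-disk file name, so the rule stays silent when the binary is executed from a copy under a different name; the modifier change keeps the same matching semantics as the old `*\wmic.exe` wildcard and does not affect this. Where the log source provides PE metadata (Sysmon process-creation events do), an alternative match such as `OriginalFileName: 'wmic.exe'` alongside the Image condition would make the rule independent of the file name. The `wmic` entry under `CommandLine|contains|all` likely has the same dependence on the name and would need to be relaxed together with it. The rest of the detection block, including the condition, lies outside the hunk, so how selection1 is combined with other selections cannot be checked from here.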