From a88b22a1bd83596c00ff0ce87321f9c676ea00a1 Mon Sep 17 00:00:00 2001
From: Harish SEGAR
Date: Fri, 20 Mar 2020 23:34:15 +0100
Subject: [PATCH] Fix namefield.
---
 .../process_creation/win_powershell_downgrade_attack.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_powershell_downgrade_attack.yml b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
index 228f01b13..814dc49bd 100644
--- a/rules/windows/process_creation/win_powershell_downgrade_attack.yml
+++ b/rules/windows/process_creation/win_powershell_downgrade_attack.yml
@@ -36,5 +36,5 @@ detection:
 selection:
 EventID: 4688
 CommandLine|re: '.*-[Vv][Ee][Rr][Ss][Ii][Oo][Nn] 2'
- Image|endswith: '\powershell.exe'
+ NewProcessName|endswith: '\powershell.exe'
 condition: selection
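Review bot: Replacing `Image` with `NewProcessName` hard-wires this selection to the Security-log 4688 event, while the file lives under `process_creation`, where the Sigma convention is the backend-neutral `Image`/`CommandLine` pair with no `EventID` so that the backend field mapping resolves `Image` to `NewProcessName` for 4688 or keeps it for Sysmon Event ID 1; if the rule's logsource (above line 36, outside the hunk) is `category: process_creation`, the more robust fix is probably to drop `EventID: 4688` and keep `Image|endswith: '\powershell.exe'`, otherwise Sysmon-sourced process creations silently stop matching. If the rule is meant to be Security-log only, the logsource should declare that instead, and a comment such as `# 4688 carries CommandLine only when process command-line auditing is enabled` would record the dependency this detection has on audit policy. The leading `.*` in the `CommandLine|re` pattern is redundant for an unanchored regex search and can be dropped. The logsource block and the rest of the rule are outside this hunk.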