Fix Requested Changes

rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml

@@ -7,7 +7,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
 author: frack113
 date: 2022/02/19
-modified: 2022/05/13
+modified: 2022/03/13
 logsource:
     product: windows
     category: file_rename
@@ -18,7 +18,7 @@ detection:
         - OriginalFilename|endswith:
             - '.dll'
             - '.tmp'  # VSCode FP
-        - OriginalFilename:
+        - OriginalFilename|contains:
             - '.dll.'
             - '\SquirrelTemp\temp'
     filter_tiworker:

rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml

@@ -22,7 +22,9 @@ detection:
         CommandLine|contains|all:
             - ' /INJECTRUNNING'
             - '.dll' # space some time in the end
-        OriginalFileName: mavinject
+        OriginalFileName:
+            - 'mavinject32.exe'
+            - 'mavinject64.exe'
     condition: selection
 fields:
     - ComputerName

rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml

@@ -26,7 +26,7 @@ detection:
   renamed:
     Image|endswith: '\TrolleyExpress.exe'
   filter_renamed:
-    OriginalFileName: 'CtxInstall'
+    OriginalFileName|contains: 'CtxInstall'
   filter_empty:
     OriginalFileName: null
   condition: selection or ( renamed and not 1 of filter* )

rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml

@@ -21,7 +21,7 @@ detection:
         CommandLine: 'null'
     filter_null2:  # some backends need the null value in a separate expression
         CommandLine: null
-    condition: all of selection* and not filter_null1 and not filter_null2
+    condition: all of selection* and not filter_null*
 falsepositives:
     - AppvClient
     - CCM