From b02a2ff2dc7aeba219301a19e4e8b64a54f71694 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 2 Sep 2022 09:49:14 +0200
Subject: [PATCH] Update proc_creation_win_net_default_accounts_manipulation.yml

---
 .../proc_creation_win_net_default_accounts_manipulation.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
index ff04ad0f7..d8c5ba7bb 100644
--- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
@@ -10,7 +10,7 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_img:
 Image|endswith:
 - '\net.exe'
 - '\net1.exe'
@@ -26,7 +26,7 @@ detection:
 - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
 - ' Administratör ' # Swedish
 - ' guest '
- condition: selection
+ condition: all of selection_*
 falsepositives:
 - Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
 level: high
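Review bot: The new `condition: all of selection_*` in the second hunk silently depends on every other selection in this rule carrying the `selection_` prefix, and the selection that holds the account-name list (the `' Administrador '`, `' guest '` entries visible as context) is defined in the unchanged lines between the two hunks, outside what this patch shows. If that block was not renamed to match the prefix, the wildcard resolves to `selection_img` alone and the rule degrades to alerting on every `net.exe`/`net1.exe` execution, which would make the `level: high` rating noisy. Please confirm the sibling selection is named e.g. `selection_user`, or reference both explicitly: `condition: selection_img and selection_user`. The `detection` block this hunk edits starts before the hunk, so the check cannot be made from the diff alone.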