From b1504c7632d6c0a43f61ba45b26b847c5a17d5b1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 15 Dec 2022 19:02:56 +0100
Subject: [PATCH] fix: wrong condition
---
 .../net_connection_win_wuauclt_network_connection.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
index 2ac32898b..d0694ab32 100644
--- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
@@ -23,7 +23,7 @@ detection:
 DestinationIp|startswith: '51.10' # Microsoft Range
 filter_cmdline:
 CommandLine|contains: '\UpdateDeploy.dll /ClassId '
- condition: selection
+ condition: selection and not 1 of filter*
 falsepositives:
 - Legitimate use of wuauclt.exe over the network.
 level: medium
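Review bot: With `condition: selection and not 1 of filter*` every filter becomes a live exclusion, and the `DestinationIp|startswith: '51.10'` entry visible in the context has no trailing dot, so as a string prefix it suppresses 51.10.x.x and also 51.100.x.x through 51.109.x.x. If only Microsoft-owned space is meant, explicit ranges are safer, e.g. `DestinationIp|cidr: '<Microsoft range in CIDR form>'`, or at least a dot-terminated prefix. Separately, `filter_cmdline` matches on `CommandLine`, which standard Sysmon network connection events (Event ID 3) do not carry, so unless the log source is enriched that filter presumably never fires; a comment such as `# requires CommandLine enrichment on network connection events` would make that clear. The detection block starts above the hunk, so the selection and any other filters could not be checked here.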