From b1b0240692cd35a8f493b77809f2164578fb9ca9 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sat, 3 Apr 2021 23:21:13 +0200
Subject: [PATCH] Fixes

---
 rules/windows/powershell/powershell_shellcode_b64.yml | 2 +-
 .../process_creation/win_susp_crackmapexec_execution.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index 3d7988b68..ba269aca2 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -23,7 +23,7 @@ detection:
 EventID: 4104
 ScriptBlockText|contains: 'AAAAYInlM'
 selection2:
- ScriptBlockText|contains|all:
+ ScriptBlockText|contains:
 - 'OiCAAAAYInlM'
 - 'OiJAAAAYInlM'
 condition: selection and selection2
diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
index e5d69a30a..9a5f1afb3 100644
--- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
+++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml
@@ -28,9 +28,9 @@ detection:
 - 'cmd.exe /C * > *\\Temp\\* 2>&1'
 CommandLine|contains:
 # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation)
- - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*'
+ - 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
 # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation)
- - '*powershell.exe -noni -nop -w 1 -enc *'
+ - 'powershell.exe -noni -nop -w 1 -enc '
 condition: selection
 fields:
 - ComputerName
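Review bot: After dropping `|all`, selection2's two values are alternatives, and both already contain the `'AAAAYInlM'` substring that `selection` tests, so in `condition: selection and selection2` the ScriptBlockText part of `selection` adds nothing beyond the EventID 4104 filter. That redundancy is harmless but worth a comment so the next reader does not reintroduce `|all` thinking the rule needs both values; the two strings appear to be different base64 alignments of the same byte sequence, which I infer from the shared suffix rather than from anything on the page. A one-line comment above the list, `# either alignment suffices; selection only adds the EventID constraint`, would make the OR intent explicit. The enclosing detection block starts before this hunk.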
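Review bot: The trailing space inside `'powershell.exe -noni -nop -w 1 -enc '` is now load-bearing: with the `*` gone, `contains` ends the match at `-enc ` and that space is the only thing separating the literal `-enc` token from longer switches that start with the same letters, yet nothing marks it as intentional and a quoted trailing space is easy to lose in a cleanup. Add `# trailing space intentional: anchors the '-enc' token` above that entry. Both patterns are tied to the exact strings at the cited cme/helpers/powershell.py lines, so a later edit upstream silently breaks the detection; recording the cme version those line numbers refer to in the comment, e.g. `# cme/helpers/powershell.py:149 (as of cme <version placeholder>)`, would make that drift visible. The `'cmd.exe /C * > *\\Temp\\* 2>&1'` context line still uses `*`, presumably under a different modifier declared above this hunk, which starts outside the visible lines.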