From c68531e6882ea563ea3197ba360db17a4011514e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 2 Feb 2023 10:52:04 +0100
Subject: [PATCH] fix: apply suggestions from code review
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
.../posh_ps_install_unsigned_appx_packages.yml | 2 +-
.../proc_creation_win_install_unsigned_appx_packages.yml | 2 +-
.../proc_creation_win_susp_copy_lateral_movement.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
index fa3aa8930..5470e2010 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
@@ -21,7 +21,7 @@ detection: selection_cmdlet: ScriptBlockText|contains: - 'Add-AppPackage '
- - 'Add-AppxPackage'
+ - 'Add-AppxPackage '
selection_flag: ScriptBlockText|contains: ' -AllowUnsigned' condition: all of selection_*
diff --git a/rules/windows/process_creation/proc_creation_win_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_install_unsigned_appx_packages.yml
index 46dc5b240..0cf0d0e91 100644
--- a/rules/windows/process_creation/proc_creation_win_install_unsigned_appx_packages.yml
+++ b/rules/windows/process_creation/proc_creation_win_install_unsigned_appx_packages.yml
@@ -27,7 +27,7 @@ detection: selection_cmdlet: CommandLine|contains: - 'Add-AppPackage '
- - 'Add-AppxPackage'
+ - 'Add-AppxPackage '
selection_flag: CommandLine|contains: ' -AllowUnsigned' condition: all of selection_*
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
index 7a249e92b..62850b7c5 100644
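Review bot: The trailing space in the new `'Add-AppxPackage '` is load-bearing but invisible, and the identical edit in the second hunk (proc_creation_win_install_unsigned_appx_packages.yml) has the same gap: nothing in the rule records that the space is deliberate, so a later edit or editor can strip it again, which is presumably how the unspaced form got there. A one-line comment above the list, e.g. `# trailing space is intentional: cmdlet name followed by its arguments`, would protect it in both files. Because `selection_flag` already requires `' -AllowUnsigned'`, the stricter cmdlet pattern changes what the rule catches only in the rare case where the cmdlet name is not directly followed by a space, so this reads as a consistency fix with the neighbouring `'Add-AppPackage '`; if the rule carries a `modified:` field (outside this hunk) Sigma convention is to bump it when the detection block changes.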
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
@@ -43,7 +43,7 @@ detection: selection_pwsh_cli: CommandLine|contains: - 'copy-item'
- - 'copy'
+ - 'copy '
- 'cpi ' - ' cp ' - 'move '
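Review bot: The new `'copy '` is anchored only on the right, whereas `' cp '` in the same list is anchored on both sides, so this pattern still substring-matches command lines containing `xcopy ` or `robocopy `. In a selection named `selection_pwsh_cli` that otherwise lists PowerShell aliases (`copy-item`, `cpi`, `cp`, `move`) that may be intended extra coverage or an over-match, and the rule should say which: either a comment such as `# 'copy ' is left unanchored on purpose so xcopy/robocopy are also covered`, or `' copy '` if only the alias is meant. The remaining selections and the `condition:` that combine with this list are outside the hunk, so I cannot tell whether a path constraint already limits the effect.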