Update proc_creation_win_winpeas_tool.yml

rules/windows/process_creation/proc_creation_win_winpeas_tool.yml

@@ -16,7 +16,7 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    winpeas_basic:
+    selection_basic:
         Image|endswith:
             - '\winPEASany.exe'
             - '\winPEASany_ofs.exe'
@@ -24,28 +24,17 @@ detection:
             - '\winPEASx64_ofs.exe'
             - '\winPEASx86.exe'
             - '\winPEASx86_ofs.exe'
-    winpeas_option:
-        CommandLine|contains:
-            - 'systeminfo'     # Search system information
-            - 'userinfo'       # Search user information
-            - 'processinfo'    # Search processes information
+    selection_pe:
+        	OriginalFileName: 'winPEAS.exe'
+    selection_option:
+        - CommandLine|endswith:
             - 'serviceinfo'    # Search services information
             - 'applicationsinfo' # Search installed applications information
-            - 'networkinfo'   # Search network information
             - 'windowscreds'  # Search windows credentials
             - 'browserinfo '  # Search browser information
-            - 'filesinfo '    # Search generic files that can contains credentials
             - 'fileanalysis'  # Search specific files that can contains credentials and for regexes inside files
-            - 'eventsinfo'    # Display interesting events information
-    filter_sysinfo:
-        Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
-    condition: 1 of winpeas_* and not filter_sysinfo
-fields:
-    - Image
-    - User
-    - CommandLine
-    - ParentCommandLine
-    - CurrentDirectory
+        - CommandLine|contains: '.exe browserinfo '  # Search browser information
+    condition: 1 of selection*
 falsepositives:
-    - Unlikely
+    - Other programs that use the same command line flags
 level: high