fix: bound keywords to field in WMI persistence rule

See #501.
2019-10-29 19:22:41 +01:00
parent 632c45843b
commit cd20e4a3fc
1 changed files with 4 additions and 3 deletions
@@ -16,9 +16,10 @@ detection:
    selection:
        EventID: 5861
    keywords:
-        - 'ActiveScriptEventConsumer'
-        - 'CommandLineEventConsumer'
-        - 'CommandLineTemplate'
+        Message:
+            - '*ActiveScriptEventConsumer*'
+            - '*CommandLineEventConsumer*'
+            - '*CommandLineTemplate*'
        # - 'Binding EventFilter'  # too many false positive with HP Health Driver
    selection2:
        EventID: 5859