From cd20e4a3fc6b8a2cc187c49f84de341a485be5c1 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Tue, 29 Oct 2019 19:22:41 +0100
Subject: [PATCH] fix: bound keywords to field in WMI persistence rule

See #501.
---
 rules/windows/other/win_wmi_persistence.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 58bf3033d..f978565a5 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -16,9 +16,10 @@ detection:
 selection:
 EventID: 5861
 keywords:
- - 'ActiveScriptEventConsumer'
- - 'CommandLineEventConsumer'
- - 'CommandLineTemplate'
+ Message:
+ - '*ActiveScriptEventConsumer*'
+ - '*CommandLineEventConsumer*'
+ - '*CommandLineTemplate*'
 # - 'Binding EventFilter' # too many false positive with HP Health Driver
 selection2:
 EventID: 5859
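Review bot: The commented-out `# - 'Binding EventFilter'` entry below the new `Message:` list still has the old bare-keyword form, so re-enabling it later would produce an exact-value match instead of the substring match the other entries now use; updating it to `# - '*Binding EventFilter*'` under `Message:` keeps it consistent with the field-bound list. The selection is still named `keywords` although it now binds to the `Message` field, which reads as a free-text keyword list and obscures the intent of the change; a name such as `selection_consumer` (with the matching reference in `condition`) would be clearer. The `condition` line and the rest of the `detection` mapping are outside this hunk, so whether and how `keywords` is referenced there cannot be confirmed from it.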