From cd3cdc94510ce5db4f75f044f232f15efcb0f8c6 Mon Sep 17 00:00:00 2001
From: Tareq AlKhatib
Date: Wed, 13 Feb 2019 21:26:02 +0300
Subject: [PATCH] Removed unnecessary '1 of them' in condition

---
 rules/windows/builtin/win_psexesvc_start.yml        | 2 +-
 rules/windows/sysmon/sysmon_win_reg_persistence.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/win_psexesvc_start.yml b/rules/windows/builtin/win_psexesvc_start.yml
index 08e517099..bfd47e750 100644
--- a/rules/windows/builtin/win_psexesvc_start.yml
+++ b/rules/windows/builtin/win_psexesvc_start.yml
@@ -15,7 +15,7 @@ detection:
     selection:
         EventID: 4688
         ProcessCommandLine: 'C:\Windows\PSEXESVC.exe'
-    condition: 1 of them
+    condition: selection
 falsepositives:
     - Administrative activity
 level: low
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml
index 27dd71e66..0b9727168 100644
--- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml
+++ b/rules/windows/sysmon/sysmon_win_reg_persistence.yml
@@ -15,7 +15,7 @@ detection:
             - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
             - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
         EventType: 'SetValue'
-    condition: 1 of them
+    condition: selection_reg1
 tags:
     - attack.privilege_escalation
     - attack.persistence
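Review bot: The `selection` that the new `condition: selection` points at matches `ProcessCommandLine` exactly, and event 4688 carries a command line only when the "Include command line in process creation events" audit policy is enabled, so on hosts with default auditing the field is empty and this rule never fires. `NewProcessName` is populated for every 4688, so a second selection on that field (below) keeps the rule useful on such hosts, combined with `condition: selection or selection_image`. Independently, PsExec's `-r` switch renames the service binary, so either form only covers the default name; that is worth a line in the rule's description or `falsepositives` (the description sits above the hunk). The file also still ends without a trailing newline, which this commit could have fixed while touching the last lines.
```yaml
    selection_image:
        EventID: 4688
        NewProcessName: 'C:\Windows\PSEXESVC.exe'
    condition: selection or selection_image
# … unchanged: falsepositives, level …
```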
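Review bot: The selection that `selection_reg1` now names starts above the hunk, and its two `TargetObject` patterns only cover the `ReportingMode`/`MonitorProcess` writes; the SilentProcessExit technique also requires `GlobalFlag` under `Image File Execution Options\<image>` to be set before the monitor process is launched, and that write is an equally specific signal the rule currently misses. Adding a second selection on that value and combining the two with `or` (below) covers it, at the cost of also matching legitimate debugging-tool use of `GlobalFlag`, so a separate rule is an option if that noise is unacceptable. Since Sysmon only emits registry SetValue events for keys its configuration includes, the rule silently depends on a config that captures these paths; a sentence saying so in the description would save the next analyst from a false sense of coverage.
```yaml
    selection_ifeo:
        TargetObject: '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag'
        EventType: 'SetValue'
    condition: selection_reg1 or selection_ifeo
# … unchanged: tags …
```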