From ce750aba9caaff7e1db0804e1c65402e00be9410 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 31 Oct 2022 17:38:04 +0100
Subject: [PATCH] fix: wrong condition
---
 .../proc_creation_win_susp_rundll32_by_ordinal.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
index f5346f3d3..449439771 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
@@ -32,7 +32,7 @@ detection:
 CommandLine|contains|all:
 - '\FileTracker32.dll'
 - ',#1'
-condition: selection and not filter
+condition: selection and not 1 of filter*
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
 - Windows control panel elements have been identified as source (mmc)
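Review bot: The new `condition: selection and not 1 of filter*` relies on every exclusion block in the detection section carrying the `filter` name prefix, but the hunk shows only the tail of one such block, so whether additional `filter*` identifiers exist (which is what would make the old `not filter` wrong) is not visible here and should be confirmed against the full detection section, which starts before this hunk. Any exclusion block named without that prefix would stay silently unreferenced by the wildcard, so the naming convention is now load-bearing for the rule's false-positive handling and deserves a comment, e.g. `# all exclusion blocks are named filter_*; 1 of filter* references every one of them`. Note that the wildcard also means any future selection whose name happens to begin with `filter` is automatically excluded, which widens the rule's exclusion surface compared to listing the blocks explicitly; a short comment recording that this is intentional would help the next maintainer.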