Update win_susp_rundll32_by_ordinal.yml

2020-10-15 19:46:54 -03:00
parent 8d471775e0
commit d3f0d25ffb
1 changed files with 2 additions and 1 deletions
@@ -18,7 +18,8 @@ logsource:
    product: windows
 detection:
    selection:
-        CommandLine: '*\rundll32.exe *,#*'
+        CommandLine|contains: '\rundll32.exe'
+        CommandLine|contains: ',#'
    condition: selection
 falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment