From d3f0d25ffb9eeaf74eabd86a3ffba9e28008b69b Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 19:46:54 -0300
Subject: [PATCH] Update win_susp_rundll32_by_ordinal.yml

---
 .../windows/process_creation/win_susp_rundll32_by_ordinal.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 584e5f49e..64c953780 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -18,7 +18,8 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine: '*\rundll32.exe *,#*'
+ CommandLine|contains: '\rundll32.exe'
+ CommandLine|contains: ',#'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
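Review bot: The two added `CommandLine|contains:` entries are duplicate keys inside the `selection` mapping, so a strict YAML loader rejects the rule and a lenient one (PyYAML-style last-wins) silently keeps only `',#'`, which drops the rundll32 requirement and turns the detection into a match on any command line containing a comma-hash. Sigma expresses "every substring must be present" with the `all` modifier over a list: `CommandLine|contains|all:` / `    - '\rundll32.exe'` / `    - ',#'` (indented under `selection` like the removed line). Note also that the old wildcard `'*\rundll32.exe *,#*'` required `,#` to appear after a space-separated argument following rundll32.exe, whereas the contains form matches the two substrings anywhere and in any order; if that loosening is intended it is worth a one-line comment on the selection so the next maintainer does not re-tighten it.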