From d3f0ddd2b19cd23cbf522d3a17e6f1874e172014 Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Wed, 7 Oct 2020 14:50:00 +0300
Subject: [PATCH] Update powershell_code_injection.yml

---
 rules/windows/powershell/powershell_code_injection.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml
index aa90fe428..47d220c50 100644
--- a/rules/windows/powershell/powershell_code_injection.yml
+++ b/rules/windows/powershell/powershell_code_injection.yml
@@ -2,7 +2,7 @@ title: Accessing WinAPI in PowerShell. Code Injection.
 id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 status: experimental
 description: Detecting Code injection with PowerShell in another process
-author: Nikita Nazarov
+author: Nikita Nazarov, oscd.community
 date: 2020/10/06
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
@@ -17,7 +17,7 @@ detection:
 selection:
 EventID:
 - 8
-SourceImage: '*\powershell.exe'
+SourceImage|endswith: '\powershell.exe'
 condition: selection
 falsepositives:
 - Unknown
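Review bot: The new `SourceImage|endswith: '\powershell.exe'` in the second hunk matches only the Windows PowerShell host, so Sysmon EventID 8 (CreateRemoteThread) events whose source is `pwsh.exe` (PowerShell Core/7) or `powershell_ise.exe` fall outside the rule; the previous wildcard had the same gap, but moving to the `endswith` modifier is the natural point to close it. A list under the modifier keeps the same shape: `SourceImage|endswith:` / `- '\powershell.exe'` / `- '\pwsh.exe'`, with `powershell_ise.exe` added if that host is in scope for this rule. The `date: 2020/10/06` line is left unchanged while the detection logic changes; Sigma rules conventionally record such a revision in a `modified:` field rather than by editing `date`. The `detection:` block starts outside the hunk and the rule may continue past `- Unknown` (for example a `level` field), so the match/condition context is only partly visible here.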