From d7eda3fe7e4e2ffda59f6059e0a9d230bb9eb2cb Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 20:15:22 -0300
Subject: [PATCH] Update sysmon_wmi_susp_scripting.yml

---
 .../sysmon/sysmon_wmi_susp_scripting.yml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
index e1f150b77..9e75dea5b 100644
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
+++ b/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml
@@ -17,17 +17,17 @@ logsource:
 detection:
     selection:
         EventID: 20
-        Destination:
-            - '*new-object system.net.webclient).downloadstring(*'
-            - '*new-object system.net.webclient).downloadfile(*'
-            - '*new-object net.webclient).downloadstring(*'
-            - '*new-object net.webclient).downloadfile(*'
-            - '* iex(*'
-            - '*WScript.shell*'
-            - '* -nop *'
-            - '* -noprofile *'
-            - '* -decode *'
-            - '* -enc *'
+        Destination|contains:
+            - 'new-object system.net.webclient).downloadstring('
+            - 'new-object system.net.webclient).downloadfile('
+            - 'new-object net.webclient).downloadstring('
+            - 'new-object net.webclient).downloadfile('
+            - ' iex('
+            - 'WScript.shell'
+            - ' -nop '
+            - ' -noprofile '
+            - ' -decode '
+            - ' -enc '
     condition: selection
 fields:
     - CommandLine
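Review bot: The new `Destination|contains` entries keep the surrounding spaces from the old wildcard patterns (`' -enc '`, `' -nop '`, `' iex('`), so a match still depends on whitespace on both sides of the token: a consumer whose command line ends in `-nop` or uses `-EncodedCommand` is not matched, which the conversion to `contains` could have fixed at no extra cost. I would drop the trailing space on the switch entries and add the long form, e.g. `- ' -enc'` and `- ' -encodedcommand'`, and note in the rule that `contains` is case-insensitive in most Sigma backends so the mixed-case `'WScript.shell'` entry carries no meaning. The unchanged `fields:` list still names `CommandLine`, which, as far as I can tell, is not a field of Sysmon EventID 20 (the matched field is `Destination`); worth confirming and correcting while the rule is being touched. The rest of the rule (logsource, metadata) is outside this hunk.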