From d80fd4f9b7f3b5f1964afa298d072f4ebfe6eeaa Mon Sep 17 00:00:00 2001
From: 0xv1n <11021725+0xv1n@users.noreply.github.com>
Date: Sat, 22 Apr 2023 15:19:46 -0400
Subject: [PATCH] typo in wevtutil image name small typo fix.
---
 .../proc_creation_win_malware_rorschach_ransomware_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml b/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml
index f79a2323a..31e932640 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml
@@ -20,7 +20,7 @@ detection:
 - '\bcdedit.exe'
 - '\net.exe'
 - '\netsh.exe'
- - '\wevtuil.exe'
+ - '\wevtutil.exe'
 - '\vssadmin.exe'
 CommandLine|contains: '11111111'
 condition: selection
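Review bot: The image list in this selection still has `- '\net.exe'` with no `- '\net1.exe'` entry. On Windows, net.exe normally hands its work to net1.exe with the same arguments, so a process-creation event logged for net1.exe carrying the `11111111` marker would presumably not match; adding `- '\net1.exe'` directly after the `'\net.exe'` line would close that gap. The key that owns this list sits above the hunk, so this assumes it is an image-path suffix match like the sibling Sigma rules use. Separately, the misspelt `wevtuil` entry could never match any event, which suggests no test event exercises each listed image. One regression sample per entry would catch a dead branch like this before merge.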