From d9d27fec74988928e4264bc8e2ea6fc1e320e3cd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 11 Mar 2018 01:22:04 +0100
Subject: [PATCH] Improved EquationGroup dll load rule

---
 rules/apt/apt_equationgroup_dll_u_load.yml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/rules/apt/apt_equationgroup_dll_u_load.yml b/rules/apt/apt_equationgroup_dll_u_load.yml
index 95c7b71cd..2228eafe4 100644
--- a/rules/apt/apt_equationgroup_dll_u_load.yml
+++ b/rules/apt/apt_equationgroup_dll_u_load.yml
@@ -9,11 +9,12 @@ references:
 author: Florian Roth
 date: 2018/03/10
 detection:
- selection:
- CommandLine:
- - '*rundll32.exe *,dll_u'
- - '* -export dll_u *'
- condition: selection
+ selection1:
+ Image: '*\rundll32.exe'
+ CommandLine: '*,dll_u'
+ selection2:
+ CommandLine: '* -export dll_u *'
+ condition: 1 of them
 falsepositives:
 - Unknown
 level: critical
@@ -22,7 +23,9 @@ logsource:
 product: windows
 service: sysmon
 detection:
- selection:
+ selection1:
+ EventID: 1
+ selection2:
 EventID: 1
 ---
 logsource:
@@ -30,5 +33,7 @@ logsource:
 service: security
 description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
- selection:
+ selection1:
+ EventID: 4688
+ selection2:
 EventID: 4688
\ No newline at end of file
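Review bot: `CommandLine: '*,dll_u'` in selection1 of the first hunk has no trailing wildcard, so it only matches a command line that ends exactly in `,dll_u`; a launch that passes further arguments after the export name is not covered, and the removed pattern `'*rundll32.exe *,dll_u'` had the same limitation, so the rewrite carries it forward. Listing both forms under the key, `CommandLine:` / `- '*,dll_u'` / `- '*,dll_u *'`, keeps the match anchored on the export name while catching trailing arguments; whether that raises false positives in your environment needs checking against real rundll32 telemetry. The `condition: 1 of them` line also deserves a short comment, since the global `selection1`/`selection2` mappings are combined by name with the `EventID` fields added in the sysmon and security documents of the second and third hunks, so renaming a selection in one document without the others silently breaks the rule; something like `# selection names must match the per-logsource documents below` above the condition would make that dependency visible. The detection mapping in the second and third hunks continues outside what the hunks show, so I cannot confirm no other selection names remain there.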