From d9d543e545bec517a2cd9b24b99d542e077b92ee Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 12 Aug 2021 13:28:24 +0200
Subject: [PATCH] refactor: removed OriginalFileName from rule to improve compatibilty

---
 rules/windows/process_creation/win_susp_whoami.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index 5fab95fae..ffc7efcaf 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -17,9 +17,7 @@ logsource:
 detection:
   selection:
     Image|endswith: '\whoami.exe'
-  selection2:
-    OriginalFileName: 'whoami.exe'
-  condition: selection or selection2
+  condition: selection
 falsepositives:
   - Admin activity
   - Scripts and administrative tools used in the monitored environment
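Review bot: After this change the rule matches only on `Image|endswith: '\whoami.exe'`, so a copy of whoami.exe renamed to anything else (for which the PE header's OriginalFileName would still have been `whoami.exe`) no longer triggers it; the commit message gives backend compatibility as the reason, but that loss of evasion resistance is not recorded anywhere in the rule. I would add a comment next to the remaining selection, e.g. `# OriginalFileName deliberately not used (not supported by all backends); renamed copies of whoami.exe are not covered by this rule`, so nobody re-adds or relies on the old coverage by accident. Presumably the rule's `description:` and `level:` fields sit above this hunk and could carry the same caveat; they are outside the visible hunk, so I cannot check whether they already mention it. If a backend does support OriginalFileName, keeping the field-based match in a separate rule would restore the coverage without breaking the others.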