From da7648f154ac8a0fa91f3d375e2fa066a13fbc1f Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 18:02:08 -0300
Subject: [PATCH] Update win_malware_notpetya.yml
---
 .../windows/process_creation/win_malware_notpetya.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 6604463a2..8b6b8d3d2 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -24,12 +24,12 @@ logsource:
 product: windows
 detection:
 pipe_com:
- CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*'
+ CommandLine|contains: '\AppData\Local\Temp\\* \\.\pipe\\'
 rundll32_dash1:
- Image: '*\rundll32.exe'
- CommandLine: '*.dat,#1'
- perfc_keyword:
- - '*\perfc.dat*'
+ Image|endswith: '\rundll32.exe'
+ CommandLine|endswith: '.dat,#1'
+ perfc_keyword|contains:
+ - '\perfc.dat'
 condition: 1 of them
 fields:
 - CommandLine
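Review bot: The added `perfc_keyword|contains:` line applies a Sigma field modifier to a name that is not a log field: in the removed lines `perfc_keyword:` carried a bare list of strings, which is the shape of a keyword selection, and modifiers are only defined on field names, so the `|contains` suffix either turns the selection into a bogus field named `perfc_keyword` or, if it was a keyword list, breaks the identifier that `condition: 1 of them` resolves (the original indentation is lost in this collapsed patch, so which of the two applies cannot be confirmed here). Either keep the keyword form with its wildcards, `perfc_keyword:` / `- '*\perfc.dat*'`, or express it on the field the rule actually inspects, `CommandLine|contains: '\perfc.dat'`, in which case the selection should carry a field-style name such as `perfc_cmdline:`. The new `CommandLine|contains: '\AppData\Local\Temp\\* \\.\pipe\\'` still embeds a `*` between the two fragments; that is legal inside a `contains` value, but a short comment noting that the inner wildcard is intentional would spare the next reader from "fixing" it. The rest of the `detection` block, including the `condition` line, is inside this hunk, so no further adjustment outside it should be needed.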