From dfae2a6df6f5bbc90a7b476c22fc9c8fedab47e9 Mon Sep 17 00:00:00 2001
From: Brad Kish
Date: Mon, 15 Jun 2020 13:54:02 -0400
Subject: [PATCH] Rule needs endwith, not exact match.

Fix ImageLoaded filter to match with endswith, rather than exact match.
---
 .../sysmon_wmi_persistence_commandline_event_consumer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
index 9349ff725..c87d2af65 100644
--- a/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
@@ -16,7 +16,7 @@ detection:
 selection:
 EventID: 7
 Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- ImageLoaded: 'wbemcons.dll'
+ ImageLoaded|endswith: '\wbemcons.dll'
 condition: selection
 falsepositives:
 - Unknown (data set is too small; further testing needed)
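Review bot: The `Image` field on the context line directly above the changed line is still an exact-match string pinned to `C:\Windows\System32\wbem\`, so the selection silently misses the same event when the system drive is not C: (and, presumably, the 32-bit WmiPrvSE.exe under SysWOW64\wbem on 64-bit hosts); that is the same brittleness this commit removes for ImageLoaded, and the two conditions of one selection should use the same matching style. Consider `Image|endswith: '\wbem\WmiPrvSE.exe'`, keeping the `\wbem\` segment so an unrelated binary of that name elsewhere does not match. With `ImageLoaded|endswith: '\wbemcons.dll'` the DLL path is no longer pinned to the system directory either; if that was deliberate, a one-line comment on the rule such as `# endswith: WmiPrvSE.exe and wbemcons.dll are not always under C:\Windows\System32` would record why the rule accepts any directory.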