From dff2e16ad224875efebd3bffec2903b94cdc36ef Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Tue, 13 Oct 2020 10:59:20 +0300
Subject: [PATCH] Update powershell_cmdline_specific_comb_methods.yml

---
 ...wershell_cmdline_specific_comb_methods.yml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
index 273c0f2ca..8bbb7d5be 100644
--- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
+++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
@@ -17,15 +17,16 @@ logsource:
 detection:
     selection1:
         Image|endswith: '\powershell.exe'
-        CommandLine|all:
-            - '*char*'
-            - '*join*'
+        CommandLine|contains|all:
+            - 'char'
+            - 'join'
     selection2:
         Image|endswith: '\powershell.exe'
         CommandLine|contains:
             - 'ToInt'
             - 'ToDecimal'
             - 'ToByte'
+            - 'ToUint'
             - 'ToSingle'
             - 'ToSByte'
     selection3:
@@ -36,14 +37,14 @@ detection:
             - 'String'
     selection4:
         Image|endswith: '\powershell.exe'
-        CommandLine|all:
-            - '*split*'
-            - '*join*'
+        CommandLine|contains|all:
+            - 'split'
+            - 'join'
     selection5:
         Image|endswith: '\powershell.exe'
-        CommandLine|all:
-            - '*ForEach*'
-            - '*Xor*'
+        CommandLine|contains|all:
+            - 'ForEach'
+            - 'Xor'
     selection6:
         Image|endswith: '\powershell.exe'
         CommandLine|contains:
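Review bot: The new `'ToUint'` entry in selection2 does not match the .NET spelling of the conversion methods (`[Convert]::ToUInt16/32/64`); it only works because Sigma string matching is case-insensitive by default, and it will silently miss if a backend or processing pipeline emits a case-sensitive match. Write it as `- 'ToUInt'` so the value reads as the real identifier and the match no longer depends on backend case handling. The selection1 pair `'char'` + `'join'` is also very broad after the `contains` rewrite: any command line containing "charset"/"character" together with a `-join` or `Join-Path` matches, so consider anchoring on the cast form that obfuscators actually use, `- '[char]'`, if that is the intended signal. The `detection` mapping and its `condition` continue outside this hunk, so the combined effect of the selections cannot be judged here.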
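Review bot: selection4's `'split'` + `'join'` pair matches any PowerShell invocation that uses both `-split` and `-join`, which is routine in benign admin scripts, so this rewrite should be accompanied by a note in the rule's `falsepositives` field (outside this hunk) or narrowed to the obfuscation shape the rule targets. Every selection in this hunk keys on `Image|endswith: '\powershell.exe'` only; if PowerShell 7 hosts are in scope, `Image|endswith:` should become a list with `- '\powershell.exe'` and `- '\pwsh.exe'`, otherwise the same command lines go undetected there. The selection5 `'Xor'` value matches the `-bxor` operator as a substring, which appears to be the intent, but that reliance on substring matching is worth stating in a comment above selection5. selection6 and the `condition` lie outside the hunk.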