From e4864b43d2da7b1d90cc8adbcfe6e3063ae00f29 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 16 Mar 2023 22:46:08 +0100
Subject: [PATCH] fix: regular expression
---
 .../proc_creation_win_rundll32_webdav_client_susp_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
index 8794978eb..28c469bde 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
@@ -21,7 +21,7 @@ detection:
 ParentImage|endswith: '\svchost.exe'
 Image|endswith: '\rundll32.exe'
 CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
- CommandLine|re: '//:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
+ CommandLine|re: ':\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
 filter_local_ips:
 CommandLine|contains:
 - '://10.' #10.0.0.0/8
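Review bot: The corrected `CommandLine|re` line has no comment stating what it is meant to match, which may be why the transposed `//:` (a sequence that does not occur in a URL) went unnoticed. The neighbouring filter entries are annotated (`#10.0.0.0/8`), so I would add a matching one here, e.g. `# '://' followed by a dotted-quad IPv4 host`. As a style point, `/` is not a regex metacharacter, so the `\/` escapes are unnecessary and differ from the plain `'://10.'` strings in `filter_local_ips`; `'://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'` would read consistently, provided the target backends accept the unescaped slash. The `filter_local_ips` list continues outside the hunk, so its coverage of the remaining private and loopback ranges cannot be checked from here.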