From e7d2bba8a298c78ed3d378fad2d07cfc1a07ea24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zach=20Mathis=20=28=E7=94=B0=E4=B8=AD=E3=82=B6=E3=83=83?= =?UTF-8?q?=E3=82=AF=29?= <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 11 Nov 2023 10:16:51 -0800
Subject: [PATCH] Merge PR #4563 from @YamatoSecurity - Remove erroneous extra asterisk

fix: Suspicious Process By Web Server Process - Remove erroneous extra asterisk

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 ...ation_win_webshell_susp_process_spawned_from_webserver.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
index d772f5324..d0822cbd4 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -7,7 +7,7 @@ references:
 - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
-modified: 2023/11/09
+modified: 2023/11/11
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -81,7 +81,7 @@ detection:
 CommandLine|contains|all:
 - 'sc query'
 - 'ADManager Plus'
- condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_**
+ condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
 level: high
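Review bot: The corrected `not 1 of filter_main_*` clause on the condition line excludes every selection whose name starts with `filter_main_`, so the exclusion set is defined by naming rather than by an explicit list, while the filter definitions themselves sit above line 81 outside this hunk. Any later selection that happens to be named with that prefix would silently become an allowlist entry instead of detection logic, which is worth stating next to the condition: `# every selection named filter_main_* is a false-positive exclusion; do not use that prefix for detection logic`. The visible tail (`CommandLine|contains|all:` with `'sc query'` and `'ADManager Plus'`) suggests the last filter is an ADManager Plus allowlist; confirm that each filter block is still intended as an exclusion rather than being picked up by the glob by accident. Whether the old `filter_main_**` already matched the same set depends on the backend's glob handling, which the hunk does not show. The enclosing `detection:` block starts outside the hunk.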