From 2b7699cc158202010e1f7cd25164cafca750ff19 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 14 Nov 2019 10:15:18 +0100
Subject: [PATCH] fix: fixed broken condition
---
 rules/windows/process_creation/win_susp_msiexec_cwd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
index d7c3e7cc5..02801e4a3 100644
--- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml
@@ -20,7 +20,7 @@ detection:
 - 'C:\Windows\System32\\*'
 - 'C:\Windows\SysWOW64\\*'
 - 'C:\Windows\WinSxS\\*'
- condition: selection
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
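Review bot: The exclusions that `not filter` now puts into effect are pinned to literal `C:\Windows\...` prefixes, yet `falsepositives` still reads `- Unknown` on a `level: high` rule. The `filter` definition starts above the hunk, so I am assuming the three path entries shown belong to it; if they do, a host whose system root is on another drive or under a different directory name would presumably still alert on legitimate msiexec runs. I would keep the prefixes exact rather than loosen them to a leading wildcard, which would widen the exclusion, and record the limitation instead, for example `- Hosts where Windows is not installed under C:\Windows`. Since the original defect was a search identifier that was defined but never used in `condition`, a rule-lint check for unreferenced detection identifiers would be worth adding alongside this fix.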