From e93dd7fe61fa88db9076faed2155aa4dc3bec5fd Mon Sep 17 00:00:00 2001
From: feedb <32587208+feedb@users.noreply.github.com>
Date: Sun, 1 Nov 2020 15:25:12 +0300
Subject: [PATCH] fix

---
 rules/windows/process_creation/process_creation_dotnet.yml | 6 +++---
 .../windows/process_creation/process_creation_msdeploy.yml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
index 90659e7be..9182bb218 100644
--- a/rules/windows/process_creation/process_creation_dotnet.yml
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -16,9 +16,9 @@ logsource:
     product: windows
 detection:
     selection:
-        ProcessCommandline|contains:
-            - '*.dll'
-            - '*.csproj'
+        Commandline|endswith:
+            - '.dll'
+            - '.csproj'
         Image|endswith:
             - '\dotnet.exe'
     condition: selection
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
index 263ff5bb2..236e747d3 100644
--- a/rules/windows/process_creation/process_creation_msdeploy.yml
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
@@ -1,9 +1,9 @@
-title: Msdeploy.exe LOLBIN
+title: Execute Files with Msdeploy.exe
 status: experimental
 id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
 author: Beyu Denis, oscd.community
 date: 2020/10/18
-description: launch binary via msdeploy.exe
+description: Detects file execution using the msdeploy.exe lolbin
 references:
     - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
     - https://twitter.com/pabraeken/status/995837734379032576
@@ -16,7 +16,7 @@ logsource:
     product: windows
 detection:
     selection:
-        ProcessCommandline|contains|all:
+        Commandline|contains|all:
             - 'verb:sync'
             - '-source:RunCommand'
             - '-dest:runCommand'
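Review bot: The new field name `Commandline` in the dotnet selection (and again in the msdeploy `Commandline|contains|all:` hunk) does not match the Sigma process_creation taxonomy, whose field is spelled `CommandLine`; backend field mappings are resolved by exact name, so the rule would likely fail conversion or match nothing, which is a silent detection gap rather than an error the author sees. Suggest `CommandLine|endswith:` in the dotnet rule and `CommandLine|contains|all:` in the msdeploy rule. Separately, moving from `contains` to `endswith` in the dotnet rule narrows coverage: a command line where `.dll` or `.csproj` is followed by further arguments (constructed example: `dotnet app.dll --urls http://...`) no longer matches, so if the intent is still to catch dotnet launching arbitrary assemblies, `CommandLine|contains:` with `'.dll'` and `'.csproj'` preserves the earlier breadth (the old `*` wildcards were redundant under `contains`). In the msdeploy rule the detection block appears to continue past the end of the hunk (no `condition:` is visible), so the rest of the selection could not be reviewed here.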