From e9976bc3db6e10472ba5873ea8aacf8968a56e1b Mon Sep 17 00:00:00 2001
From: CD-R0M <97048268+CD-R0M@users.noreply.github.com>
Date: Sun, 22 May 2022 15:21:41 -0400
Subject: [PATCH] Update proc_creation_win_rundll32_parent_explorer.yml

---
 .../proc_creation_win_rundll32_parent_explorer.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index 1fb438cd2..a26d4e145 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -12,6 +12,8 @@ detection:
 selection:
 Image|endswith: '\rundll32.exe'
 ParentImage|endswith: '\explorer.exe'
+ filter:
+ CommandLine|contains: '\shell32.dll,OpenAs_RunDLL'
 condition: selection
 fields:
 - Image
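Review bot: The new `filter` selection is never referenced, because the `condition: selection` line left as context in this hunk still evaluates only `selection`, so the added exclusion has no effect on what the rule matches. For the filter to suppress the `OpenAs_RunDLL` command lines it was written for, the condition needs to become `condition: selection and not filter`. Since this exclusion drops every rundll32 launch from explorer whose command line contains that substring, it would also be worth recording the reason under the rule's `falsepositives` list (the "Open with" dialog appears to be the intended case, but that is inferred, not visible here). The enclosing `detection:` block begins before the hunk, and the rest of the rule's metadata is outside it.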