From ec1944e2d7c2444bf2dc2c2fe6c7f7ac5c12e317 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 20 Nov 2020 02:31:26 -0300
Subject: [PATCH] Update win_susp_copy_system32.yml

---
 rules/windows/process_creation/win_susp_copy_system32.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml
index 48de314d0..5a3535453 100644
--- a/rules/windows/process_creation/win_susp_copy_system32.yml
+++ b/rules/windows/process_creation/win_susp_copy_system32.yml
@@ -16,8 +16,10 @@ tags:
 detection:
     selection:
         CommandLine|contains:
-            - ' /c copy *\System32\'
-            - 'xcopy*\System32\'
+            - ' /c copy'
+            - 'xcopy'
+        CommandLine|contains|all:
+            - '\System32\'
     condition: selection
 fields:
     - CommandLine
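Review bot: Splitting the two anchored values into an unordered `contains` pair plus a separate `contains|all` drops the ordering the old patterns enforced, so the selection now also fires when `\System32\` appears only in the executable path rather than after the copy keyword — a constructed command line such as `C:\Windows\System32\cmd.exe /c copy notes.txt D:\` would match, which reads as a false-positive regression for a rule meant to catch copying out of System32. The removed values required `\System32\` to follow ` /c copy` or `xcopy`; if the motive is to avoid a mid-value `*` wildcard on backends that mishandle it, a single ordered regex such as `CommandLine|re: '(?i)( /c copy|xcopy) .*\\System32\\'` would keep the original intent without the wildcard. The added `CommandLine|contains|all` key holds one value, so `|all` is equivalent to plain `contains` and the modifier could be dropped. The rule's falsepositives and level sections are outside the hunk, and it is not visible whether they were adjusted for the broader match.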