From ecbec06709ccfeefa0971b250c759ae57dbc38db Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 16:06:47 -0300
Subject: [PATCH] Update sysmon_susp_office_dotnet_clr_dll_load.yml

---
 .../sysmon_susp_office_dotnet_clr_dll_load.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 59b043baa..f75cce094 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\clr.dll*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains:
+ - '\clr.dll'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
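Review bot: The new `ImageLoaded|contains: '\clr.dll'` keeps the trailing wildcard of the old `'*\clr.dll*'`, so it matches any module path with `\clr.dll` as a substring rather than a module literally named `clr.dll`, whereas the `Image` key in the same selection was tightened to `|endswith`. If the trailing wildcard was not deliberate, `ImageLoaded|endswith:` with `- '\clr.dll'` would match the rule's stated intent (CLR DLL load) and be consistent with the Image key; if it was deliberate, a short comment above the key saying which extra names it is meant to catch would stop the next reviewer from asking the same question. The diffstat shows all 7 changed lines in this hunk, so the rule's header fields above line 16 are untouched; if the rule carries a `modified:` field, Sigma convention is to bump it when the detection logic changes. The single-quoted scalars are correct here (backslashes stay literal and nothing is retyped), so no quoting change is needed.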