From ef3af551e9afe3abd22e4134ff2bf99f27cd0fa8 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:56:16 -0300
Subject: [PATCH] Update win_user_driver_loaded.yml

---
 .../builtin/win_user_driver_loaded.yml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index 5abc45e1f..d829a0781 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -21,18 +21,18 @@ detection:
 Service: '-'
 selection_2:
 ProcessName|contains:
- - '*\Windows\System32\Dism.exe'
- - '*\Windows\System32\rundll32.exe'
- - '*\Windows\System32\fltMC.exe'
- - '*\Windows\HelpPane.exe'
- - '*\Windows\System32\mmc.exe'
- - '*\Windows\System32\svchost.exe'
- - '*\Windows\System32\wimserv.exe'
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
- - '*\Google\Chrome\Application\chrome.exe'
+ - '\Windows\System32\Dism.exe'
+ - '\Windows\System32\rundll32.exe'
+ - '\Windows\System32\fltMC.exe'
+ - '\Windows\HelpPane.exe'
+ - '\Windows\System32\mmc.exe'
+ - '\Windows\System32\svchost.exe'
+ - '\Windows\System32\wimserv.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
+ - '\Google\Chrome\Application\chrome.exe'
 condition: selection_1 and not selection_2
 falsepositives:
 - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
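Review bot: The rewritten `selection_2` values are still matched with `ProcessName|contains`, and because `selection_2` is negated in `condition: selection_1 and not selection_2` every entry is an allow-list exclusion, so a `contains` match on a bare filename such as `'\procmon.exe'` or `'\procexp64.exe'` suppresses the alert for any driver-loading process that merely carries that name (e.g. under a user's Downloads folder) — a renamed loader bypasses the rule with no further effort. The system-binary entries have the same weakness in milder form: `'\Windows\System32\svchost.exe'` also matches `D:\staging\Windows\System32\svchost.exe`. Tightening the modifier to `ProcessName|endswith:` is a one-line change that at least anchors the filename to the end of the path; for the Windows binaries, spelling out the full path (`'C:\Windows\System32\svchost.exe'`) or pairing a `|startswith` on `C:\Windows\System32\` with the filename would close the drive/prefix gap, assuming the log source records an absolute `ProcessName` (worth confirming against the event's sample data). Dropping the leading `*` is correct, since `contains` already wraps each value in wildcards, but the exclusion list itself remains a baseline decision that the `falsepositives` text should call out per entry.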