From f0bf3d13b5fa0da4503828ff6b5602d97eeadad1 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 28 Nov 2020 13:38:34 -0300
Subject: [PATCH] Update win_webshell_detection.yml
---
 .../process_creation/win_webshell_detection.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index e3b75ba3a..9f6d8db77 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -25,13 +25,19 @@ detection:
 - '\apache'
 - '\tomcat'
 selection2:
- CommandLine|contains:
+ - CommandLine|contains:
 - 'whoami'
- - 'net user '
- - 'ping -n '
 - 'systeminfo'
 - '&cd&echo'
- - 'cd /d' # https://www.computerhope.com/cdhlp.htm
+ - CommandLine|contains|all:
+ - 'net'
+ - 'user'
+ - CommandLine|contains|all:
+ - 'cd' # https://www.computerhope.com/cdhlp.htm
+ - '/d'
+ - CommandLine|contains|all:
+ - 'ping'
+ - '-n'
 condition: selection and selection2
 fields:
 - CommandLine
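Review bot: The three new `CommandLine|contains|all` entries in `selection2` match their two substrings anywhere in the command line and in any order, which is much looser than the `'net user '`, `'cd /d'` and `'ping -n '` strings they replace. Sigma string matching is case-insensitive by default, so `'net'` plus `'user'` would presumably also fire on a child process of these web-server parents whose arguments merely contain something like `Microsoft.NET` and `\Users\`, and `'ping'` plus `'-n'` on any `-nologo`-style switch that appears alongside the word ping. Consider keeping a delimiter on the second token of each pair, e.g. `- ' user'`, `- ' /d'` and `- ' -n '`, which still tolerates `net.exe user` and extra spacing but narrows the overlap. The expected benign matches should also be listed in the rule's `falsepositives` section, which lies outside this hunk, so analysts triaging the alert know what the broader match can pick up.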