From fe9b91c504b66d0032b565f8a2dc2e5f8359368e Mon Sep 17 00:00:00 2001
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com>
Date: Wed, 8 Sep 2021 21:26:01 -0600
Subject: [PATCH] Completed changes to selection1

changed to the following to follow rule creation guidelines:
- Image|endswith: '\wbem\WMIC.exe'
- ProcessCommandLine|contains: 'wmic '
---
 ...pplications_from_proxy_executing_regsvr32_with_payload.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml
index ecb11a21f..0dbd99039 100644
--- a/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml
+++ b/rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml
@@ -18,8 +18,8 @@ logsource:
 detection:
 #useful_information: add more LOLBins to the rules logic of your choice.
 selection1:
- - Image: '*\wbem\WMIC.exe'
- - ProcessCommandLine: '*wmic *'
+ - Image|endswith: '\wbem\WMIC.exe'
+ - ProcessCommandLine|contains: 'wmic '
 - OriginalFileName: 'wmic.exe'
 - Description: 'WMI Commandline Utility'
 selection2:
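Review bot: The added `ProcessCommandLine|contains: 'wmic '` line uses a field name that, as far as I can tell, is not part of the Sigma Sysmon/process_creation taxonomy (the standard field is `CommandLine`; `ProcessCommandLine` is the Defender for Endpoint column), so unless the rule's logsource — which sits outside the hunk — carries a custom field mapping, backends will emit a field that does not exist in the data and this branch of the OR-list silently never fires, leaving detection to `Image` and `OriginalFileName` alone; the fix is `- CommandLine|contains: 'wmic '`. Separately, the trailing space in `'wmic '` means the very common `wmic.exe process call create ...` invocation does not match, because the name is followed by `.exe`, not a space; if the command-line branch is meant to catch the utility being launched (e.g. from a renamed or unusual path), match both forms, `- CommandLine|contains: ['wmic ', 'wmic.exe']`. The `condition` that combines `selection1` with `selection2` is also outside the hunk, so I cannot confirm how a non-matching branch affects the overall rule.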