From febe489c99467e321fee591bce0da4f0316dfda9 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 17:52:40 -0300
Subject: [PATCH] Update win_exploit_cve_2019_1388.yml
---
 .../windows/process_creation/win_exploit_cve_2019_1388.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
index a882d4e9a..ffec6797d 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
@@ -15,9 +15,9 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage: '*\consent.exe'
- Image: '*\iexplore.exe'
- CommandLine: '* http*'
+ ParentImage|endswith: '\consent.exe'
+ Image|endswith: '\iexplore.exe'
+ CommandLine|contains: ' http'
 rights1:
 IntegrityLevel: 'System' # for Sysmon users
 rights2:
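Review bot: The leading space in `CommandLine|contains: ' http'` now carries the whole "URL passed as its own argument" intent, and nothing on the line marks it as deliberate, so a later cleanup could trim it and widen the match to any command line containing "http". I would add a trailing comment, as the `rights1` line already does: `CommandLine|contains: ' http'  # leading space intentional: URL is a separate argument`. The new value keeps the old `'* http*'` semantics, so a URL that arrives wrapped in quotes would presumably still not match; it is worth confirming against recorded process-creation events whether a second value is needed. The `detection` block continues past the hunk (the `rights2` body and the `condition` are not visible), so how `selection` is combined with the integrity-level checks cannot be verified here.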