From ffbb968fcdeeb1a60b3ade88d7cb0018d492faa6 Mon Sep 17 00:00:00 2001
From: megan201296
Date: Tue, 9 Oct 2018 19:03:30 -0500
Subject: [PATCH] Update sysmon_cmstp_com_object_access.yml

Edit tule logic for `and` instead of `or
---
 rules/windows/sysmon/sysmon_cmstp_com_object_access.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml b/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml
index c53010ebb..f535868aa 100644
--- a/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml
+++ b/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml
@@ -19,15 +19,12 @@ detection:
     # CMSTP Spawning Child Process
     selection1:
         EventID: 1
-        ParentCommandLine:
-            - '*\DllHost.exe'
-            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA
+        ParentCommandLine: '*\DllHost.exe'
     selection2:
-        EventID: 1
         ParentCommandLine:
-            - '*\DllHost.exe'
+            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA
             - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225
-    condition: 1 of them
+    condition: selection1 and selection2
     fields:
         - CommandLine
         - ParentCommandLine
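Review bot: With `condition: selection1 and selection2` the rule can no longer fire, because both selections constrain the same ParentCommandLine field with patterns that are anchored at the end of the value: `'*\DllHost.exe'` in selection1 requires the parent command line to end in `\DllHost.exe`, while each CLSID pattern in selection2 requires it to end in the CLSID, and no single string satisfies both. The DllHost parent this rule describes carries the CLSID after the executable name, so the AND is the right intent but selection1 needs a trailing wildcard, e.g. `ParentCommandLine: '*\DllHost.exe*'`. It would also help to note that intent above selection1, e.g. `# DllHost.exe hosting one of the CMSTP COM objects listed in selection2`, so the next editor does not "tighten" the pattern again. As a style point, the inline comments `#CMSTPLUA` and `#CMLUAUTIL` should be written `# CMSTPLUA` with two spaces before the hash, per yamllint's comments rule.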