fix: apply suggestions from code review

SigmaHQ · Jan 26, 2023 · 6325e75 · 6325e75
1 parent 6a954b6
commit 6325e75
Showing 1 changed file with 3 additions and 8 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_rhadamanthys_dll_launch.yml b/rules/windows/process_creation/proc_creation_win_rhadamanthys_dll_launch.yml
@@ -17,17 +17,12 @@ logsource:
     product: windows
 detection:
     selection_rundll32:
-        - Description: 'Windows host process (Rundll32)'
         - OriginalFileName: 'RUNDLL32.EXE'
-        - Image|endswith:
-            - '\rundll32.exe'
-        - CommandLine|contains: 'rundll32'
+        - Image|endswith: '\rundll32.exe'
     selection_dll:
-        CommandLine|contains:
-            - 'nsis_uns'
+        CommandLine|contains: 'nsis_uns'
     selection_export_function:
-        CommandLine|contains:
-            - 'PrintUIEntry'
+        CommandLine|contains: 'PrintUIEntry'
     condition: all of selection_*
 falsepositives:
     - Unknown