From ef95e5278d9130de2a00c948156f05b959acfd02 Mon Sep 17 00:00:00 2001
From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 1 May 2023 04:54:24 +0900
Subject: [PATCH] fix: delete value-modifier in Search-Identifier (#4210)

---
 .../proc_creation_win_mstsc_run_local_rdp_file.yml | 5 +++--
 ..._creation_win_mstsc_run_local_rdp_file_susp_location.yml | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
index 540974cd4a0..42b946752de 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
@@ -7,6 +7,7 @@ references:
 - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
 date: 2023/04/18
+modified: 2023/04/30
 tags:
 - attack.command_and_control
 - attack.t1219
@@ -17,8 +18,8 @@ detection:
 selection_img:
 - Image|endswith: '\mstsc.exe'
 - OriginalFileName: 'mstsc.exe'
- selection_cli|endswith:
- CommandLine|contains:
+ selection_cli:
+ CommandLine|endswith:
 - '.rdp'
 - '.rdp"'
 filter_optional_wsl:
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
index d2193eb1ff9..f1baf59d25e 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
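Review bot: Moving the modifier onto `CommandLine|endswith` in the second hunk of proc_creation_win_mstsc_run_local_rdp_file.yml narrows the selection compared with the previous `CommandLine|contains`: an invocation where switches follow the connection file (the documented mstsc syntax places the .rdp file before options such as `/admin`) no longer ends in `.rdp` or `.rdp"` and will not match. If that narrowing is deliberate to reduce false positives, a comment above `selection_cli` would stop the next editor from "fixing" it back, e.g. `# endswith on purpose: the .rdp file is expected to be the last argument; trailing switches are intentionally not matched`. Otherwise `CommandLine|contains:` with the same two values keeps the broader match while still dropping the invalid search-identifier modifier the commit removes. The `detection` block, including `filter_optional_wsl` and the `condition`, continues outside the hunk, so the filter's interaction with the narrower selection cannot be checked here.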
@@ -31,9 +31,9 @@ detection:
 - ':\Windows\Temp\'
 - ':\Windows\Tracing\'
 - '\AppData\Local\Temp\'
- # - '\Desktop\' # Could be source of FP depending on the environement
- - '\Downloads\' # Could be source of FP depending on the environement
+ # - '\Desktop\' # Could be source of FP depending on the environment
+ - '\Downloads\' # Could be source of FP depending on the environment
 condition: all of selection_*
 falsepositives:
- - Likelihood is related to how often the paths are used in the environement
+ - Likelihood is related to how often the paths are used in the environment
 level: high