fix: null value in separate expression
Neo23x0 committed Jul 2, 2019
1 parent f5a8a81 commit 0b883a9
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions rules/windows/process_creation/win_susp_svchost.yml
Expand Up @@ -18,8 +18,9 @@ detection:
- '*\MsMpEng.exe'
- '*\Mrt.exe'
- '*\rpcnet.exe'
- null
condition: selection and not filter
filter_null:
ParentImage: null
condition: selection and not filter and not filter_null
fields:
- CommandLine
- ParentCommandLine
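Review bot: the new `filter_null` selection (`ParentImage: null`) has no comment saying why events without a parent image are excluded, and with `and not filter_null` in the condition any process creation event logged with no ParentImage can never match this rule. Suggest adding a short comment above `filter_null` naming the situation that produces a null ParentImage, and recording the resulting gap in the rule's description or false-positive notes so it is a documented decision. The condition now chains two negations; if more exclusions are expected, grouping them under a common name prefix would keep the condition line from growing with each one.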
