From 6a95a17ad3148118414af82bf6f8aaf2b53c85f1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sat, 11 Nov 2023 20:06:52 +0000
Subject: [PATCH] Sigma Rule Update (2023-11-11 20:06:45) (#530)

Co-authored-by: hach1yon
---
 ...ation_win_webshell_susp_process_spawned_from_webserver.yml | 4 ++--
 ...ation_win_webshell_susp_process_spawned_from_webserver.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
index dae6fd464..d80e3bf31 100644
--- a/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -10,7 +10,7 @@ references:
 author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
-modified: 2023/11/09
+modified: 2023/11/11
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -89,7 +89,7 @@ detection:
 - ADManager Plus
 ParentProcessName|endswith: \java.exe
 condition: process_creation and (1 of selection_webserver_* and selection_anomaly_children
- and not 1 of filter_main_**)
+ and not 1 of filter_main_*)
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
 level: high
diff --git a/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
index 302a18c44..970b102d3 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -10,7 +10,7 @@ references:
 author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
-modified: 2023/11/09
+modified: 2023/11/11
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -90,7 +90,7 @@ detection:
 - sc query
 - ADManager Plus
 condition: process_creation and (1 of selection_webserver_* and selection_anomaly_children
- and not 1 of filter_main_**)
+ and not 1 of filter_main_*)
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
 level: high