From e1fdca6dfa7a9b6ab526e0b4926d1c5a260afd7b Mon Sep 17 00:00:00 2001
From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com>
Date: Tue, 8 Jun 2021 14:07:33 -0500
Subject: [PATCH] changed to arg detection vs file detection
---
 queries/windows/cmstp_signed_binary_proxy_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/queries/windows/cmstp_signed_binary_proxy_execution.yml b/queries/windows/cmstp_signed_binary_proxy_execution.yml
index 1eed907..cd896d2 100644
--- a/queries/windows/cmstp_signed_binary_proxy_execution.yml
+++ b/queries/windows/cmstp_signed_binary_proxy_execution.yml
@@ -8,7 +8,7 @@ mitre:
 technique: T1218
 subtechnique: 003
 operating_system: windows
-query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
+query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine ContainsCIS "/ni /s"
 false_positives:
 tags:
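Review bot: The new `query` line matches the two switches only as the exact substring `/ni /s`, so a cmstp.exe command line that supplies the same switches in the other order, or with more than one space between them, falls outside the rule even though the behaviour being detected is identical; at the same time the `.inf` clause the old line carried is dropped rather than combined, so the change narrows coverage in two directions. Matching each switch on its own is more robust and still expresses the "argument detection" the commit title describes: `query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine ContainsCIS "/ni" AND SrcProcCmdLine ContainsCIS "/s"` — noting that `/s` as a bare substring is broader than the original pair and should be checked against a sample of benign cmstp.exe invocations before merging, and that the old `.inf` test could be retained as an OR branch if the previous coverage is still wanted. The context lines show `false_positives:` and `tags:` as bare values, which YAML reads as null; that predates this commit, but the switch-only match makes documented false-positive tuning more important, so the key is worth populating (e.g. with a one-line note on legitimate provisioning installs) in the same change.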